Scope
The analyzed resources are located on:
https://github.com/chain4travel/caminogo
Summary
Weaknesses
This section contains the list of discovered weaknesses.
1. DNS REBINDING IN THE RPC API
Severity:
Status:
Fixed
Description:
Camino node exposes the administrator functionality via /ext/admin RPC API endpoint. For example, it is possible to retrieve a private key of the node by sending the following payload:
{
"jsonrpc": "2.0",
"id": 1,
"method" : "admin.getNodeSigner"
}
While /ext/admin is disabled on public nodes, it is still possible to access administrator endpoints from the internet via DNS rebinding when a node is run locally. To do so, an attacker lures a victim with a running local Camino node on an HTML page with a specially crafted JavaScript scenario. After the victim visits the malicious page, A record in DNS settings is automatically changed to resolve to the locally running node (127.0.0.1), this page periodically sends admin.getNodeSigner HTTP requests to the local node of the victim, and after some time the browser receives an updated DNS information and starts to resolve a malicious domain to the local node service thus bypassing Same Origin Policy. For example, in Safari it takes roughly 10 minutes for the browser to fetch new DNS settings. In Chrome there is a protection from this attack that explicitly forbids 127.0.0.1, however it can be bypassed by setting 0.0.0.0 in the A record.
Proof of concept:
<script>
flag = false;
setInterval(function() {
if(!flag) {
var http = new XMLHttpRequest();
var params = "{\r\n \"jsonrpc\":\"2.0\",\r\n \"id\" :1,\r\n \"method\" :\"admin.getNodeSigner\",\r\n \"params\": {\r\n \"alias\":\"P\"\r\n }\r\n}";
http.open("POST", "/ext/admin", true);
http.setRequestHeader("Content-Type","application/json");
http.onreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
console.info(http.status);
console.info(http.responseText);
document.write(http.responseText);
flag = true;
}
}
http.send(params);
}
}, 1000);
</script>
Remediation:
The following mitigation options are available:
- TLS for the RPC API: the certificate's Common Name of the local Camino node will not match the attacker's hostname,
- user authentication enforcement: if there is no authentication, RPC cannot be accessed, this behavior should not be optional,
- validation of the Host header in HTTP requests: Host header will contain the attacker's hostname
2. POSSIBLE DOS BY SETTING MULTISIG ALIAS
Severity:
Status:
Fixed
Description:
A multisig alias is a mapping of some address to several other addresses that sign transactions together with a specific threshold of required signatures. This alias can be any address including those single-party addresses that already exist and interact with the Camino blockchain. Thus, if such address is marked as a multisig alias it will not be able to perform some actions, specifically those where signatures are checked with VerifyMultisigPermission. For instance, RegisterNodeTx will fail since it will treat tx.ConsortiumMemberAuth as a multisig alias which resolves to a group of addresses. In this scenario an attacker would register an existing consortium member's address as a multisig alias blocking their ability to perform crucial operations with the Camino network.
Proof of concept:
"Not happy path - consortium member is marked as multisig": {
generateArgs: func() args {
return args{
oldNodeID: ids.EmptyNodeID,
newNodeID: newNodeID,
consortiumMemberAddress: caminoPreFundedKeys[4].PublicKey().Address(),
keys: []*crypto.PrivateKeySECP256K1R{newNodeKey, caminoPreFundedKeys[4]},
change: &outputOwners,
}
},
preExecute: func(t *testing.T, tx *txs.Tx) {
env.state.SetMultisigAlias(&multisig.Alias{
ID: caminoPreFundedKeys[4].Address(),
Owners: &secp256k1fx.OutputOwners{
Threshold: 2,
Addrs: []ids.ShortID{
caminoPreFundedKeys[0].Address(),
caminoPreFundedKeys[1].Address(),
},
},
})
env.state.SetAddressStates(caminoPreFundedKeys[4].Address(), txs.AddressStateConsortiumBit)
unlinkNode(caminoPreFundedKeys[4].Address(), newNodeID)
},
expectedNodeID: newNodeID,
},
}
Remediation:
As of now, it is not possible to set multisig aliases after genesis, however if in future MultisigAliasTx can be executed publicly, the described threat will be possible. As such, sanity checks should be performed on which addresses are set as aliases in SyntacticVerify.
SECURITY HEADERS ARE NOT CONFIGURED FOR WALLET.CAMINO.FOUNDATION
Severity:
Status:
Fixed
Description:
Web wallet https://wallet.camino.foundation lacks vital security HTTP headers which could provide additional protection against client-side threats.
Remediation:
The response should include the following HTTP headers:
- Strict-Transport-Security
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
4. JAVASCRIPT SCHEMA IS ALLOWED IN API EXPLORER URL
Severity:
Status:
Fixed
Description:
In the Camino wallet it is possible to add new networks and specify custom explorer URL. In this field there are no schema checks. For instance, it is possible to add an explorer URL with javascript: schema.
This schema is later rendered unsanitized in links.
Remediation:
Although there is no direct impact, the best practice is to allow only specific schemas, for example only https.