Agama Authentication Bypass Vulnerability

agama-iguana-authentication-bypass-vulnerability.md

Agama/Iguana Authentication Bypass Vulnerability

The Vulnerability

The iguana service spawned by Agama running on port 17777 doesn’t have any authentication protecting it’s endpoints.

It has some protection in the form of:

• Only accepting connections for localhost
• A CORS policy of Access-Control-Allow-Origin:http://127.0.0.1:3000

However this provides a false sense of security and doesn’t actually protect against much.

Any website the user visits can issue localhost requests via JavaScript, which will bypass the localhost limitation and be processed by iguana.

Cross-Origin Resource Sharing (CORS) only stops a website from being able to read the response, it can still issue requests. This means any third party can make whatever requests to iguana it wants and iguana will process them. The website just can’t read the response.

However, you can even get around the CORS policy with a technique called DNS rebinding which will trick the web browser into thinking it’s domain name resolves to 127.0.0.1 and will therefore satisfy the CORS policy and allow the responses to be read.

The Attack

This means that just by having Agama running, users are vulnerable to losing all their funds.

• User has Agama running
• User visits malicious website
• Website executes a DNS rebinding attack tricking the browser into thinking it’s domain resolves to localhost
• Website sends a request to http://127.0.0.1:17777/shepherd/electrum/coins to get the users address
• Website sends a request to http://127.0.0.1:17777/shepherd/electrum/getbalance?coin=KMD&address=<victim_address> to get the users balance
• Website sends a request to http://127.0.0.1:17777/shepherd/electrum/createrawtx?coin=KMD&address=<attacker_address>&value=<victim_balance>&change=<victim_address>&gui=true&push=true&verify=true to send all of the users funds to themself

If you know the victims address you can pull this off without DNS rebinding. You could set up a fake faucet website and then clear their balance when they enter their address to receive coins. Or if you see them post their address on Slack/Reddit you could easily convince them to click a link.

I would consider this extremely high severity. If I put up a website making use of DNS rebinding so no user interaction is needed for the attack to execute and just posted a link to the site with an interesting title on Slack and Reddit. Anyone who clicked the link while having Agama running would instantly lose all their funds to me.

This looks like it will probably effect all instances of iguana/shepherd, not just when it’s spawned via Agama. However I’ve only tested this against Agama.

The Solution

The API endpoint should only process requests from properly authenticated users. Similar to how marketmaker does after jl777/SuperNET#563

it's secured via tokens same as in mm
https://github.com/KomodoPlatform/Agama/blob/dev/routes/shepherd/electrum/auth.js#L7

Ahh, sorry, I was running an old version. Just checked the latest release and it is now validated by a token.

However it's not the same as mm. In mm the token is a hash of the pass phrase which has very high entropy and is infeasible to guess. In Agama the token is just a hash of the timestamp when the app was opened:

const appSessionHash = md5(Date.now().toString());

https://github.com/KomodoPlatform/Agama/blob/8781345ab4782e84da326307408ec07a5cd4fb4c/main.js#L57

This is not cryptographically secure. It's feasible to guess, you just need to start from the hash of the current timestamp and iterate backwards until you get the correct hash.

This is still a pretty major vulnerability, although slightly more inconvenient to execute than described in my initial post.

Fixed in this PR: KomodoPlatform/Agama#55