The iguana service spawned by Agama running on port 17777 doesn't have any authentication protecting its endpoints.
It has some protection in the form of:
- Only accepting connections for localhost
- A CORS policy of Access-Control-Allow-Origin: http://127.0.0.1:3000
However, this provides a false sense of security and doesn't actually protect against much.
Any website the user visits can issue localhost requests via JavaScript, which will bypass the localhost limitation and be processed by iguana.
Cross-Origin Resource Sharing (CORS) only stops a website from being able to read the response; it can still issue requests. This means any third party can make whatever requests to iguana it wants and iguana will process them. The website just can't read the response.
However, you can even get around the CORS policy with a technique called DNS rebinding, which will trick the web browser into thinking its domain name resolves to 127.0.0.1 and will therefore satisfy the CORS policy and allow the responses to be read.
This means that just by having Agama running, users are vulnerable to losing all their funds.
- User has Agama running
- User visits malicious website
- Website executes a DNS rebinding attack, tricking the browser into thinking its domain resolves to localhost
- Website sends a request to http://127.0.0.1:17777/shepherd/electrum/coins to get the user's address
- Website sends a request to http://127.0.0.1:17777/shepherd/electrum/getbalance?coin=KMD&address=<victim_address> to get the user's balance
- Website sends a request to http://127.0.0.1:17777/shepherd/electrum/createrawtx?coin=KMD&address=<attacker_address>&value=<victim_balance>&change=<victim_address>&gui=true&push=true&verify=true to send all of the user's funds to themselves
If you know the victim's address you can pull this off without DNS rebinding. You could set up a fake faucet website and then clear their balance when they enter their address to receive coins. Or if you see them post their address on Slack/Reddit you could easily convince them to click a link.
I would consider this extremely high severity. If I put up a website making use of DNS rebinding, so no user interaction is needed for the attack to execute, and just posted a link to the site with an interesting title on Slack and Reddit, anyone who clicked the link while having Agama running would instantly lose all their funds to me.
This looks like it will probably affect all instances of iguana/shepherd, not just when it's spawned via Agama. However, I've only tested this against Agama.
The API endpoint should only process requests from properly authenticated users, similar to how marketmaker does after jl777/SuperNET#563.
it's secured via tokens same as in mm
https://github.com/KomodoPlatform/Agama/blob/dev/routes/shepherd/electrum/auth.js#L7