Tails

#2 Updated by dareaper 2018-01-07 11:29:56

intrigeri wrote:
> Electrum listens to a (apparently random) high TCP port in Tails 3.3. I’ve tried to connect to this port from the Unsafe Browser and I see in the logs that our firewall blocked it. Same with curl on the command line from both the amnesia and root users. Then I’ve tried to connect to this port from Tor Browser and the connection failed (no firewall log, I think that Tor Browser blocked the attempt itself).
>
> Could you please clarify why you think Tails is affected by the security issue?

I’m sorry If was unclear in the bug description. Kind of new to this.

Basically the Electrum vulnerability doesn’t affect TAILS, but it affects the user’s Electrum wallet funds if the user uses an older version of electrum (below 3.0.4) and browses a webpage that has some form of malicious javascript that scans for open JSON-RPC interface ports. If it finds one (considering older version of electrum didn’t have this encrypted / password protected) then it’ll attempt to steal the users funds if and only if the users wallet isn’t set with a password.

Electrum 3.0.4 disables CORS which will prevent such port scans and lookups until another newer version of electrum would be released with a password protection enabled for it.

Hence, this bug isn’t about TAILS, but affects users who use older versions of Electrum on TAILS with the risk of them losing funds. I request you to kindly update the electrum on TAILS to version 3.0.4

#3 Updated by intrigeri 2018-01-07 11:40:12

> if the user uses an older version of electrum (below 3.0.4) and browses a webpage that has some form of malicious javascript that scans for open JSON-RPC interface ports. If it finds one (considering older version of electrum didn’t have this encrypted / password protected) then it’ll attempt to steal the users funds if and only if the users wallet isn’t set with a password.

This is precisely what I’ve tried to verify and failed: it appears that our firewall and browsers configuration blocks connections to that JSON-RPC interface. Hence my request for more information from you. So let me rephrase: how exactly would an attacker exploit this in Tails?

#4 Updated by dareaper 2018-01-07 14:10:10

intrigeri wrote:
> > if the user uses an older version of electrum (below 3.0.4) and browses a webpage that has some form of malicious javascript that scans for open JSON-RPC interface ports. If it finds one (considering older version of electrum didn’t have this encrypted / password protected) then it’ll attempt to steal the users funds if and only if the users wallet isn’t set with a password.
>
> This is precisely what I’ve tried to verify and failed: it appears that our firewall and browsers configuration blocks connections to that JSON-RPC interface. Hence my request for more information from you. So let me rephrase: how exactly would an attacker exploit this in Tails?

A couple of things. I’m not sure on how the attacker would exploit this in TAILS and I don’t know how to code the Javascript exploit to be able to perform this and write down the reproduction steps. Also, if TAILS does block JSON-RPC connections via the firewall that’s good, but I’ve been also told otherwise (https://bitcointalk.org/index.php?topic=2701891.msg27639317#msg27639317). Anyways, Electrum 3+ contains support for Segwit addresses for Bitcoin which helps reduce transaction fees if many users start using it. Hence, I still request TAILS to include version 3.0.4 for the users to benefit from the added features. The current version is pretty old to be honest.

#6 Updated by s7r 2018-01-08 02:28:52

Answering:
- update to 3.0.4 is not sufficient because it only removes the CORS code, it does not protect the RPC interface properly with a password.

- there is ticket Feature #15022 to upgrade Electrum in Tails. Electrum 3.0.5 was just released which:
a) properly protects the RPC interface with a password (128 bit of entropy if not set by user);
b) disables RPC commands entirely when the GUI is running (only allows ping, to make sure one single instance is running)

3.0.5 was just uploaded to unstable and then it will be ported to stretch-backports and included in Tails.

As for the discussion related to how Electrum in Tails can be exploited (Tails itself doesn’t have any problems). Older version of Electrum are not exploitable in Tails particular firewall setup, looking from the ‘malicious website attack’ point of view, where the only ways in are Unsafe Browser and Tor Browser which are properly configured to NOT allow access to Electrum daemon’s RPC interface. I can’t explain why.

Internal traffic from localhost to localhost is allowed in Tails (?):
source: https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf

<code class="text">
table filter {
        chain INPUT {
            policy DROP;

            # Established incoming connections are accepted.
            mod state state (ESTABLISHED) ACCEPT;

            # Traffic on the loopback interface is accepted.
            interface lo ACCEPT;
        }
</code>

or is it stopped on OUTPUT chain? This is some neat firewall we have.

curl was blocked by the firewall because it’s configured to go only through Tor, without being able to reach localhost.

Prior to 3.0.5, Electrum in GUI mode would (at least theoretically) require to talk to the daemon via RPC, but I don’t understand exactly why it works in our system like this. Maybe already established connections are allowed and new ones dropped?

#7 Updated by intrigeri 2018-01-10 15:55:04

> Internal traffic from localhost to localhost is allowed in Tails (?):
> […]
> or is it stopped on OUTPUT chain? This is some neat firewall we have.

The latter: see the outerface lo section in the OUTPUT chain.

> Prior to 3.0.5, Electrum in GUI mode would (at least theoretically) require to talk to the daemon via RPC, but I don’t understand exactly why it works in our system like this. Maybe already established connections are allowed and new ones dropped?

I don’t understand, sorry!

#9 Updated by s7r 2018-01-12 20:45:08

intrigeri wrote:
> > Prior to 3.0.5, Electrum in GUI mode would (at least theoretically) require to talk to the daemon via RPC, but I don’t understand exactly why it works in our system like this. Maybe already established connections are allowed and new ones dropped?
>
> I don’t understand, sorry!

In versions prior to 3.0.5 of Electrum, when Electrum GUI was started, the daemon was first started in the background and Electrum GUI (theoretically) explicitly required RPC to talk to Electrum daemon. As of 3.0.5 the GUI doesn’t have this requirement, so the RPC server is almost entirely disabled when Electrum is running in GUI mode (only ping is allowed to check if running true/false, that’s all).

I guess we can mark this as duplicate and we’ll stick on Feature #15022? 3.0.5 just landed in testing, waiting for `stable-backports` currently `stretch-backports`.