
Topic: Electrum 4.2.2 Released (Read 577 times)

newbie
Activity: 1
Merit: 0
November 30, 2022, 02:19:54 AM
#40
Eric from https://www.Unciphered.com here:

If you want to see the attack in action it starts at 17:28 - https://www.youtube.com/watch?v=yMz_Gfxkkks in our talk: SEC-T 0x0E: Eric Michaud & Tom Smith - Crypto Vuln Cornucopia - From the archives of Team Kairos.

The vulnerability we found existed from 2.1 and in every version up to now, 4.2.1, and in forks of Electrum Wallet. We disclose the most utilized wallets by user base beyond Electrum Wallet in the talk that patched in a coordinated disclosure. The EW team was great to work with.

The reality of the vulnerability is that we wrote the Windows exploit in about a week once we determined the flaw, which was a Python Open statement. People who have specialization writing exploits for say...iOS could take the vulnerability potentially and write an exploit for iPhone. We just wanted to prove we could get shell and/or steal a wallet, which we did.

After that we reached out as fast as we could to get this patched. We wouldn't be surprised if someone wanted to write an exploit for TAILs/iOS/Android/Mac/etc etc each in the future for the versions from 4.2.1 and backwards.

Happy to chat more about this and other vulnerabilities we're discovering during work.

-E.
newbie
Activity: 8
Merit: 0
July 24, 2022, 07:25:17 PM
#39
Thanks so much, that is brilliant!
legendary
Activity: 2268
Merit: 18748
July 24, 2022, 01:21:22 PM
#38
It only holds the Electrum wallet: two USB sticks: one for the red (hot), one for the blue (cold) version. It comes up once I bypass to the hard drive on my old laptop.
Ok. So you have Electrum installed on both your internet enabled computer, and your airgapped computer. You have two separate USB drives. The first USB drive holds a watch only wallet which you only connect to your internet enabled computer. The second USB drive holds a full wallet (including private keys) which you only connect to your airgapped computer. Is this correct?

If so, then it should be fairly easy to update your Electrum installations. On the internet enabled computer, simply download, verify, and install the latest version. For the airgapped computer, download and verify the latest version on your internet enabled computer, then use a third USB drive which is recently formatted and contains no other data to move the necessary files over to your airgapped computer and install.
newbie
Activity: 8
Merit: 0
July 24, 2022, 11:27:24 AM
#37
 "It is still not clear to me whether your USB drive holds only your Electrum wallet files, or the entire Electrum directory including your wallet files and the software itself - can you open the Electrum software on your airgapped device without the USB drive connected?"

It only holds the Electrum wallet: two USB sticks: one for the red (hot), one for the blue (cold) version. It comes up once I bypass to the hard drive on my old laptop.
legendary
Activity: 1568
Merit: 6660
July 23, 2022, 12:13:09 PM
#36
Just because nobody has mentioned xargs yet, and it's a very useful command that's installed on all shells - therefore can be used for all commands, I will be replying to this one-month-old reply here.

Edited 2;

How do I include non-alphanumeric chars in a password in the following command:
Code:
./run_electrum create -W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"
But the prompt simply removes some of those non-alphanumeric chars and acts as if the command is not complete, and I get the "new line" to finish the command with the '>' symbol, you know?
If I remove the non-alphanumeric chars, the command runs correctly.

Use xargs to pass the password argument to Electrum. It does not expand strings or escape them, and you get the added benefit that your password won't be on your bash history file:

Code:
you@localhost$ xargs ./run_electrum create
-W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"

And you type the arguments after create on standard input.
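
An added example, not written by any poster in this thread, showing which argument a program actually receives for the password forms discussed above. `show_args` is a hypothetical stand-in for `./run_electrum`, and the passwords are constructed samples.

```shell
#!/bin/sh
# Added example. show_args is a hypothetical stand-in for ./run_electrum: it
# prints every argument it receives in [brackets]. Passwords are constructed.

show_args() {
    for a in "$@"; do printf '[%s]' "$a"; done
}

# Single quotes: the shell changes nothing. Inside double quotes, interactive
# bash still performs history expansion on "!", and "!#" stands for the command
# line typed so far, the likely cause of the ">" prompt in the question.
single_quoted() {
    show_args --password='MyDummyPass!#$%word321'
}

# xargs: the shell never parses the argument line, so nothing is expanded and
# nothing lands in the history file. xargs does its own parsing, though: it
# strips quotes and treats a backslash as an escape character.
xargs_argv() {
    printf '%s\n' "$1" |
        xargs sh -c 'for a in "$@"; do printf "[%s]" "$a"; done' sh
}

# Silent prompt: the secret is read from stdin into a variable, so no parser
# touches it. It is still passed in argv here and is therefore visible in the
# process list while the command runs.
from_prompt() {
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r secret
    if [ -t 0 ]; then stty echo; fi
    show_args --password="$secret"
}

single_quoted; echo
xargs_argv '--password="MyDummyPass!#$%word321"'; echo
xargs_argv '--password=Pa\ss!#$%'; echo   # the backslash is lost
```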
copper member
Activity: 2338
Merit: 4543
July 23, 2022, 12:06:40 PM
#35
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  :-\
If you have a seed phrase from an Electrum wallet, as far as I know, you can use it for a new Electrum wallet.
If you are unsure about reformatting your old USB Drive, try using another USB Drive and install the updated Linux along with the last updated Electrum wallet. Create a new wallet using the seed.

This is actually what I do when I want to interact with a cold wallet.  It's rare that I need to interact with my cold funds, so I don't save any trace.  I don't even save the OS once I'm done.  Installing a fresh, minimal version of Ubuntu doesn't take long, and the seed is all that's needed to sign transactions.

The only disadvantage of restoring from seed is that the seed phrase doesn't store data for labels assigned to transactions and addresses, or any frozen coins and addresses.
legendary
Activity: 2296
Merit: 2892
July 21, 2022, 09:13:58 AM
#34
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  :-\
If you have a seed phrase from an Electrum wallet, as far as I know, you can use it for a new Electrum wallet.
If you are unsure about reformatting your old USB Drive, try using another USB Drive and install the updated Linux along with the last updated Electrum wallet. Create a new wallet using the seed.
legendary
Activity: 2268
Merit: 18748
July 21, 2022, 05:34:16 AM
#33
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  :-\
I think you need to be clear there is a difference between the Electrum wallet software which you are downloading from the website and is used to show you the GUI and to create new wallets, and your Electrum wallet file which is specific to you and holds your private keys and therefore your coins. It is still not clear to me whether your USB drive holds only your Electrum wallet files, or the entire Electrum directory including your wallet files and the software itself - can you open the Electrum software on your airgapped device without the USB drive connected?

Either way, as I said above, you should not connect that USB drive to an internet enabled device, as that defeats the purpose of having a cold wallet.
copper member
Activity: 2338
Merit: 4543
July 20, 2022, 06:58:09 PM
#32
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  :-\

If I were you, I'd copy the wallet files onto the off-line computer, then format the USB drive before you plug it into an on-line computer.  Once plugged into the online computer you can download and verify the electrum appimage file, and save it on the USB drive.  Now you can transfer the new version to the off-line machine to manage your wallets.

I imagine you have an off-line computer so that you never have to subject your cold wallet to the internet.  If so, even plugging in a USB stick containing a cold wallet into an on-line PC is not recommended, and easily avoided.
newbie
Activity: 8
Merit: 0
July 20, 2022, 05:26:52 PM
#31
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  :-\
legendary
Activity: 2268
Merit: 18748
July 20, 2022, 02:45:52 PM
#30
My Electrum wallet is installed on a USB drive, and I access it on an airgapped computer (going on hard drive only, it is Linux, in essence, right?).
If Electrum is installed on your airgapped computer, then you will need to download and verify the latest version of Electrum on an internet connected computer and then transfer this file over to your airgapped computer to be installed. I would use a completely clean USB drive to do this.

I have the cold and hot wallet version on the USB drive. So technically, can I download the upgrade directly on to the USB drive when connecting to the Internet? Many Thanks, in advance!
I don't understand what you mean by "cold and hot wallet version on the USB drive". There is only one latest version of Electrum. Whether it is cold or hot depends on if the device you are running it on is permanently airgapped or not. If that USB drive also contains your wallet file, you should never be connecting it to a computer with an internet connection if you want it to be a cold wallet.
newbie
Activity: 8
Merit: 0
July 20, 2022, 12:28:14 PM
#29
"You say your cold wallet is "on the Linux USB drive" - can you elaborate? Do you have an entire OS and Electrum running live from this USB drive? Or do you have Linux and Electrum installed on an airgapped computer and it is simply the wallet file which is stored on the USB drive?"

My Electrum wallet is installed on a USB drive, and I access it on an airgapped computer (going on hard drive only, it is Linux, in essence, right?).
I have the cold and hot wallet version on the USB drive. So technically, can I download the upgrade directly on to the USB drive when connecting to the Internet? Many Thanks, in advance!
copper member
Activity: 2338
Merit: 4543
July 16, 2022, 02:15:04 PM
#28
Hi, Can anyone help explain how to upgrade a cold storage Electrum wallet on the Linux USB drive?
It has not been used since 2017. I have the seed phrase, pass code, etc. It opens, but I cannot send it to the exchange.

Many Thanks, in advance!

Do you mean you have a live USB drive with Electrum installed on it?  You don't really need to do that, you can just download the latest appimage and use that instead since it doesn't need to be installed.

Before you can sign a transaction on the offline machine, you'll need to create it in a watch-only wallet first.  If you don't have a watch only wallet, you can create one by exporting the master public key from the offline wallet.
legendary
Activity: 2268
Merit: 18748
July 16, 2022, 02:14:41 PM
#27
Since version 4.0.1, Electrum has replaced their old transaction format with PSBTs, so you will need both your watch only wallet and your cold wallet to be at least this version or you will find they are incompatible and your cold wallet will not sign the transaction.

You say your cold wallet is "on the Linux USB drive" - can you elaborate? Do you have an entire OS and Electrum running live from this USB drive? Or do you have Linux and Electrum installed on an airgapped computer and it is simply the wallet file which is stored on the USB drive?
newbie
Activity: 8
Merit: 0
July 16, 2022, 02:05:25 PM
#26
Hi, Can anyone help explain how to upgrade a cold storage Electrum wallet on the Linux USB drive?
It has not been used since 2017. I have the seed phrase, pass code, etc. It opens, but I cannot send it to the exchange.

Many Thanks, in advance!
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
June 28, 2022, 10:04:49 PM
#25
-snip-
Edited 2;

How do I include non-alphanumeric chars in a password in the following command:
Code:
./run_electrum create -W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"

But the prompt simply removes some of those non-alphanumeric chars and acts as if the command is not complete, and I get the "new line" to finish the command with the '>' symbol, you know?
If I remove the non-alphanumeric chars, the command runs correctly.
Password should be set with --password="password"
-w will set the value as the new wallet's name and path, if not set, it will be named "default_wallet".
encrypt_file=true/false prompts to encrypt the wallet file with the password (default - true) or just the master private key (false).
"passphrase" works the same as 'BIP39 passphrase' if you want to extend the seed phrase.

Here's an example create command:
Code:
run_electrum create -w "new_wallet" --seed_type=segwit --password="abc123!@#$%^&*()" --offline
Here's an example restore command to make an "imported wallet":
Code:
run_electrum restore -w "new_wallet" "p2wpkh:WIF_Private_Key1 p2wpkh-p2sh:WIF_Private_Key2" --password="abc123!@#$%^&*()" --offline
Prepend the address' script type depending on the address that you need to import (only three types are currently available):
  • p2wpkh: Native SegWit (bech32)
  • p2wpkh-p2sh: Nested SegWit
  • p2pkh: Legacy (default)
hero member
Activity: 1274
Merit: 681
I rather die on my feet than to live on my knees
June 28, 2022, 01:58:24 PM
#24
I just tried to download the sources, install dependencies but it still complains about not having pyQt5 installed. Is this impossible?
The source should run with commands without launching the GUI and the GUI's requirements.
You just have to add parameters or commands to "run_electrum" and it should not try to open the GUI.

e.g.:
Code:
run_electrum -w="WALLET'S_PATH" signmessage "tb1qxxxxxxxxxxxxxxxxxxxxxxxaswa08ff" "MessageMessage" --offline
It will return with the signature.

For more options, use 'help': run_electrum -h

Hi.

I just got home and I tried the help command. It worked. However I was looking for the command to create a new wallet but I couldn't find any. The closest thing I could find is the "make_seed". Will this create a new wallet? I'm just asking out of curiosity because the goal is to import a private key and then sign messages with that imported address/private key!

And also, another question. I see there are daemon and gui options. The daemon is for what? To be able to provide some kind of RPC server for other applications to be able to access Electrum commands?


Edited;
Hum, I'm just experimenting and apparently, to create a new wallet, we just run something like:

Code:
./run_electrum create --offline

Then we are provided with the seed key that we should securely save and the default path to the default wallet!
And it also seems that I need to have a daemon running before I start running commands.

Edited 2;

How do I include non-alphanumeric chars in a password in the following command:
Code:
./run_electrum create -W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"

But the prompt simply removes some of those non-alphanumeric chars and acts as if the command is not complete, and I get the "new line" to finish the command with the '>' symbol, you know?
If I remove the non-alphanumeric chars, the command runs correctly.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
June 27, 2022, 09:09:43 PM
#23
I just tried to download the sources, install dependencies but it still complains about not having pyQt5 installed. Is this impossible?
The source should run with commands without launching the GUI and the GUI's requirements.
You just have to add parameters or commands to "run_electrum" and it should not try to open the GUI.

e.g.:
Code:
run_electrum -w="WALLET'S_PATH" signmessage "tb1qxxxxxxxxxxxxxxxxxxxxxxxaswa08ff" "MessageMessage" --offline
It will return with the signature.

For more options, use 'help': run_electrum -h
hero member
Activity: 1274
Merit: 681
I rather die on my feet than to live on my knees
June 27, 2022, 04:22:26 PM
#22
Hello,

I'm not a very frequent user of Electrum Wallet or any other wallet other than the ones in Bitcoin Core and Core Lightning but I need a wallet to sign messages using bech32 addresses which I think Bitcoin Core doesn't support. But the PC where I want to install Electrum doesn't have a desktop installed. Only the command line.

Is it possible to install and run Electrum wallet in a no gui environment by running the software only through the command line?
I just tried to download the sources, install dependencies but it still complains about not having pyQt5 installed. Is this impossible?
legendary
Activity: 2268
Merit: 18748
June 22, 2022, 01:15:20 AM
#21
Yeah, I've had to do this in a pinch.  I was at work and needed a nested segwit address for some reason, so I made a temporary wallet with my Electrum seed phrase.  All I had to do was lie to the software and pretend the seed was a bip39, and it let me do what I wanted.  Pretty easy tweak, but for obvious reasons I don't recommend it.
Ahh sure, that's one way of doing it. In that case you aren't using your Electrum seed phrase as an Electrum seed phrase at all (with the Electrum specific salt), but rather as a (most likely) invalid BIP39 seed phrase (with the BIP39 specific salt). I was thinking of using an Electrum seed phrase as an Electrum seed phrase, but forcing Electrum to ignore the incorrect version number and derive at a custom derivation path, which would require tinkering in the source code rather than just selecting the BIP39 option in the restore menu.

Either way, not recommended, and I'll stop before I go any further off topic.