Author

Topic: Electrum 4.2.2 Released (Read 577 times)

newbie
Activity: 1
Merit: 0
November 30, 2022, 02:19:54 AM
#40
Eric from https://www.Unciphered.com here:

If you want to see the attack in action it starts at 17:28 - https://www.youtube.com/watch?v=yMz_Gfxkkks in our talk: SEC-T 0x0E: Eric Michaud & Tom Smith - Crypto Vuln Cornucopia - From the archives of Team Kairos.

The vulnerability we found existed in from 2.1 and every version to now 4.2.1 and forks of Electrum Wallet. We disclose the most utilized wallets by user base beyond Electrum Wallet in the talk that patched in a coordinated disclosure. The team EW was great to work with.

The reality of the vulnerability is that we wrote the Windows exploit in about a week once we determined the flaw which was a Python Open statement. People who have specialization writing exploits for say...iOS could take the vulnerability potentially and write a exploit for iPhone. We just wanted to prove we could get shell and/or steal a wallet which we did.

After that we reached out as fast as we could to get this patched. We wouldn't be surprised if someone wanted to write an exploit for TAILs/iOS/Android/Mac/etc etc each in the future for the versions from 4.2.1 and backwards.

Happy to chat more about this and other vulnerabilities we're discovering during work.

-E.
newbie
Activity: 8
Merit: 0
July 24, 2022, 07:25:17 PM
#39
Thanks so much, that is brilliant!  Smiley
legendary
Activity: 2268
Merit: 18771
July 24, 2022, 01:21:22 PM
#38
It only holds the Electrum wallet: two USB sticks: one for the red (hot), one for the blue (cold) version. It comes up once I bypass to the hard drive on my old laptop.
Ok. So you have Electrum installed on both your internet enabled computer, and your airgapped computer. You have two separate USB drives. The first USB drive holds a watch only wallet which you only connect to your internet enabled computer. The second USB drive holds a full wallet (including private keys) which you only connect to your airgapped computer. Is this correct?

If so, then it should be fairly easy to update your Electrum installations. On the internet enabled computer, simply download, verify, and install the latest version. For the airgapped computer, download and verify the latest version on your internet enabled computer, then use a third USB drive which is recently formatted and contains no other data to move the necessary files over to your airgapped computer and install.
newbie
Activity: 8
Merit: 0
July 24, 2022, 11:27:24 AM
#37
 "It is still not clear to me whether your USB drive holds only your Electrum wallet files, or the entire Electrum directory including your wallet files and the software itself - can you open the Electrum software on your airgapped device without the USB drive connected?"

It only holds the Electrum wallet: two USB sticks: one for the red (hot), one for the blue (cold) version. It comes up once I bypass to the hard drive on my old laptop.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 23, 2022, 12:13:09 PM
#36
Just because nobody has mentioned xargs yet, and it's a very useful command that's installed on all shells - therefore can be used for all commands, I will be replying to this one-month-old reply here.

Edited 2;

How do I include non-alphanumeric chars in an password in the following command:
Code:
./run_electrum create -W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"
But the prompt simply removes some of those non-alphanumeric chars and acts like if the command is not complete and I get the "new line" no finish the command with the '>' symbol, you know?
If I remove the non-alphanumeric chars, the command runs correctly.

Use xargs to pass the password argument to Electrum. It does not expand strings or escape them, and you get the added benefit that your password won't be on your bash history file:

Code:
you@localhost$ xargs ./run_electrum create
-W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"

And you type the arguments after create on standard input.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
July 23, 2022, 12:06:40 PM
#35
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  Undecided
If you have a seed phrase from an Electrum wallet, as far as I know, you can use it for a new Electrum wallet.
If you are unsure about reformatting your old USB Drive, try using another USB Drive and install the updated Linux along with the last update Electrum wallet. Create a new wallet using the seed.

This is actually what I do when I want to interact with a cold wallet.  It's rare that I need to interact with my cold funds, so I don't save any trace.  I don't even save the OS once I'm done.  Installing a fresh, minimal version of Ubuntu doesn't take long, and the seed is all that's needed to sign transactions.

The only disadvantage of restoring from seed is that the seed phrase doesn't store data for labels assigned to transactions and addresses, or any frozen coins and addresses.
legendary
Activity: 2296
Merit: 2892
#SWGT CERTIK Audited
July 21, 2022, 09:13:58 AM
#34
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  :-\
If you have a seed phrase from an Electrum wallet, as far as I know, you can use it for a new Electrum wallet.
If you are unsure about reformatting your old USB Drive, try using another USB Drive and install the updated Linux along with the last update Electrum wallet. Create a new wallet using the seed.
legendary
Activity: 2268
Merit: 18771
July 21, 2022, 05:34:16 AM
#33
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  Undecided
I think you need to be clear there is a difference between the Electrum wallet software which you are downloading from the website and is used to show you the GUI and to create new wallets, and your Electrum wallet file which is specific to you and holds your private keys and therefore your coins. It is still not clear to me whether your USB drive holds only your Electrum wallet files, or the entire Electrum directory including your wallet files and the software itself - can you open the Electrum software on your airgapped device without the USB drive connected?

Either way, as I said above, you should not connect that USB drive to an internet enabled device, as that defeats the purpose of having a cold wallet.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
July 20, 2022, 06:58:09 PM
#32
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  Undecided

If I were you, I'd copy the wallet files onto the off-line computer, then format the USB drive before you plug it into an on-line computer.  Once plugged into the online computer you can download and verify the electrum appimage file, and save it on the USB drive.  Now you can transfer the new version to the off-line machine to manage your wallets.

I imagine you have an off-line computer so that you never have to subject your cold wallet to the internet.  If so, even plugging in a USB stick containing a cold wallet into an on-line PC is not recommended, and easily avoided.
newbie
Activity: 8
Merit: 0
July 20, 2022, 05:26:52 PM
#31
Thanks, guys, for your fast reply. My Electrum wallet only opens on the USB Drive in Linux. So I will try to download the Linux upgrade directly on the USB drive and transfer the file to the Electrum wallet. Hope I understand this correctly?  Undecided
legendary
Activity: 2268
Merit: 18771
July 20, 2022, 02:45:52 PM
#30
My Electrum wallet is installed on a USB drive, and I access it on an airgapped computer (going on hard drive only, it is Linux, in essence, right?).
If Electrum is installed on your airgapped computer, then you will need to download and verify the latest version of Electrum on an internet connected computer and then transfer this file over to your airgapped computer to be installed. I would use a completely clean USB drive to do this.

I have the cold and hot wallet version on the USB drive. So technically, can I download the upgrade directly on to the USB drive when connecting to the Internet? Many Thanks, in advance!
I don't understand what you mean by "cold and hot wallet version on the USB drive". There is only one latest version of Electrum. Whether it is cold or hot depends on if the device you are running it on is permanently airgapped or not. If that USB drive also contains your wallet file, you should never be connecting it to a computer with an internet connection if you want it to be a cold wallet.
newbie
Activity: 8
Merit: 0
July 20, 2022, 12:28:14 PM
#29
"You say your cold wallet is "on the Linux USB drive" - can you elaborate? Do you have an entire OS and Electrum running live from this USB drive? Or do you have Linux and Electrum installed on an airgapped computer and it is simply the wallet file which is stored on the USB drive?"

My Electrum wallet is installed on a USB drive, and I access it on an airgapped computer (going on hard drive only, it is Linux, in essence, right?).
I have the cold and hot wallet version on the USB drive. So technically, can I download the upgrade directly on to the USB drive when connecting to the Internet? Many Thanks, in advance!
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
July 16, 2022, 02:15:04 PM
#28
Hi, Can anyone help explain how to upgrade a cold storage Electrum wallet on the Linux USB drive?
It has not been used since 2017. I have the seed phrase, pass code, etc. It opens, but I cannot send it to the exchange.

Many Thanks, in advance!

Do you mean you have a live USB drive with Electrum installed on it?  You don't really need to do that, you can just download the latest appimage and use that instead since it doesn't need to be installed.

Before you can sign a transaction on the offline machine, you'll need to create it in a watch-only wallet first.  If you don't have a watch only wallet, you can create one by exporting the master public key from the offline wallet.
legendary
Activity: 2268
Merit: 18771
July 16, 2022, 02:14:41 PM
#27
Since version 4.0.1, Electrum has replaced their old transaction format with PSBTs, so you will need both your watch only wallet and your cold wallet to be at least this version or you will find they are incompatible and your cold wallet will not sign the transaction.

You say your cold wallet is "on the Linux USB drive" - can you elaborate? Do you have an entire OS and Electrum running live from this USB drive? Or do you have Linux and Electrum installed on an airgapped computer and it is simply the wallet file which is stored on the USB drive?
newbie
Activity: 8
Merit: 0
July 16, 2022, 02:05:25 PM
#26
Hi, Can anyone help explain how to upgrade a cold storage Electrum wallet on the Linux USB drive?
It has not been used since 2017. I have the seed phrase, pass code, etc. It opens, but I cannot send it to the exchange.

Many Thanks, in advance!
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
June 28, 2022, 10:04:49 PM
#25
-snip-
Edited 2;

How do I include non-alphanumeric chars in an password in the following command:
Code:
./run_electrum create -W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"

But the prompt simply removes some of those non-alphanumeric chars and acts like if the command is not complete and I get the "new line" no finish the command with the '>' symbol, you know?
If I remove the non-alphanumeric chars, the command runs correctly.
Password should be set with --password="password"
-w will set the value as the new wallet's name and path, if not set, it will be named "default_wallet".
encrypt_file=true/false prompts to encrypt the wallet file with the password (default - true) or just the master private key (false).
"passphrase" works the same as 'BIP39 passphrase' if you want to extend the seed phrase.

Here's an example create command:
Code:
run_electrum create -w "new_wallet" --seed_type=segwit --password="abc123!@#$%^&*()" --offline
Here's an example restore command to make an "imported wallet":
Code:
run_electrum restore -w "new_wallet" "p2wpkh:WIF_Private_Key1 p2wpkh-p2sh:WIF_Private_Key2" --password="abc123!@#$%^&*()" --offline
Prepend the address' script type depending on the address that you need to import (only three types are currently available):
  • p2wpkh: Native SegWit (bech32)
  • p2wpkh-p2sh: Nested SegWit
  • p2pkh: Legacy (default)
hero member
Activity: 1274
Merit: 681
I rather die on my feet than to live on my knees
June 28, 2022, 01:58:24 PM
#24
I just tried to download the sources, install dependencies but it still complains about not having pyQt5 installed. Is this impossible?
The source should run with commands without launching the GUI and the GUI's requirements.
You just have to add parameters or commands to "run_electrum" and it should not try to open the GUI.

e.g.:
Code:
run_electrum -w="WALLET'S_PATH" signmessage "tb1qxxxxxxxxxxxxxxxxxxxxxxxaswa08ff" "MessageMessage" --offline
It will return with the signature.

For more options, use 'help': run_electrum -h

Hi.

I just got home and I tried the help command. It worked. However I was looking for the command to create a new wallet but I couldn't find any. The closest thing I could find is the "make_seed". Will this create a new wallet? I'm just asking out of curiosity because the goal is to import a private key and then sign messages with that impoted address/private key!

And also, another question. I see there is a deamon and a gui options. The deamon is for what? To be able to provide some kind of RPC server for other applications to be able to access Electrum commands?


Edited;
Hum, I'm just experimenting and apparently, to create a new wallet, we just run something like:

Code:
./run_electrum create --offline

Then we are provided with the seed key that we should securely save and the default path to the default wallet!
And alsso seems that I need to have a daemon running before start running commands.

Edited 2;

How do I include non-alphanumeric chars in an password in the following command:
Code:
./run_electrum create -W "MyDummyPass!#$%word321" --seed_type="segwit" --encrypt_file="MyDummyPass!#$%word321"

But the prompt simply removes some of those non-alphanumeric chars and acts like if the command is not complete and I get the "new line" no finish the command with the '>' symbol, you know?
If I remove the non-alphanumeric chars, the command runs correctly.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
June 27, 2022, 09:09:43 PM
#23
I just tried to download the sources, install dependencies but it still complains about not having pyQt5 installed. Is this impossible?
The source should run with commands without launching the GUI and the GUI's requirements.
You just have to add parameters or commands to "run_electrum" and it should not try to open the GUI.

e.g.:
Code:
run_electrum -w="WALLET'S_PATH" signmessage "tb1qxxxxxxxxxxxxxxxxxxxxxxxaswa08ff" "MessageMessage" --offline
It will return with the signature.

For more options, use 'help': run_electrum -h
hero member
Activity: 1274
Merit: 681
I rather die on my feet than to live on my knees
June 27, 2022, 04:22:26 PM
#22
Hello,

I'm not a very frequent user of Electrum Wallet or any other wallet other than the ones in Bitcoin Core and Core Lightning but I need a wallet to sign messages using bech32 addresses which I think Bitcoin Core doesn't support. But the PC where I want to install Electrum doesn't have a desktop installed. Only the command line.

Is it possible to install and run Electrum wallet in a no gui environment by running the software only through the command line?
I just tried to download the sources, install dependencies but it still complains about not having pyQt5 installed. Is this impossible?
legendary
Activity: 2268
Merit: 18771
June 22, 2022, 01:15:20 AM
#21
Yeah, I've had to do this in a pinch.  I was at work and needed a nested segwit address for some reason, so I made a temporary wallet with my Electrum seed phrase.  All I had to do was lie to the software and pretend the seed was a bip39, and it let me do what I wanted.  Pretty easy tweak, but for obvious reasons I don't recommend it.
Ahh sure, that's one way of doing it. In that case you aren't using your Electrum seed phrase as an Electrum seed phrase at all (with the Electrum specific salt), but rather as a (most likely) invalid BIP39 seed phrase (with the BIP39 specific salt). I was thinking of using an Electrum seed phrase as an Electrum seed phrase, but forcing Electrum to ignore the incorrect version number and derive at a custom derivation path, which would require tinkering in the source code rather than just selecting the BIP39 option in the restore menu.

Either way, not recommended, and I'll stop before I go any further off topic.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
June 21, 2022, 11:16:07 AM
#20

Lol, too true.


At least however Bisq have clear documentation as to which derivation paths they use (https://bisq.wiki/Backing_up_your_wallet_seed#Wallet_derivation_paths) as opposed to many other wallets which just leave their users guessing.

Bisq is an absolutely awesome service.  Obviously not as powerful of a "wallet" as Electrum, but that's not the point of the system.  It's by FAR my favorite p2p exchange, and one of the reasons is the great documentation and service community.


As nc50lc says, the derivation path specifies the derivation of the private key. What the client does with that private key then is completely free and open. Most wallets will stick to the BIP44/49/84 standard for legacy/nested/native, but many do not. Any private key can be used to derive any address type (or even multiple address types. It is entirely possible to use the same seed phrase to create both a legacy and a segwit wallet at the same derivation path, if you wanted.)

This is an interesting subject;  I've used the same seed phrase to generate multiple types of wallets, Electrum makes it pretty easy with a Bip39 phrase.  Most hardware wallets allow users to create legacy, nested, and native wallets/accounts, and so far all the ones I've used stick the standard of 44=legacy, 49=nested segwit, 84=native segwit. 

Up until I attempted to import a Bisq seed into Electrum I was under the impression that the address types were hard-coded to the derivation "purpose."  But no, it's not.  I've conducted the below experiment before to make sure I wasn't insane.  As it turns out I'm only crazy; the test below uses a bip39 seed, and with the settings as shown it creates a native segwit wallet:

legendary
Activity: 2268
Merit: 18771
June 21, 2022, 03:03:05 AM
#19
This has always been an issue with programmers working around other peoples code since forever, not just with BTC.
https://xkcd.com/927/

Don't forget Bisq's m/44'/0'/1' for segwit addresses.
Yeah, another good example of a non-standard derivation path which Electrum's "Detect existing accounts" button would not pick up. At least however Bisq have clear documentation as to which derivation paths they use (https://bisq.wiki/Backing_up_your_wallet_seed#Wallet_derivation_paths) as opposed to many other wallets which just leave their users guessing.

I don't know how they were able to accomplish that, but that's how it goes.
As nc50lc says, the derivation path specifies the derivation of the private key. What the client does with that private key then is completely free and open. Most wallets will stick to the BIP44/49/84 standard for legacy/nested/native, but many do not. Any private key can be used to derive any address type (or even multiple address types. It is entirely possible to use the same seed phrase to create both a legacy and a segwit wallet at the same derivation path, if you wanted.)
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
June 20, 2022, 11:58:23 PM
#18
Don't forget Bisq's m/44'/0'/1' for segwit addresses.  Yeah, for segwit!  I don't know how they were able to accomplish that, but that's how it goes.
The derivation path is just telling the client to "derive the child key of this path", thus it will derive a private and public key pair down to the 'address index',
then the client just derive the SegWit address from that particular public key, regardless of the purpose field.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
June 20, 2022, 03:28:58 PM
#17
I don't think so. In the 13 years since Bitcoin's launch, we already have many commonly used derivation paths and scripts. The three commonly used BIP44/49/84s, now BIP86 for taproot, Core's m/0'/0', and a bunch of other unique paths for certain wallets, such as Samourai's m/84'/0'/2147483645'.

Don't forget Bisq's m/44'/0'/1' for segwit addresses.  Yeah, for segwit!  I don't know how they were able to accomplish that, but that's how it goes.  I had learned about this some time ago when I wanted to restore an old seed in Electrum, then I had re-learn it this past weekend when I helped a buddy get set up with Bisq.

Way too much shit to remember, and even though I do like Bip39 seeds for various reasons, things like that make it clear why Electrums seed generation method is superior.


There really is no end to how different poorly coded wallets can confuse their users and hide their funds behind unknown derivation paths. While it is obviously very good of the Electrum devs to try to address this and help out their users, I can't help but feel it is highly unfair asking them to clean up the mess that other wallets have created. Undecided

I agree, although this problem could be solved if someone contribute to add list of non-default path on various wallet. It could be either simple textbox (only showing pair of wallet and it's non-default path) or option (default path, enter manually, path of wallet A, etc.).

A better graphical interface pertaining to derivation paths and multiple accounts would solve a lot of problems for newbies.  They did a good job with the interface differentiating between "Legacy" and "Segwit" wallets, but not accounts within.  I don't see hardware wallet manufacturers moving away from derivation paths for multiple accounts anytime soon, so I would be nice to see Electrum find a decent way to allow users to see those options during setup of a new wallet.


And it's all good until with them trying to clean up other peoples poor programming or documentation they break something or introduce a vulnerability.
This has always been an issue with programmers working around other peoples code since forever, not just with BTC.
Same with the keepkey issue. How much time & effort did they spend cleaning up someone else's mess.

Lol, I know, right?  The only "coding" experience I've had in the last 25 years is writing post processors for CAM programs to pump out ISO-6983 g-code in a format that the machinists are used to, but it's so common that you fix one thing only to have another break.  I can only imagine what a nightmare that can be for a program as complex as a bitcoin wallet.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
June 20, 2022, 10:53:19 AM
#16
There really is no end to how different poorly coded wallets can confuse their users and hide their funds behind unknown derivation paths. While it is obviously very good of the Electrum devs to try to address this and help out their users, I can't help but feel it is highly unfair asking them to clean up the mess that other wallets have created. Undecided

And it's all good until with them trying to clean up other peoples poor programming or documentation they break something or introduce a vulnerability.
This has always been an issue with programmers working around other peoples code since forever, not just with BTC.
Same with the keepkey issue. How much time & effort did they spend cleaning up someone else's mess.

-Dave
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
June 20, 2022, 07:24:53 AM
#15
I've just found on Twitter some interesting/intriguing announcement.

Electrum 4.2.2 fixes a vulnerability that can be exploited on some Windows+SMB configurations. Please upgrade if you have not done so already.

From what it was written in here the importance of the update was not so much obvious. Now it is. So, especially the Windows users, please update asap (myself included).

Good catch.  Interesting that the release notes don't mention anything about that issue.

Based on commit message, looks like they forget to mention it when they release 4.2.2. It's added on newer commit.

There really is no end to how different poorly coded wallets can confuse their users and hide their funds behind unknown derivation paths. While it is obviously very good of the Electrum devs to try to address this and help out their users, I can't help but feel it is highly unfair asking them to clean up the mess that other wallets have created. Undecided

I agree, although this problem could be solved if someone contribute to add list of non-default path on various wallet. It could be either simple textbox (only showing pair of wallet and it's non-default path) or option (default path, enter manually, path of wallet A, etc.).
legendary
Activity: 2268
Merit: 18771
June 11, 2022, 01:51:23 AM
#14
Fortunately, that problem will be at least 30 years away, since it takes on average 3 years (using 1 datapoint and extrapolating by 10 more - so not accurate by any means, but just to get the feeling of time length) for Bitcoin developers to come up with another type of script that will take another witness version.
I don't think so. In the 13 years since Bitcoin's launch, we already have many commonly used derivation paths and scripts. The three commonly used BIP44/49/84s, now BIP86 for taproot, Core's m/0'/0', and a bunch of other unique paths for certain wallets, such as Samourai's m/84'/0'/2147483645'. Given that the problem described here was a legacy wallet sending its change to segwit change addresses, we could see the same problem in the near future with a legacy or segwit wallet sending its change to taproot change addresses (which Electrum does not support or therefore scan for at all yet).

There really is no end to how different poorly coded wallets can confuse their users and hide their funds behind unknown derivation paths. While it is obviously very good of the Electrum devs to try to address this and help out their users, I can't help but feel it is highly unfair asking them to clean up the mess that other wallets have created. Undecided
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
June 09, 2022, 11:24:06 AM
#13
I wonder if we'll see this type of problem become more common as we introduce more different address types beyond taproot.

Bech32 specification mention valid witness version is 0 to 16, so i bet we'll see another problem.

Fortunately, that problem will be at least 30 years away, since it takes on average 3 years (using 1 datapoint and extrapolating by 10 more - so not accurate by any means, but just to get the feeling of time length) for Bitcoin developers to come up with another type of script that will take another witness version.

So we'll have plenty of time to address that problem when it eventually crops up. At least we don't have to worry about it at this time.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
June 09, 2022, 09:38:08 AM
#12
Electrum 4.2.2 fixes a vulnerability that can be exploited on some Windows+SMB configurations. Please upgrade if you have not done so already.

So it's an offline brute-force attack against the user's Windows account password.
I don't know, but even after obtaining the Windows password, how will the hacker be able to steal the coins?
Or is he talking about the wallet password.

I think the attack vector was somewhat trivial, not something that is necessarily practical for a hacker to use as a way to steal your coins.  Regardless, a responsible development team that learns of a potential attack vector of any kind resulting from using their program knows that isn't cool.  So when the Electrum dev team learned about this potential attack vector they addressed it.  Just more evidence of what a great group of folks we've got working on Electrum.
legendary
Activity: 2702
Merit: 4002
June 09, 2022, 09:02:17 AM
#11
Electrum 4.2.2 fixes a vulnerability that can be exploited on some Windows+SMB configurations. Please upgrade if you have not done so already.


So it's an offline brute-force attack against the user's Windows account password.
I don't know, but even after obtaining the Windows password, how will the hacker be able to steal the coins?
Or is he talking about the wallet password.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
June 09, 2022, 08:29:48 AM
#10
I've just found on Twitter some interesting/intriguing announcement.

Electrum 4.2.2 fixes a vulnerability that can be exploited on some Windows+SMB configurations. Please upgrade if you have not done so already.

From what it was written in here the importance of the update was not so much obvious. Now it is. So, especially the Windows users, please update asap (myself included).

Good catch.  Interesting that the release notes don't mention anything about that issue.  It looks like this attack vector could be used to brute force the Windows password of a user who opens a pay request using a QR code.  It's specific to Windows machines only, and only if you use QR codes to import pay requests.  It appears that versions between 2.1 and 4.2.2 have this vulnerability.  Here're the details I found on Github:

Description
Impact
In BIP70 payment requests, Electrum allows the ?r= field to contain file:// URIs (besides http(s)).
The ?r= field can contain an arbitrary file URI, chosen by an attacker.

A malicious merchant can provide a BIP70 payment request in the form of a QR code or text, which the victim user would then scan or copy-paste, as part of the payment flow. Electrum would then see the file URI, and try to open the file in read mode and read it. If the read succeeds, the data is parsed using protobuf.

Specifically regarding the QR code vector, note that Electrum starts the BIP70 flow as soon as a QR code is scanned, without giving a chance to the user to review the content of the decoded QR code.

The file URI support was originally added for local dev testing, with the implicit assumption that it is safe to open files on the local filesystem in read-only mode. This assumption is incorrect.

On Linux/macOS, e.g. trying to read /dev/zero results in a DOS attack, where the application would run out-of-memory and get killed.

On Windows, paths can be crafted that correspond to network requests, for example initiating an SMB connection. In particular, it seems that it might be possible for an attacker located in the same "trusted" Local Area Network as the victim, after getting the victim to scan a malicious QR code, to have the victim's computer initiate a same-LAN SMB connection to the attacker's computer, and to capture an authentication token. That authentication token could later be used to initiate an offline brute-force attack against the user's Windows account password.

Patches
We have removed the file URI support in commit b247aa5ffef0f9ef000772fcf9cd9c7141abded8.
Electrum version 4.2.2 contains the fix.

Credits
We thank the Unciphered team, and specifically Frank Davidson <[email protected]> for responsibly disclosing this issue to us.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
June 09, 2022, 01:59:29 AM
#9
I've just found on Twitter some interesting/intriguing announcement.

Electrum 4.2.2 fixes a vulnerability that can be exploited on some Windows+SMB configurations. Please upgrade if you have not done so already.

From what it was written in here the importance of the update was not so much obvious. Now it is. So, especially the Windows users, please update asap (myself included).
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
May 30, 2022, 11:11:53 AM
#8
I saw on their github page they had only one firmware update this year... they probably broke something in April.

I think they broke something long before that.  When I first bought the wallet there was a desktop app provided by KeepKey.  I used it with Electrum from the get-go because the native app only supported legacy addresses.  At some point KeepKey merged with ShapeShift and they ported the desktop app into a google chrome extension, but the standalone app was still available.  Shortly after that a firmware update broke the ability to pair the device with the desktop app, unless it was started with admin privileges.  The same applied to pairing with Electrum.  To fix that issue, they stopped supporting the desktop app.  Undecided

It seems obvious that KeepKey doesn't really care about this.  They would just as soon have all KeepKey owners limited to using ShapeShift to manage their accounts.


I would not buy KeepKey wallet and I don't recommend it

That makes two of us.  Wink


I don't know if this issue was only with Electrum or KeepKey worked with other software wallets like Specter Desktop or Sparrow Wallet.

I don't use either of those wallets so I haven't tried.  When Core 22 was released with hardware support I was able to pair my Nano S, but the KeepKey was problematic.  I assume it was the same issue that prevented it from pairing with Electrum.  I don't expect Specter would behave any differently, since it's mainly just an alternative gui for Core.  Sparrow is also is just a gui wrapper around Electrum, so again I doubt it would behave differently with the KeepKey.
legendary
Activity: 2212
Merit: 7064
May 30, 2022, 10:27:18 AM
#7
Electrum just released a new version, 4.2.2.  One of the "issues" they fixed wasn't actually an issue with Electrum, but rather an issue with a the crappy KeepKey hardware wallet.
Thanks for posting this update, and I see there are few Lightning Network improvements as well.
Keepkey is probably not keeping up with Trezor code after they branched out, and I saw on their github page they had only one firmware update this year... they probably broke something in April.
I would not buy KeepKey wallet and I don't recommend it, but this is good news  for people that already won them, like in your case.
I don't know if this issue was only with Electrum or KeepKey worked with other software wallets like Specter Desktop or Sparrow Wallet.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
May 29, 2022, 06:39:56 AM
#6
I wonder if we'll see this type of problem become more common as we introduce more different address types beyond taproot.

Bech32 specification mention valid witness version is 0 to 16, so i bet we'll see another problem.
legendary
Activity: 2268
Merit: 18771
May 29, 2022, 03:34:59 AM
#5
I wasn't trying to minimize the other upgrades, only to highlight how the team proactively supports the community as a whole by going out of their way to support a problematic and not-very-popular hardware wallet.
The same applies to the issue I raised that nc50lc linked to above. As we know, Electrum does not even generate BIP39 seed phrases, but still supports them. And within an hour of me opening the issue about the user who was having trouble recovering from his BRD wallet, SomberNight had already made the necessary changes to the code to resolve the issue and make recovering these types of wallets easier. So again, going out of his way to support a problematic wallet.

I wonder if we'll see this type of problem become more common as we introduce more different address types beyond taproot.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
May 28, 2022, 11:37:53 PM
#4
# Release 4.2.2 - (May 27, 2022)
 * fix "Automated BIP39 recovery" not scanning change paths (#7804)
So they immediately fixed this after o-e-l-e-o submitted the issue in GitHub.
Gotta take note of that version in case some newbie experience the same issue like this one: https://bitcointalksearch.org/topic/m.60068150
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
May 28, 2022, 02:00:08 PM
#3
~

Oh, absolutely!  I wasn't trying to minimize the other upgrades, only to highlight how the team proactively supports the community as a whole by going out of their way to support a problematic and not-very-popular hardware wallet.  It wasn't something they had to do, so I'm feeling quite a lot of love right now.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
May 28, 2022, 01:54:56 PM
#2
* fix AppImage failing to run on certain systems (#7784)
 * bypass network proxy for localhost electrum server (#3126)


^^ I find these already important enough for a minor release; and the improvements to LN also matter.
I think that's not only about KeepKey Wink
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
May 28, 2022, 01:41:37 PM
#1
Electrum just released a new version, 4.2.2.  One of the "issues" they fixed wasn't actually an issue with Electrum, but rather an issue with a the crappy KeepKey hardware wallet.

# Release 4.2.2 - (May 27, 2022)
 * Lightning:
   - watching onchain outputs: significant perf. improvements (#7781)
   - enforce relative order of some msgs during chan reestablishment,
     lack of which can lead to unwanted force-closures (#7830)
   - fix: in case of a force-close containing incoming HTLCs, we were
     redeeming all HTLCs that we know the preimage for. This might
     publish the preimage of an incomplete MPP. (1a5ef554, e74e9d8e)
 * Hardware wallets:
   - smarter pairing during sign_transaction (238619f1)
   - keepkey: fix pairing with device using a workaround (#7779)
 * fix AppImage failing to run on certain systems (#7784)
 * fix "Automated BIP39 recovery" not scanning change paths (#7804)
 * bypass network proxy for localhost electrum server (#3126)

As you can see from the release notes above (emphasis mine,) the pairing issue with KeepKey has been fixed "using a workaround."  How do I know the issue is with the hardware wallet, and not Electrum?  The same pairing problem is endemic with the KeepKey and any desktop client I've tried.  The same problem with pairing is present with KeepKey's own bootloader and firmware update client.  The issue started after a firmware update roughly 2 years ago (IIRC,) and until now KeepKey has been unable to resolve their issue.  In order to pair a KeepKey with desktop clients one would have to run the application with administrator privileges.

I just tried the new version with one of my KeepKey HW wallets, and it pairs up smooth as silk.  Kudos to the Electrum team for stepping up and taking care of their supporters.
Jump to: