Disclosure of crash due to malicious BIP72 URI (≤ version 0.19.2)

Bitcoin Core writes:
Disclosure of crash due to malicious BIP72 URI (≤ version 0.19.2)

Bitcoin-Qt could crash upon opening a BIP72 URI.

This issue is considered Medium severity.

Details

BIP72 extends the BIP21 URI scheme
with an r parameter to fetch a payment request from. An attacker could simply point the URL
contained in the r parameter to a very large file, for which Bitcoin-Qt would try to allocate
enough memory and crash.

The victim could get tricked into opening a rogue payment request. The large download would happen
in the background with little to no output in the GUI until the application runs out of memory.

Attribution

Credits go to Michael Ford (Fanquake) for responsibly disclosing the issue and providing a PoC.

Timeline

  • 2019-08-12 Michael Ford reports the bug to Cory Fields and Wladimir Van Der Laan
  • 2019-10-16 Michael Ford opens PR #17165 to get rid of BIP70 support entirely
  • 2019-10-26 Michael’s PR is merged into Bitcoin Core
  • 2020-06-03 Bitcoin Core version 0.20.0 is released
  • 2021-09-13 The last vulnerable Bitcoin Core version (0.19.0) goes EOL
  • 2024-07-03 Public disclosure