NutzBoot Information Disclosure Vulnerability in Ethereum Wallet Handler
Vulnerability
A vulnerability allowing information disclosure has been identified in NutzBoot versions through 2.6.0-SNAPSHOT. The issue arises in the Ethereum Wallet Handler component, specifically within the EthModule.java file. The vulnerability allows for the leakage of wallet passwords by exposing the web3jCredentials map as JSON via the /web3j/local/accounts endpoint. This endpoint lacks authentication, enabling remote attackers to access plaintext passwords for all configured Ethereum accounts.
Impact
Exploitation of this vulnerability allows for the unauthorized retrieval of Ethereum wallet passwords, which could lead to the theft of funds or unauthorized transactions using the victim's wallet.
Reproduction
To reproduce this vulnerability, deploy the NutzBoot application with the Web3j demo module. Ensure that at least one Ethereum account is configured with a password. Then, send a GET request to the /web3j/local/accounts endpoint without any authentication. The response will include the plaintext password and address for each configured account.
Remediation
It is recommended to remove sensitive information such as passwords from API responses. Implement authentication and authorization for the /web3j/local/accounts endpoint, and disable it in production environments. Additionally, store wallet passphrases in a secure vault instead of in configuration files.
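The sketch below illustrates the first three remediation steps in plain Java: an allow-list projection of the credentials map, an authentication check, and a switch that turns the endpoint off. It is an added example, not NutzBoot's own code; the class and method names, the `address` and `password` field names, the bearer-token scheme, and the enable flag are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class AccountsEndpointHardening {
    // Allow-list of fields that may leave the process (assumed field name); all others are dropped.
    static final Set<String> PUBLIC_FIELDS = Set.of("address");

    // Copies only allow-listed fields, so a field added to the map later is not exposed by default.
    static Map<String, Map<String, Object>> publicView(Map<String, Map<String, Object>> credentials) {
        Map<String, Map<String, Object>> out = new LinkedHashMap<>();
        credentials.forEach((alias, entry) -> {
            Map<String, Object> safe = new LinkedHashMap<>();
            for (String f : PUBLIC_FIELDS) if (entry.containsKey(f)) safe.put(f, entry.get(f));
            out.put(alias, safe);
        });
        return out;
    }

    // Rejects a missing header or unset token; compares the token with MessageDigest.isEqual.
    static boolean authorized(String header, String expected) {
        if (header == null || expected == null || expected.isEmpty() || !header.startsWith("Bearer ")) return false;
        byte[] got = header.substring(7).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(got, expected.getBytes(StandardCharsets.UTF_8));
    }

    // Returns the HTTP status to send; 'body' is filled only when the status is 200.
    static int handle(boolean enabled, String header, String expected,
                      Map<String, Map<String, Object>> credentials, Map<String, Map<String, Object>> body) {
        if (!enabled) return 404;                        // endpoint switched off, e.g. in production
        if (!authorized(header, expected)) return 401;   // no anonymous access
        body.putAll(publicView(credentials));
        return 200;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real deployment.
        Map<String, Object> entry = new LinkedHashMap<>();
        entry.put("address", "0x0000000000000000000000000000000000000001");
        entry.put("password", "constructed-sample-passphrase");
        Map<String, Map<String, Object>> creds = Map.of("demo", entry);
        Map<String, Map<String, Object>> body = new LinkedHashMap<>();
        System.out.println(handle(false, "Bearer sample-token", "sample-token", creds, body) + " " + body);
        System.out.println(handle(true, null, "sample-token", creds, body) + " " + body);
        System.out.println(handle(true, "Bearer sample-token", "sample-token", creds, body) + " " + body);
    }
}
```

In a real deployment the expected token would come from the secret store mentioned above, not from source code or configuration files.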
