Chia Blockchain RPC Authentication Bypass Vulnerability in Master Passphrase Handler

Vulnerability

An authentication bypass vulnerability has been identified in the Chia Blockchain RPC server version 2.1.0. The issue arises in the Master Passphrase Handler, specifically within the 'send_transaction' and 'get_private_key' functions. This vulnerability allows local processes to bypass authentication and access sensitive operations, such as transferring funds and extracting private keys, including the 24-word seed, without requiring the Master Passphrase. The vulnerability is exacerbated by Cross-Site Request Forgery (CSRF) risks, as the RPC server lacks proper origin validation and CORS headers, enabling remote attacks that can manipulate wallet transactions.
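The two missing checks described above (origin validation on the RPC endpoint and a Master Passphrase requirement on 'send_transaction' and 'get_private_key') can be sketched as one fail-closed request gate. This is an added example, not code from Chia or from this advisory. The function names, the host and origin allowlists, port 9999 and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# The two handlers the advisory names as reachable without the Master Passphrase.
SENSITIVE_METHODS = {"send_transaction", "get_private_key"}
# Constructed values for this sketch, not Chia defaults.
ALLOWED_HOSTS = {"localhost:9999", "127.0.0.1:9999"}
ALLOWED_ORIGINS = {"https://localhost:9999"}
KDF_ROUNDS = 100_000  # stand-in KDF parameters, not Chia's keyring scheme


def derive(passphrase: str, salt: bytes) -> bytes:
    """Derive the verifier that is compared against the stored value."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS)


def origin_ok(headers: dict) -> bool:
    """Refuse cross-site browser requests; expects lower-cased header names."""
    # An unexpected Host value indicates the request was not addressed to us.
    if headers.get("host", "").lower() not in ALLOWED_HOSTS:
        return False
    # A JSON content type cannot be sent cross-site without a CORS preflight.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    origin = headers.get("origin")
    # Non-browser clients send no Origin; any Origin present must be
    # allowlisted, which also rejects the opaque value "null".
    return origin is None or origin.lower() in ALLOWED_ORIGINS


def authorize(method: str, headers: dict, passphrase: Optional[str],
              salt: bytes, stored: bytes) -> str:
    """Return 'ok' or the name of the check that refused the request."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not origin_ok(headers):
        return "origin"
    if method in SENSITIVE_METHODS:
        # Fail closed: no passphrase supplied means no sensitive operation.
        if passphrase is None:
            return "passphrase"
        if not hmac.compare_digest(derive(passphrase, salt), stored):
            return "passphrase"
    return "ok"
```

The gate runs before any handler is dispatched, so a request with valid transport credentials still cannot reach a sensitive method without the passphrase.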

Impact

Exploitation of this vulnerability could lead to unauthorized transactions being executed on behalf of the user, draining funds from the wallet. Additionally, the vulnerability allows for the extraction of private keys and the 24-word recovery seed, compromising the user's entire Chia account and wallet security.

Reproduction

To reproduce this vulnerability, first ensure that the Chia Blockchain RPC server is running version 2.1.0 without any RPC credentials set in the configuration. This default setting allows authentication to be bypassed. Once the server is running, a local process can access the 'get_private_key' function via the RPC interface, using the appropriate mTLS certificates to authenticate the request. The response will include the private key and the 24-word seed, demonstrating the successful exploitation of the vulnerability. Similarly, the 'send_transaction' function can be called to execute transactions without the required passphrase, bypassing the wallet's security measures.

Added: Feb 25, 2026, 10:54 PM
Updated: Feb 25, 2026, 10:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.