I accidentally discovered a potential vulnerability in YouTube during a late-night debugging session on an MP4 muxer. This is the story of how a simple bug in my own code made me rethink the security implications of a video transcoding pipeline.
Exposing the bitcoind RPC has always been a bad idea, but let’s make it worse! We discovered that the usage of bitcoind’s getnewaddress and dumpwallet can be abused to gain remote code execution, essentially elevating our limited access to bitcoind into a full “SSH” shell that allows us to execute arbitrary commands.