Shortly after publishing my article on Skycoin hardware wallet issues, I discovered that the Skycoin developers had missed two important patches for old upstream firmware vulnerabilities in the Trezor that were still present in their code, so I reported that problem as well.

The buffer overflow in particular could have a serious security impact depending on the firmware compilation settings, but there are indications that this is not the case for the Skycoin firmware.

Receive Buffer Overflow Vulnerability

This issue is described in depth via the original disclosure article and technical section.

For Skycoin, the vulnerable function is located here.
Sanitizer backtrace:

==31052==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006f9740 [...]
WRITE of size 63 at 0x0000006f9740 thread T0
    #0 0x520849 in __asan_memcpy
    #1 0x5de756 in msg_read_common /hardware-wallettiny-firmware/firmware/messages.c:222:9
    #2 0x620f8f in usbPoll /hardware-wallettiny-firmware/fuzzer/fuzzer.c:209:7
    #3 0x550db9 in skycoin_main /hardware-wallettiny-firmware/firmware/main.c:97:9

0x0000006f9740 is located 0 bytes to the right of global variable
'msg_in' defined in 'firmware/messages.c' (0x6f6740) of size 12288
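The trace shows a 63-byte memcpy landing exactly at the end of the 12288-byte msg_in buffer, the pattern of a report reassembler that keeps appending USB reports without bounding the copy. The following is an added illustration of the two checks such a reassembler needs; it is not the Skycoin or Trezor code, and its framing (a 9-byte header on the first report, a 1-byte prefix on later ones) is a simplified assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not the Skycoin/Trezor code. A receive buffer the size
 * of msg_in in the trace is filled from 64-byte USB reports. Framing is a
 * simplified assumption: first report = "?##" + 2-byte type + 4-byte
 * big-endian length + payload; later reports = "?" + payload. */
#define MSG_IN_SIZE 12288u
#define REPORT_SIZE 64u
static uint8_t msg_in[MSG_IN_SIZE];
static uint32_t msg_size, msg_pos;  /* announced length, bytes copied so far */

void msg_reset(void) { msg_size = 0; msg_pos = 0; }
uint32_t msg_received_len(void) { return msg_pos; }

/* Feed one report: 1 = message complete, 0 = need more, -1 = rejected. */
int msg_feed(const uint8_t *report, size_t len) {
    size_t hdr = 1, n;
    if (len == 0 || len > REPORT_SIZE || report[0] != '?') return -1;
    if (msg_pos == 0 && msg_size == 0) {            /* header report */
        if (len < 9 || report[1] != '#' || report[2] != '#') return -1;
        msg_size = ((uint32_t)report[5] << 24) | ((uint32_t)report[6] << 16)
                 | ((uint32_t)report[7] << 8) | (uint32_t)report[8];
        /* Check 1: an announced length larger than the buffer is rejected
         * here, before any payload is copied. */
        if (msg_size > MSG_IN_SIZE) { msg_reset(); return -1; }
        hdr = 9;
    }
    n = len - hdr;
    if (n > msg_size - msg_pos) n = msg_size - msg_pos; /* clip to message end */
    /* Check 2: the copy itself must stay inside msg_in whatever the
     * bookkeeping says; this bound stops a write past the end of the buffer. */
    if (n > MSG_IN_SIZE - msg_pos) { msg_reset(); return -1; }
    memcpy(msg_in + msg_pos, report + hdr, n);
    msg_pos += (uint32_t)n;
    return msg_pos == msg_size ? 1 : 0;
}

/* Test driver: announce `declared` bytes, then push up to `reports`
 * continuation reports of 63 payload bytes. Returns the last result. */
int simulate(uint32_t declared, unsigned reports) {
    uint8_t r[REPORT_SIZE];
    memset(r, 0xAA, sizeof r);                       /* constructed payload */
    r[0] = '?'; r[1] = '#'; r[2] = '#'; r[3] = 0; r[4] = 0;
    r[5] = (uint8_t)(declared >> 24); r[6] = (uint8_t)(declared >> 16);
    r[7] = (uint8_t)(declared >> 8);  r[8] = (uint8_t)declared;
    msg_reset();
    int rc = msg_feed(r, sizeof r);
    for (unsigned i = 0; i < reports && rc == 0; i++) rc = msg_feed(r, sizeof r);
    return rc;
}
```

A message announcing more than MSG_IN_SIZE bytes is rejected at the header, and a message of exactly MSG_IN_SIZE bytes fills the buffer to its last byte without the copy ever exceeding it.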

Stack Overflow in BIP39 Recovery Procedure

This issue is also described in depth in a separate article and its technical section.

In this case, the problematic code is located here.

Coordinated Disclosure

Reporting the issues has been fairly quick and straightforward. Since encrypted communication with the vendor was already established and upstream patches for the problems were available, the disclosure process was finished in less than a month and with little overhead.

Relevant Product

variant                  source   fix                                  references
Skycoin hardware-wallet  Github   patches, firmware revision unclear   ?

Detailed Timeline

Date        Info
2020-08-14  Disclosure to Skycoin
2020-08-30  Skycoin acknowledges disclosure email
2020-09-03  Public Github pull request with patches
2020-09-07  Github main branch patched

A Note About the Research

I want to emphasize that this research was done on my own time and initiative. In particular, it was not incentivized by SatoshiLabs, for whom I do some paid security research on the upstream project.

Bug Bounty

Skycoin provided a bug bounty for these issues.