[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability
From: disclosure@xxxxxxxxx
Date: Fri, 02 Feb 2018 11:35:43 -0500


Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability
=======================================================================

            product: Claymore's Dual Miner
 vulnerable version: <= 10.5
      fixed version: 10.6
         CVE number: - CVE-2018–6317
             impact: critical
           homepage: https://bitcointalk.org/index.php?topic=1433925.0
              found: 2018-01-26
                 by: twitter.com/res1n

=======================================================================


Vulnerability overview/description:
-----------------------------------

Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a formatstrings vulnerability. This allows an unauthenticated remote attacker toread memory addresses, or immediately terminate the mining processcausing a denial of service.

1) By sending a custom request to the json api on port 3333 of theremote management service it's possible to leak stack addresses andpossibly rewrite stack addresses with %p. I wasn't able to break out ofthe json padding but someone else may be able to as %s also dumps stringcontents.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc192.168.1.139 3333 & printf "\n".

2) Sending %n to the json api on port 3333 immediately kills the miningprocess.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc192.168.1.139 3333 & printf "\n".


Solution
------------------------
Upgrade to version 10.6


Vendor contact timeline:
------------------------
01/26/18 — Reported to dev

01/26/18 — Confirmed and immediately patched. 10.6 released request for3–4 day embargo

01/31/18 — Public Disclosure

Writeup -https://medium.com/secjuice/claymore-dual-gpu-miner-10-5-format-strings-vulnerability-916ab3d2db30


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Recon Montreal 2018 Call For Papers - 0xE - Registration - Training - Conference - Submit! - PGP key
Next by Date: [FD] CFP: EuroSec 2018, 11th European Workshop on Systems Security (Extended Deadline: February 9, 2018)
Previous by thread: [FD] Recon Montreal 2018 Call For Papers - 0xE - Registration - Training - Conference - Submit! - PGP key
Next by thread: [FD] CFP: EuroSec 2018, 11th European Workshop on Systems Security (Extended Deadline: February 9, 2018)
Index(es):
- Date
- Thread