Claymore Dual GPU Miner 10.5 - Format String



EKU-ID: 7336 CVE: 2018-6317 OSVDB-ID:
Author: res1n Published: 2018-02-06 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing a denial of service.
 
After reading about the recent vulnerabilities with previous versions, I thought I should take another look at the json listener on port 3333 and see if there was any avenues of attack.
 
echo -e '{"id":1,"jsonrpc":"1.0","method":"test"}' | nc 192.168.1.107 3333 & printf "\n"
 
After realizing the buffer was printed I decided to try a few others…
 
Sending %s does return some strings, however I couldn’t get the hex addresses padded properly to dig in more as I kept getting unable to parse json errors. Sending %p also did yield some results but I’m sure someone more qualified may be able to exploit the stack further…
 
Finally, sending %n completely kills the mining process.
 
echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"
 
Keep your rigs up to date, or stop opening port 3333 to the public. Seriously.
 
Timeline
01/26/18 — Reported
 
01/26/18 —Confirmed and immediately patched. 10.6 released request for 3–4 day embargo
 
01/31/18 — Public Disclosure