lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 06 Oct 2014 18:29:05 -0700
From: Mick Ayzenberg <>
Subject: [FD] CVE-2014-6251 : Stack Overflow in CPUMiner When Submitting
 Upstream Work

Vulnerability title: Stack Overflow in CPUMiner When Submitting Upstream
CVE: CVE-2014-6251
Affected version: CPUMiner before 2.4.1
Reported by: Mick Ayzenberg of Deja vu Security


A malicious pool or an attacker who is in the middle of a valid
stratum connection can respond to a 'mining.subscribe' and instruct a
miner to use a large nonce2 length.

The attacker can then instruct the miner to generate blocks with a
standard 'mining.notify' request. Once the miner has discovered a
valid block it will attempt to copy this large nonce into a fixed size
character array and overflow into stack memory.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists