Message-ID: <9f9fdc3feb4474da3019763ee59e2788@sysadm.io>
Date: Fri, 02 Feb 2018 11:35:43 -0500
From: disclosure@...adm.io
To: fulldisclosure@...lists.org
Subject: [FD] Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability

Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability
=======================================================================
product:            Claymore's Dual Miner
vulnerable version: <= 10.5
fixed version:      10.6
CVE number:         CVE-2018-6317
impact:             critical
homepage:           https://bitcointalk.org/index.php?topic=1433925.0
found:              2018-01-26
by:                 twitter.com/res1n
=======================================================================

Vulnerability overview/description:
-----------------------------------
Claymore's Dual GPU Miner 10.5 and below is vulnerable to a format string vulnerability. This allows an unauthenticated remote attacker to read memory addresses, or to immediately terminate the mining process, causing a denial of service.

1) By sending a custom request to the JSON API on port 3333 of the remote management service it's possible to leak stack addresses and possibly rewrite stack addresses with %p. I wasn't able to break out of the JSON padding, but someone else may be able to, as %s also dumps string contents.

   example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc 192.168.1.139 3333 & printf "\n"

2) Sending %n to the JSON API on port 3333 immediately kills the mining process.

   example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"

Solution
------------------------
Upgrade to version 10.6

Vendor contact timeline:
------------------------
01/26/18 — Reported to dev
01/26/18 — Confirmed and immediately patched. 10.6 released; request for 3-4 day embargo
01/31/18 — Public Disclosure

Writeup - https://medium.com/secjuice/claymore-dual-gpu-miner-10-5-format-strings-vulnerability-916ab3d2db30

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
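The bug class the advisory describes, a request-controlled "method" value reaching a printf-style function, as an added C illustration that is not Claymore's code: a hypothetical miniature of such a handler in its fixed form, a check that flags printf conversion directives in an incoming method name, and a naive extractor for the request's "method" field. The request strings are constructed after the shape quoted in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical miniature of a JSON-RPC management handler (added example,
 * not Claymore's code). The advisory reports that the request's "method"
 * value reached a format function unchanged, i.e. a pattern like
 *     snprintf(out, n, method);   // attacker text becomes the format string
 * so "%x" leaks stack words and "%n" writes through a pointer, killing the
 * process. */

/* Fixed form: the untrusted value is only ever an argument, never the format. */
void log_method_safe(char *out, size_t n, const char *method)
{
    snprintf(out, n, "unknown method: %s", method);
}

/* Defensive check for logging/alerting: does s contain a printf conversion
 * directive? "%%" is a literal percent sign and is skipped. Returns 1 if found. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) return 1;
    }
    return 0;
}

/* Naive extractor for the "method" value of a one-line JSON-RPC request
 * (assumes no escaped quotes inside the value). Returns 0 on success, -1 otherwise. */
int extract_method(const char *json, char *method, size_t n)
{
    const char *key = strstr(json, "\"method\":\"");
    if (!key) return -1;
    key += strlen("\"method\":\"");
    const char *end = strchr(key, '"');
    if (!end || (size_t)(end - key) >= n) return -1;
    memcpy(method, key, (size_t)(end - key));
    method[end - key] = '\0';
    return 0;
}
```

Running `has_format_directive` on the extracted method gives a cheap detection signal for the requests the advisory shows, while `log_method_safe` is the shape the fixed code should take regardless.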