Open Source and information security mailing list archives
Date: Fri, 02 Feb 2018 11:35:43 -0500
Subject: [FD] Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability

Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability

             product: Claymore's Dual Miner
  vulnerable version: <= 10.5
       fixed version: 10.6
          CVE number: CVE-2018-6317
              impact: critical
               found: 2018-01-26


Vulnerability overview/description:
Claymore's Dual GPU Miner 10.5 and below is vulnerable to a format 
string vulnerability. It allows an unauthenticated remote attacker to 
read memory addresses or to terminate the mining process immediately, 
causing a denial of service.

1) By sending a custom request to the JSON API on port 3333 of the 
remote management service it is possible to leak stack addresses and 
possibly rewrite stack addresses with %p. I wasn't able to break out of 
the JSON padding, but someone else may be able to, as %s also dumps strings.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc <miner-host> 3333 & printf "\n"

2) Sending %n to the JSON API on port 3333 immediately kills the mining process.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc <miner-host> 3333 & printf "\n"
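The two findings above share one root cause: the value of the "method" field from the network ends up as the format argument of a printf-family call, so %x reads stack words and %n writes memory. The following C is an added example, not Claymore's code (which is closed source); the JSON shape, the function names and the handler structure are assumptions. It shows the vulnerable call pattern beside the fixed one, and a small check that extracts the method field from a request line and counts format directives, which is a reasonable signal to log or alert on for traffic to the management port.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (hypothetical reconstruction of the bug class, shown
 * for contrast only; deliberately not compiled):
 *
 *   snprintf(out, n, method);            // attacker string IS the format
 *
 * Fixed pattern: the untrusted string is passed as a %s argument, so "%x"
 * or "%n" inside it is copied literally and never interpreted.
 */
static int log_method_fixed(char *out, size_t n, const char *method) {
    return snprintf(out, n, "rpc method: %s", method);
}

/*
 * Pull the "method" value out of a one-line JSON-RPC request. This is a
 * minimal scan for the assumed key layout {"...","method":"<value>"}, not a
 * JSON parser; enough for a log-line or proxy check. Returns 1 on success.
 */
static int extract_method(const char *json, char *out, size_t n) {
    const char *key = "\"method\":\"";
    const char *start = strstr(json, key);
    if (!start) return 0;
    start += strlen(key);
    const char *end = strchr(start, '"');
    if (!end || (size_t)(end - start) >= n) return 0;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

/*
 * Count printf-style conversion directives in a string. Legitimate method
 * names (e.g. "miner_getstat1") contain none; any non-zero count on the
 * management listener is worth an alert. "%%" is a literal percent sign.
 */
static int count_format_directives(const char *s) {
    int count = 0;
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) { count++; p++; }
    }
    return count;
}

/* Directive count in the request's method field, or -1 if none is found. */
static int check_request(const char *json) {
    char method[128];
    if (!extract_method(json, method, sizeof method)) return -1;
    return count_format_directives(method);
}

/* Returns 1 if the fixed handler keeps "%n" as literal text, as intended. */
static int fixed_keeps_literal(void) {
    char out[64];
    log_method_fixed(out, sizeof out, "%n");
    return strcmp(out, "rpc method: %n") == 0;
}

int main(void) {
    /* Constructed sample requests: one benign, two shaped like the advisory's. */
    const char *samples[] = {
        "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"miner_getstat1\"}",
        "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%x %x %x %x\"}",
        "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%n\"}",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("directives=%d  %s\n", check_request(samples[i]), samples[i]);
    printf("fixed handler keeps %%n literal: %s\n",
           fixed_keeps_literal() ? "yes" : "no");
    return 0;
}
```

The counter treats the whole printf directive grammar (flags, width, precision, length) as one unit so that padded forms such as %08x are caught as well as the bare %x from the advisory; the fixed handler is the entire remediation for this bug class, the detector only buys visibility while unpatched instances remain.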

Upgrade to version 10.6

Vendor contact timeline:
01/26/18 — Reported to dev
01/26/18 — Confirmed and immediately patched; 10.6 released, with a request 
for a 3–4 day embargo
01/31/18 — Public Disclosure

Writeup -

Sent through the Full Disclosure mailing list