Jul 10, 2025

# Hijacking the Miner: How NiceHashMiner’s Auto-Update Pipeline Enables Zero-Click RCE

**Author:** Rhyugen | July 2025
**Tags:** #Cybersecurity #ReverseEngineering #SupplyChain #VulnerabilityResearch #CVE

---

### 💡 TL;DR

NiceHashMiner’s update system fetches unsigned binaries over plaintext HTTP. This allowed me to deliver **arbitrary payloads via DNS poisoning or MITM**, resulting in **zero-click Remote Code Execution (RCE)**. No hash checks. No TLS. No user interaction. Just execution.

Welcome to 2025’s flavor of a supply chain disaster waiting to happen.

---

## ⚔️ Discovery Context

While auditing update mechanisms of crypto mining tools, I looked into [NiceHashMiner (QuickMiner)](https://github.com/nicehash/NiceHashQuickMiner). These apps auto-update — often silently — which makes them juicy targets for supply chain compromise.

During a basic network analysis, I discovered that:

- `NiceHashMiner` downloads critical binaries from **http://update.nicehash.com**
- There’s **no HTTPS**, **no certificate pinning**
- No digital signature or hash validation on executables

---

## 🔥 The Vulnerability

Let me break it down:

1. `update.json` fetched over HTTP tells the miner where to download the `.exe` from.
2. That `.exe` is also pulled over HTTP.
3. No hashes or signature checks.
4. The binary is executed automatically upon download.

That’s it. You control the update path = you control the machine.
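To make the four steps concrete, here is an added Python model of the update flow on a hostile network (example code written for this page, not code from the post or from NiceHash). It puts a client that does exactly what the post describes beside a hardened one that refuses plaintext hops and checks the download against the manifest hash. The manifest field names `url` and `sha256`, the payload name `NiceHashMiner.exe`, and the fake transport are assumptions; both "binaries" are constructed byte strings.

```python
"""Model of an auto-update pipeline under DNS poisoning / MITM.

Constructed example; not NiceHashMiner code. Manifest schema and filenames
are assumed, since the post does not document update.json's fields.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed payloads standing in for the real installer.
GOOD_BINARY = b"MZ\x90\x00 vendor-built NiceHashMiner update (constructed)"
EVIL_BINARY = b"MZ\x90\x00 attacker payload served from the hijacked host (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The vendor's genuine manifest (field names assumed).
VENDOR_MANIFEST = json.dumps({
    "version": "1.0.0",
    "url": "https://update.nicehash.com/NiceHashMiner.exe",
    "sha256": sha256_hex(GOOD_BINARY),
}).encode()

# What the attacker answers with once DNS poisoning or an on-path MITM routes
# the client to their box: a manifest naming their own .exe, with a hash that
# is "correct" for *their* bytes. A hash inside an unauthenticated manifest
# proves nothing.
ATTACKER_MANIFEST = json.dumps({
    "version": "9.9.9",
    "url": "http://update.nicehash.com/NiceHashMiner.exe",
    "sha256": sha256_hex(EVIL_BINARY),
}).encode()


def network(url: str) -> bytes:
    """Fake transport for the hostile-network case (assumption, not a real socket).

    TLS authenticates the server as the legitimate owner of update.nicehash.com,
    so https answers come from the vendor. Anyone on-path can answer plaintext
    http, so http answers come from the attacker.
    """
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return VENDOR_MANIFEST if parsed.path.endswith(".json") else GOOD_BINARY
    return ATTACKER_MANIFEST if parsed.path.endswith(".json") else EVIL_BINARY


def insecure_update(manifest_url: str, fetch=network) -> bytes:
    """The flow the post describes: fetch update.json, fetch whatever URL it
    names, execute. No scheme check, no hash check, no signature check."""
    manifest = json.loads(fetch(manifest_url))
    return fetch(manifest["url"])  # these bytes go straight to execution


def secure_update(manifest_url: str, fetch=network) -> bytes:
    """Hardened flow: both hops over TLS, and the binary's hash pinned by a
    manifest the client could only have obtained from the vendor."""
    if urlparse(manifest_url).scheme != "https":
        raise ValueError("update manifest must be fetched over https")
    manifest = json.loads(fetch(manifest_url))
    binary_url = manifest["url"]
    if urlparse(binary_url).scheme != "https":
        raise ValueError("manifest points at a plaintext download; refusing")
    data = fetch(binary_url)
    if not hmac.compare_digest(sha256_hex(data), manifest["sha256"]):
        raise ValueError("downloaded binary does not match manifest hash; refusing")
    return data


def try_update(updater, manifest_url: str, fetch=network) -> str:
    """Run an updater and report what it would have executed, executing nothing."""
    try:
        data = updater(manifest_url, fetch)
    except ValueError as exc:
        return f"refused: {exc}"
    return "would execute vendor binary" if data == GOOD_BINARY else "would execute ATTACKER binary"


if __name__ == "__main__":
    print(try_update(insecure_update, "http://update.nicehash.com/update.json"))
    print(try_update(secure_update, "https://update.nicehash.com/update.json"))
    print(try_update(secure_update, "http://update.nicehash.com/update.json"))
```

The point of `ATTACKER_MANIFEST` is the caveat practitioners most often miss: adding a `sha256` field to `update.json` fixes nothing on its own, because whoever rewrites the manifest also rewrites the hash. The hash only helps because the manifest hop is authenticated (here by TLS to the vendor's hostname). Going one step further, a manifest signed with a vendor key baked into the client, plus an Authenticode check on the downloaded `.exe`, removes even the dependence on the CA ecosystem and catches a compromised download host, which is what the fourth assertion in the test models.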

---

## 🧪 PoC: Update Hijack

**Setup:**

1. Modify `/etc/hosts` (on a Windows victim, `C:\Windows\System32\drivers\etc\hosts`) to point `update.nicehash.com` to a local IP (e.g. `127.0.0.1`)
2. Host a malicious update server:
```bash
cd ~/malicious_server/            # holds the crafted update.json and the payload .exe
python3 -m http.server 80         # port 80 needs root; the miner fetches over plain HTTP
```
