Claymore Dual GPU Miner 10.5 Format String

Claymore Dual GPU Miner versions 10.5 and below suffer from format string vulnerabilities.

MD5 | fdbaa03bf96433f880d5f0591306d178

Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability

product: Claymore's Dual Miner
vulnerable version: <= 10.5
fixed version: 10.6
CVE number: CVE-2018-6317
impact: critical
found: 2018-01-26


Vulnerability overview/description:
Claymore's Dual GPU Miner 10.5 and below is vulnerable to a format
string vulnerability. This allows an unauthenticated remote attacker to
read memory addresses, or to immediately terminate the mining process,
causing a denial of service.

1) By sending a custom request to the JSON API on port 3333 of the
remote management service it is possible to leak stack addresses and
possibly rewrite stack addresses with %p. I wasn't able to break out of
the JSON padding, but someone else may be able to, as %s also dumps strings.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc <host> 3333 & printf "\n".

2) Sending %n to the JSON API on port 3333 immediately kills the mining process.

example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc <host> 3333 & printf "\n".
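Both findings above are the same bug class: a string taken from the request's "method" field reaches a printf-family function as the format argument, so "%x" reads stack contents and "%n" writes memory. The following is an added example written for this advisory, not Claymore's code; it assumes a simplified request shape and a placeholder method name "getstat", and shows the flawed pattern alongside the two defender-side fixes: pass untrusted data as an argument to a fixed format string, and reject or alert on any "method" value containing format directives.

```c
/* Added example, not Claymore's code: the bug class from the advisory
 * (a JSON-RPC "method" value used as a printf format string) and the
 * hardened handling. Method name and JSON layout are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define METHOD_MAX 64

/* Minimal extraction of the "method" string from one request line.
 * This is a deliberately simplified scan, not a JSON parser; it mirrors
 * how a small embedded RPC handler pulls one field out of a buffer. */
bool extract_method(const char *request, char *out, size_t outlen) {
    const char *key = "\"method\":\"";
    const char *p = strstr(request, key);
    if (!p) return false;
    p += strlen(key);
    const char *end = strchr(p, '"');
    if (!end) return false;
    size_t n = (size_t)(end - p);
    if (n >= outlen) return false;   /* refuse oversized values rather than truncating silently */
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Detection helper: count printf-style directives in an untrusted field.
 * A legitimate method name never contains '%', so a nonzero count is a
 * reliable signal for logging, alerting or rejecting the request. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent, not a directive */
            count++;
        }
    }
    return count;
}

/* THE BUG CLASS (shown only, never executed here):
 *     printf(method);               // attacker controls the format string
 * "%x" walks the stack and leaks values; "%n" performs a write, which is
 * why the advisory's second request terminates the miner.
 *
 * The fix: the untrusted string is an argument, never the format. */
int log_method_safe(const char *method, char *logbuf, size_t logsize) {
    return snprintf(logbuf, logsize, "rpc method=%s", method);
}

/* Handles one request the way a hardened server would: extract the field,
 * reject anything carrying format directives, log with a fixed format.
 * Returns 0 on accept, 1 on malformed request, 2 on rejected request. */
int handle_request(const char *request, char *logbuf, size_t logsize) {
    char method[METHOD_MAX];
    if (!extract_method(request, method, sizeof method)) return 1;
    if (count_format_directives(method) > 0) {
        snprintf(logbuf, logsize, "rejected: format directives in method field");
        return 2;
    }
    log_method_safe(method, logbuf, logsize);
    return 0;
}

int main(void) {
    /* Constructed sample requests: one benign (method name assumed, not the
     * miner's real API) and the two shapes described in the advisory. */
    const char *samples[] = {
        "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"getstat\"}",
        "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%x %x %x %x\"}",
        "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%n\"}",
    };
    char logbuf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = handle_request(samples[i], logbuf, sizeof logbuf);
        printf("rc=%d %s\n", rc, logbuf);
    }
    return 0;
}
```

Compiling native code with -Wformat -Wformat-security makes GCC and Clang flag any printf-family call whose format string is not a literal, which catches the flawed pattern at build time; the directive counter is the runtime complement for a proxy, IDS rule or the server itself, since a method name should never carry a '%' at all.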

Upgrade to version 10.6

Vendor contact timeline:
01/26/18 - Reported to dev
01/26/18 - Confirmed and immediately patched. 10.6 released; request for
3-4 day embargo
01/31/18 - Public Disclosure

Writeup -
