Claymore Dual GPU Miner 10.5 Format String

Credit: res1n
Risk: High
Local: Yes
Remote: No
CWE: CWE-134

Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability
=======================================================================
product: Claymore's Dual Miner
vulnerable version: <= 10.5
fixed version: 10.6
CVE number: CVE-2018-6317
impact: critical
homepage:
found: 2018-01-26
by:
=======================================================================

Vulnerability overview/description:
-----------------------------------
Claymore's Dual GPU Miner 10.5 and below is vulnerable to a format string vulnerability. This allows an unauthenticated remote attacker to read memory addresses or to immediately terminate the mining process, causing a denial of service.

1) By sending a custom request to the JSON API on port 3333 of the remote management service it's possible to leak stack addresses and possibly rewrite stack addresses with %p. I wasn't able to break out of the JSON padding, but someone else may be able to, as %s also dumps string contents.
   example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc 3333 & printf "\n"

2) Sending %n to the JSON API on port 3333 immediately kills the mining process.
   example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 3333 & printf "\n"

Solution
------------------------
Upgrade to version 10.6

Vendor contact timeline:
------------------------
01/26/18 - Reported to dev
01/26/18 - Confirmed and immediately patched. 10.6 released; request for 3-4 day embargo
01/31/18 - Public Disclosure

Writeup -
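The bug class behind this advisory, as an added illustration that is not Claymore's code (the miner is closed source): a hypothetical logging routine that passes the untrusted JSON-RPC "method" value as the format argument, the hardened form that passes it as data, and a directive counter a defender can run on request bodies or log lines at the port 3333 boundary. The function names and the request body are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of CWE-134 as described in the advisory, not
 * the vendor's implementation. The untrusted "method" string becomes the
 * format argument, so %x/%p read stack contents and %n writes memory, which
 * is exactly the leak and the crash the advisory reports. */
int log_method_vulnerable(char *out, size_t out_len, const char *method) {
    return snprintf(out, out_len, method);   /* BUG: untrusted format string */
}

/* Hardened form: a fixed format string; the untrusted value is only data,
 * so "%x %x %x %x" is copied literally and never interpreted. */
int log_method_safe(char *out, size_t out_len, const char *method) {
    return snprintf(out, out_len, "%s", method);
}

/* Defensive check usable in an API handler or a log monitor: count
 * conversion directives in a request body ("%%" is a literal percent and is
 * not counted). A legitimate JSON-RPC method name contains none, so a
 * non-zero count is a reason to reject the request and raise an alert. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

int main(void) {
    /* constructed request body matching the advisory's first example */
    const char *req = "{\"id\":1,\"jsonrpc\":\"1.0\",\"method\":\"%x %x %x %x\"}";
    char buf[128];
    printf("directives in request: %d\n", count_format_directives(req));
    log_method_safe(buf, sizeof buf, "%x %x %x %x");
    printf("safe log line: %s\n", buf);
    return 0;
}
```

Compilers flag the vulnerable form with -Wformat-security; building with -Werror=format-security turns this bug class into a build failure.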

