cbcvebase.
CVE-2017-16929
published 2017-12-05


Priority: P1 · 80 · high
CVSS 3.0: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 12.89% (95.8th percentile)
The remote management interface on the Claymore Dual GPU miner 10.1 is vulnerable to an authenticated directory traversal vulnerability exploited by issuing a specially crafted request, allowing a remote attacker to read/write arbitrary files. This can be exploited via ../ sequences in the pathname to miner_file or miner_getfile.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
claymore_dual_miner_project | claymore_dual_miner | |

Detection & IOCs (extracted from sources)

port: 3333
command: {"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["../../../../../../../etc/passwd"]}
command: {"id":0,"jsonrpc":"2.0","method":"miner_file","params":["../../../../../../../etc/passwd",""]}
filename: EthDcrMiner64.exe
process: EthDcrMiner64.exe
  • Monitor TCP port 3333 for JSON-RPC requests containing '../' sequences in the 'params' field of 'miner_file' or 'miner_getfile' methods, indicating path traversal exploitation attempts.
  • Detect JSON-RPC messages on port 3333 with oversized fields (e.g., 'method', 'psw', or extra fields exceeding ~145000 bytes) which trigger a stack buffer overflow crash in the Claymore miner remote management interface.
  • Alert on JSON-RPC 'miner_file' write requests (params with two elements where the second is a file content string) to detect arbitrary file write attempts via the remote management interface.
  • The buffer overflow is exploitable even in read-only/password-protected mode via the 'extrafield' or 'psw' overflow vectors; a sudden connection reset (RST) from the miner process on port 3333 after sending a large JSON payload is a strong indicator of exploitation.
  • Hunt for the process 'EthDcrMiner64.exe' listening on TCP port 3333 as the vulnerable remote management endpoint for Claymore Dual GPU Miner v10.1.
  • The remote management port (default 3333) can be changed via the '-mport' argument; negative values (e.g., -mport -3333) enable read-only mode, but the buffer overflow vectors ('extrafield', 'psw') are still exploitable in read-only and password-protected modes.
  • The path traversal vulnerability ('miner_file', 'miner_getfile') requires authentication if a password is configured on the miner's remote management interface.
  • Shodan searches for exposed Claymore miner management interfaces (e.g., 'product:eth') can be used to enumerate internet-facing vulnerable instances on port 3333.
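
The detection notes above, as an added example (not code from the original page or from any vendor tool): a Python classifier for raw messages captured on the management port. The `classify` and `has_traversal` functions, the finding labels, and the benign and oversized samples are constructed for illustration; the two traversal requests are the ones quoted on this page.

```python
import json

OVERSIZE_BYTES = 145000  # size the page cites for the overflow; alert lower in practice
FILE_METHODS = {"miner_file", "miner_getfile"}

def has_traversal(value):
    # Backslashes are treated like slashes (assumption: the miner runs on Windows too).
    return isinstance(value, str) and ".." in value.replace("\\", "/").split("/")

def classify(raw: bytes):
    """Return sorted finding labels for one message captured on the management port."""
    findings = set()
    # Size is checked before parsing: an overflow payload need not be valid JSON.
    if len(raw) >= OVERSIZE_BYTES:
        findings.add("oversized-message")
    try:
        msg = json.loads(raw.decode("utf-8", errors="replace"))
    except ValueError:
        findings.add("unparseable")
        return sorted(findings)
    if not isinstance(msg, dict):
        return sorted(findings)
    for key, value in msg.items():
        if isinstance(value, str) and len(value) >= OVERSIZE_BYTES:
            findings.add(f"oversized-field:{key}")  # e.g. 'method' or 'psw'
    method, params = msg.get("method"), msg.get("params")
    if isinstance(method, str) and method in FILE_METHODS and isinstance(params, list):
        if any(has_traversal(p) for p in params):
            findings.add("path-traversal")
        if method == "miner_file" and len(params) == 2:
            findings.add("file-write")  # two params: path plus file content
    return sorted(findings)

# Constructed samples; the two traversal requests are quoted from this page.
SAMPLES = [
    b'{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    b'{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["../../../../../../../etc/passwd"]}',
    b'{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["../../../../../../../etc/passwd",""]}',
    b'{"id":0,"jsonrpc":"2.0","method":"miner_getstat1","psw":"' + b"A" * OVERSIZE_BYTES + b'"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(len(raw), classify(raw) or ["clean"])
```

A `file-write` finding without `path-traversal` still deserves review, since any `miner_file` request with two parameters changes a file on the miner host.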

CVSS provenance

nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd | v2.0 | 8.5 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:N
vulncheck | | 8.1 | HIGH |