CVE-2017-16929
Published 2017-12-05
Priority P180 · high · 8.1 · CVSS 3.0
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS
12.89%
95.8th percentile
The remote management interface on the Claymore Dual GPU miner 10.1 is vulnerable to an authenticated directory traversal vulnerability exploited by issuing a specially crafted request, allowing a remote attacker to read/write arbitrary files. This can be exploited via ../ sequences in the pathname to miner_file or miner_getfile.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| claymore_dual_miner_project | claymore_dual_miner | — | — |
Detection & IOCs
- command: `{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["../../../../../../../etc/passwd"]}`
- command: `{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["../../../../../../../etc/passwd",""]}`
- Monitor TCP port 3333 for JSON-RPC requests containing '../' sequences in the 'params' field of 'miner_file' or 'miner_getfile' methods, indicating path traversal exploitation attempts.
- Detect JSON-RPC messages on port 3333 with oversized fields (e.g., 'method', 'psw', or extra fields exceeding ~145000 bytes) which trigger a stack buffer overflow crash in the Claymore miner remote management interface.
- Alert on JSON-RPC 'miner_file' write requests (params with two elements where the second is a file content string) to detect arbitrary file write attempts via the remote management interface.
- The buffer overflow is exploitable even in read-only/password-protected mode via the 'extrafield' or 'psw' overflow vectors; a sudden connection reset (RST) from the miner process on port 3333 after sending a large JSON payload is a strong indicator of exploitation.
- Hunt for the process 'EthDcrMiner64.exe' listening on TCP port 3333 as the vulnerable remote management endpoint for Claymore Dual GPU Miner v10.1.
- The remote management port (default 3333) can be changed via the '-mport' argument; negative values (e.g., -mport -3333) enable read-only mode, but the buffer overflow vectors ('extrafield', 'psw') are still exploitable in read-only and password-protected modes.
- The path traversal vulnerability ('miner_file', 'miner_getfile') requires authentication if a password is configured on the miner's remote management interface.
- Shodan searches for exposed Claymore miner management interfaces (e.g., 'product:eth') can be used to enumerate internet-facing vulnerable instances on port 3333.
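The three request-level checks above (traversal in `miner_file`/`miner_getfile`, `miner_file` writes, oversized fields) written as one classifier over captured requests. This is an added example, not code from this page or its sources; it assumes one JSON request per captured line, and `classify`, `scan`, the alert tags and the sample traffic are constructed for illustration, with the threshold taken from the page's approximate figure.

```python
import json

TRAVERSAL_METHODS = {"miner_file", "miner_getfile"}
OVERSIZE_BYTES = 145_000  # approximate size the page ties to the overflow crash

def _strings(value):
    """Yield every string (object keys included) in a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from _strings(list(value) + list(value.values()))
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)

def classify(raw):
    """Return alert tags for one raw request (bytes) seen on the management port."""
    try:
        msg = json.loads(raw.decode("utf-8", errors="replace"))
    except (ValueError, RecursionError):
        # Malformed input still matters when it is large enough to hit the overflow.
        return ["oversized"] if len(raw) >= OVERSIZE_BYTES else []
    if not isinstance(msg, dict):
        return []
    alerts = ["oversized"] if any(len(s) >= OVERSIZE_BYTES for s in _strings(msg)) else []
    method, params = msg.get("method"), msg.get("params")
    if isinstance(method, str) and method in TRAVERSAL_METHODS \
            and isinstance(params, list) and params:
        # Normalise backslashes: the miner also runs on Windows (EthDcrMiner64.exe).
        if ".." in str(params[0]).replace("\\", "/").split("/"):
            alerts.append("traversal")
        if method == "miner_file" and len(params) == 2:
            alerts.append("file_write")
    return alerts

# Constructed sample traffic: a routine stats poll, the two requests quoted on
# this page, and a request carrying an oversized 'psw' field.
SAMPLE = [
    b'{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    b'{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["../../../../../../../etc/passwd"]}',
    b'{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["../../../../../../../etc/passwd",""]}',
    json.dumps({"id": 0, "method": "miner_getstat1", "psw": "A" * OVERSIZE_BYTES}).encode(),
]

def scan(lines):
    """Return (index, tags) for every request that raised at least one alert."""
    return [(i, tags) for i, raw in enumerate(lines) if (tags := classify(raw))]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE):
        print(index, ",".join(tags))
```

A `miner_file` request with two parameters is tagged `file_write` even without traversal, since the page treats any write through the management interface as worth an alert.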
CVSS provenance
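| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 8.5 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:N |
| vulncheck | — | 8.1 | HIGH | — |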
GHSA
ghsa_unreviewed·2022-05-17
CVE-2017-16929 [HIGH] CWE-119 GHSA-47pp-3c28-cj5x: The remote management interface on the Claymore Dual GPU miner 10
VulnCheck
claymore_dual_miner_project claymore_dual_miner Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2017·CVSS 8.1
CVE-2017-16929 [HIGH] claymore_dual_miner_project claymore_dual_miner Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: claymore_dual_miner_project claymore_dual_miner
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet
- http://www.openwall.com/lists/oss-security/2017/12/04/3
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929
- https://www.exploit-db.com/exploits/43231/