Vulnerability Details : CVE-2017-16929
The remote management interface on the Claymore Dual GPU miner 10.1 is vulnerable to an authenticated directory traversal vulnerability exploited by issuing a specially crafted request, allowing a remote attacker to read/write arbitrary files. This can be exploited via ../ sequences in the pathname to miner_file or miner_getfile.
Vulnerability category: Overflow, Directory traversal
Products affected by CVE-2017-16929
- cpe:2.3:a:claymore_dual_miner_project:claymore_dual_miner:10.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-16929
1.05%: Probability of exploitation activity in the next 30 days
~84%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-16929
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.5 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:N | 8.0 | 9.2 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 2.8 | 5.2 | NIST | |
CWE ids for CVE-2017-16929
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-16929
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929
  pub/pocs/cve-2017-16929 at master · tintinweb/pub · GitHub (Third Party Advisory)
- https://www.exploit-db.com/exploits/43231/
  Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Traversal (Exploit; Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2017/12/04/3
  oss-security - CVE-2017-16930 - Claymore's Dual Ethereum Miner unauth stack buffer overflow in remote management interface (Mailing List)