Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz - page 2. (Read 25842 times)

Feel free to decompile it, and PM me the results.
We'll compare the source with your results then ;-)

I lol'ed...
Your exe is actually an sfx rar containing,among others, two other exe : your AutoIt protection(?) and your .net exe that can be fully decompiled with dotpeek or ILSpy !
For a pentesting expert, you could have done a better job !

Good luck, the tool will not display any results when the detection module is shut down, or when running in VMware environments.

If you doubt my credibility, feel free, but once again, stop spamming my topic because you can't read it blocks in virtual environments to prevent abuse.

The security build in can not be bypassed.

I've played a little bit more with your tool...
I managed to remove your AutoIt exe from my XP vm, easily bypass it when lauching your tool and finally run your tool.

So now i'm waiting actual miner opinion but you've lost all credibility !

Yes i can explain. This will not even run in VM.

AutoIT creates a local file for monitoring against network sniffers / other suspicious files running at the same time.
When detected, it kills the application.

As long as your Antivirus/malware scanner/firewall does not go bezerk, no need to worry ;-)

EDIT: XP ?? You need .NET framework 4 to run it...

Ok, just a quick analysis... And I have a few question...

Can you explain why you need to create an hidden directory in the user profile dir ? (named "raklr")
Can you explain what the files in this directory are made for ?
Can you explain why do you need to autostart fg0ezkfEkds5.exe ?

The tool didn't even started in my XP vm !

My quick conclusion : this is VERY sispicious...

I finished compiling my "Proof of Concept" application to allow you to test out the exploits on you OWN miners.

Just run the "minerProof.exe" file. It will scan your network, revealing all your devices into your LAN.
Each device will get it's own node in the treelist. When expanding your device, it will show you all information, included all known exploits about it!

Once you get your miner (Knc will show up as server lighttpd), expand the list to "firmware". It will list the executed exploit result.

After finding all devices, the software will scan your network to idendify if your are remotely vulnerable or not.
It will also give you solutions if a security risk has been found on your network.

This application has been tested with Knc jupiter, AntMiner's, cgminer and bfgminer, running on Windows 8.1 x64.

Application restrictions: ONLY your OWN subnet can be scanned ! When network sniffing is detected, the application will auto shut down!

Antivirus results: Scanned with MetaScan, file is clean 39/40 antivirus scanners. I have one false positive out of 40 with a minor AV vendor.
The file is CLEAN !! If 39 of the biggest AV vendors show it's clean, it IS clean!

Note: The false positive is triggered by the sub that detects network sniffing and shuts the application down.

AV scan result: https://www.metascan-online.com/en/scanresult/file/d79999b0cbd74e978fc4dfee6d3bc0ef

If you don't trust the files, than simply don't download or run them.

If you find an exploit on your system, then please patch up using the solutions provided, and post your exploit in this topic to prove the concept of it!!

File download URL: https://mega.co.nz/#!FNIlSL5Q!5SVBuSNrXkT5ckXmdK7Fews0-avozcE8QcL4_acjHss | minerProofOfConcept.zip | 1.1Mb

If you have problems using the tool, please write me a PM, but dont spam this topic with questions about it.


JUST TO BE CLEAR

Decompiling the executable, or the DLL file will NOT give you what you are looking for.
These are only to run the network scan.

AutoIT is used to execute the actual exploit, and detect modifications, scanners, sniffers, decompilers, and virtual boxes.

If ANY of these is detected, the application will shut down, and the REAL injection script is terminated, destroyed and melted.

USE THIS TOOL FOR WHAT IS HAS BEEN DESIGNED FOR!!

This tool is a PROOF OF CONCEPT about build-in exploits in most miner hardware rigs.

If you feel the need to run it sandboxed, virtual, or with an active scanner/sniffer/decompiler/debugger, than your intentions are NOT to test your enviroment, thus the file gets destroyed.

I received a ton load of PM's about security issues, and this is the best solution to prevent idiots trying to hack someone else's miners.

At most, i can compile everything into some DLL files. That way you make the executable file yourself, and just call my API.

I doubt steve trusts me with it, but if he wants someone to vet his exploit, I would do it. In fact, I already have a good idea of how exactly he did it, but I don't have a Jupiter/Mercury/Saturn/Neptune to try it on.

Well, KnC DID upgrade their firmware, so i guess that proves enough to me.
I'm sorry, i can not post more "proof" on a public forum. Unlike others, i do care about general security.

And yes, you are wrong about the scanning part.
And no, i did not find a 0day. It's already known, exploited and documented long before my post.

But then, once again, feel free to skip this thread.
I'm not posting this to have flamewars about who is right and who is wrong.
This behaviour is mostly the reason why i don't make any more efforts to patch up the new exploit.

I tought i could help the community, but this forum just seems to be a bunch of bashing kids.
Every topic someone posts, the entire forum screams "fake", "scammer", etc. Why is this?

Read for exemple the KnC intro topic. Same there. All fake and scam. Then why are you all still here....

So you found a 0day in lighttpd mod_auth ? I don't think so...
I can be wrong but considering your posts in this thread (password bruteforce, nobody user, your miner directly connected to WAN, etc..), until you post something that can prove what you are saying, I can't take you seriously !

Again, I can be wrong but the only shared thing i can think of is cgminer. It doesn't open port for listening so again, i can't take you seriously...


I'm sorry but, to my eyes, you're are no longer credible...

I think you need to stop blaming for for getting 5 Th/s hacked, and me, while driving, looking at my 4" cellphone screen trough SSH who was logged in at that exact moment, and in between that, posting details here on the forum...

So yes, i mistaked the nodoby user at that time.

Way to get sucked into this.. steve15 may have done some good but this is the same guy telling everyone a "nobody" user was a sign the system was hacked.. Point being even the most basic security concepts were beyond him even though he is a claimed professional pen tester.

I initially gave credit as well but while his core point was quite valid and he did stumble onto a weakness in the system the demonstrated lack of understanding behind some key fundamentals puts many of the unsubstantiated claims to question given he stated over and over again he is a professional pen tester.

Now you are using unverified statement after unverified statement as a set of facts and jumping to conclusions which are completely unsubstantiated..

Now that's pretty badass from KnC. Lame money hogs...

There is one strong argument a customer always has: let your wallet speak out loud! Every company understands this well. Unfortunately it's only effective if used in some form of customer's consensus, which is apparently the weak point. Being consequent is quite hard, especially when the market and competition are small.

Thank you sir!

KnC used my custom firmware and released it as their own a couple of days after submitting my work to them.
I dont need credit or so, but at least a 'thank you' would show some respect.

But the bitter truth is that most company's only care about your money.

zmap, masscan, or any other scanner just scans ports. I have a homemade tool that scans the entire net for "some" responses, that expose every miner online (knc, Ant, BFL, ....) in about 4 hour

Since i made this post, no single ShodanHQ found miner is vulnerable since then. Job well done i guess!
But then, Shodan is not a great tool or scanner. It just finds miners "by accident", not intentioned. It only has about 140 results, i get over 8000 results...


XSS has little to do with the latest exploit. I just stated that their new firmware is vulnerable to XSS exploits.


I agree. But that is KnC's default configuration, so as for many many many online miners


The 'fix' has been submitted to KnC together with my detailed report. I even wrote an entire new firmware for them. They took it, modified it for some reason, and published it online.
Because they modified it, it now has a critical exploit, spilling out the username + pwd without loggin in first.

So, i patched up their FW, gave a temporary fix by posting this (shows in the Shodan results, before post = 84 exploitable, now 0), and my PoC is far more than just a PoC
It will also scan your entire network, hooked up to the Metasploit DB for showing your network weak spots.

And, if you dont like closed source, then don't download it. It's not about my safety, but the safety of an entire community.

Anyone who puts a mining machine on their WAN instead of their LAN will be hacked. Simple as.

Posting the fix won't help much as this will reveal most of the vital details to be abused as an exploit.

The true shame is the completely unprofessional behavior of KnC. steve15 did invest some work, he uses Jupiters for own mining. Even if someone else emailed details to KnC earlier than him, KnC should respond in a way more professional way than they did. They should take the opportunity to speak with steve15 and use his work and details for some well invested refund and exchange for knowledge that KnC apparently lacks or doesn't care about.

I don't own KnC hardware but if I were to own a single piece I would constantly shout and scream at KnC. So many companies care a shit on security and their customers, expose them in a way which is unbelievable and KnC is just one of them. How lame is this!

OK, the customer too has a responsibility, sure. Mining isn't child's play, you should exactly know what you are doing and how you setup your gear. Seems like greed makes miners sooo blinded.


@KnC: Act more responsible and professional, your customers deserve it!

People debugging your code will probably happen.
If the file itself its well encrypted and cant be debugged probably you can still sniff the network traffic and see how its working.

Also I dont like this closed source, you know it all or tipping attempt thing, so here it is what I have found based on your posts only, to everyone not just KnC.

You said to scan the internet using some kind of tool, later an user posted some data from shodanq(with shodanq you can easily find those subnet addresses with dozens of miners), you said it was a bad tool, so your probably speaking about zmap or masscan (scan the internet in 1 hour).

About the digest bypass, im not sure but you gave some clues like XSS, so probably some new file (check new commits at github) is vulnerable to something like this

The cgminer vulnerability its not a vulnerability since there is no security to break, port 4028 open in router+api-listen+api-allow=dumbest thing, since everyone can easily monitor your miners or even change pools with switchpool().


Said this, sorry admin for the content of the reply, what I really want to talk about is how to fix it/patch it.

Instead of posting a PoC why dont you post a fix, temporary fix, patch or whatever, way more usefull and no one will call you a scammer

I had this issue on my mind already. I have only one option to prevent this from happening;

I obfuscate my code, and crypt the executable, making the code non reversible, undebugable, thus preventing to 'trick' it and use it for evil purposes.

But here's the bit but part:

When crypting an executable, 4/35 virusscanners will give me a false positive because of certain things, specific the Cgminer DLL and the encrypted source.
Yes, most of us know that cgminer itself is considered a 'trojan', using bitdefender. (just download it and try yourself  )

But i can not put a file for download that gives false positive AV alert out here, the entire forum will scream and shout that i'm a scammer or so.
Even if it is only 4/35 virusscanners giving false positives.

So, can i make my code so closed that abusing it becomes impossible?

Yes, but at the risk of being blamed and shamed as a scammer for putting a (possible) false positive AV scan file up.

So do i prefer to be named a scammer, or do i prefer to prevent massive scale abuse of the systems?

Maybe, i'll just put it up as-is, warning about the false positives, and hope people trust me.
On the other hand, i think the chances of someone debugging, or reverse engineering my application, are way smaller than someone calling me a scammer.

So, we'll see !