Pages:
Author

Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz - page 7. (Read 25848 times)

member
Activity: 70
Merit: 10
Mod note: This is probably an elaborate scam to trick you into downloading malware https://bitcointalksearch.org/topic/m.4807591 You should still not expose miners to public internet though

EDIT: SEE PAGE 5 FOR MY PROVE OF CONCEPT APPLICATION
Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a higly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response
Code:
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.

2: Cricial information remains hidden for public, but the http digest can be bypassed with ease.

3: Run basic HTTP bruteforce. Since the digest is bypassed, i can run unlimited bruteforce attempts.
Within a timespan of 20 minutes, i managed to bruteforce 28 miners !! (Most of them poor passwords tough)

Now comes the fun part...

Login using SSH. If the SSH port is not enabled, simply login to the web console and enable it.

The source code of
Code:
factory_config_reset.sh
tells us exactly what we need.

VI (edit) the default factory files, as found in the factory reset code, making a second login inside the factory reset files.

The digest file requires you a special hash to create the password. This can be done using special tools, but for safety reasons, i will not go further on this part in public.

Alter these files to gain access after factory reset

Code:
/etc/shadow.factory
Code:
/etc/lighttpd.htdigest.user

Now remove all the default credentials in the factory files, making it impossible to login using the default admin:admin for the owner

RUN THE FACTORY RESET...

And enjoy your personal miner, that just became unusable to the owner, since he can no longer login.

Disclaimer:

I intend to do no harm. No miner has ever been in my control, or ever will be. I just expose this threat to put pressure on KnC to hurry their firmware upgrade.
Do not ask or PM me for information about this hack, it will not be provided !! Only KNC has the entire manual !


Note to all KnC miners out there: Please change your passwords to long, safe password!
If needed, simply hashing your firstname to MD5 will do the trick to scare away hackers.

PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!


Greetings!!

EDIT: Email to KnC

Quote
Hello KnC team,

As you might picked up on bitcointalk.org, i managed to successfully scan and exploit KnC Miner configuration software running on all your miners.
Attachted is my HowTo, showing you how i managed to succeed in this hack.

I feel, as a software developer and penetration tester, that you do not take user security in account with your services.
The only thing you care about, is selling hardware. What happens with it, seems to be the least of your concerns.

You should now that the user is always the weakest security, but instead of anticipating on that, you go with that flow.

I did not post exactly how i did it on the forum for security reasons, but however, i urge you to push a new firmware closing up those holes.
Holidays or not, i will expose the detailed howto on bitcointalk.org on January 1st 2014 at 12h00.

Once this exploit go public, you will receive a lot of complaints and behalf of your clients, and loose lots of trust in the general public.
If you have not patched your firmware, this will confirm my statement that you do not carry about user security.

I can only imagine all blogs picking up that posts just before Neptune delivery...

I just created a custom firmware patching all the security flaws, it took me about one hour.
So surely, your developers can do the trick also.

For the sake of the general public, who have put their trust and funds in you, please patch up your firmware!!

EDIT: SEE PAGE 5 FOR MY PROVE OF CONCEPT APPLICATION


Pages:
Jump to: