Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2014-6251 : Stack Overflow in CPUMiner When Submitting Upstream Work

From: Mick Ayzenberg <mick () dejavusecurity com>
Date: Mon, 06 Oct 2014 18:29:05 -0700
Vulnerability title: Stack Overflow in CPUMiner When Submitting Upstream
Work
CVE: CVE-2014-6251
Affected version: CPUMiner before 2.4.1
Reported by: Mick Ayzenberg of Deja vu Security

Details:

A malicious pool or an attacker who is in the middle of a valid
stratum connection can respond to a 'mining.subscribe' and instruct a
miner to use a large nonce2 length.

The attacker can then instruct the miner to generate blocks with a
standard 'mining.notify' request. Once the miner has discovered a
valid block it will attempt to copy this large nonce into a fixed size
character array and overflow into stack memory.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: