Bitcoin Forum
1  Alternate cryptocurrencies / Mining (Altcoins) / Hacking ASIC Innosilicon Miner on: February 19, 2018, 08:22:18 PM
A vulnerability in Innosilicon ASIC miners allows you to bypass the administrator password check and change the pool settings.
The attack is done through the web panel. By default, you need to go to the /html/generalsetup.html page to configure the pool; if you were not previously authorized, you will be automatically transferred to the /html/login.html login page.
When examining the pool settings page /html/generalsetup.html, the following code was found:
Code:
var islogin = getcookie('login');
if(!islogin){
    window.location.href='login.html';
}

This JavaScript code checks for the presence of the 'login' cookie in the user's browser; if the cookie is not present, it redirects to the login page.
By adding the cookie name = 'login' value = 'true' manually, you can bypass the administrator password check and change the pool settings.
This vulnerability exists on all versions of Innosilicon ASIC firmware with this interface:


To search for ASIC, it is possible to use censys.io with the query 'Miner Console'


Please donate:
BTC 1DJKmpCVGqyDZ2XgjQxKJgVa7V1JrJ3qAj
LTC LgAJKkXT8GHSdwbb3qVWkaWfJbgLxetfqH
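
The check quoted in the post runs in the browser, where the client controls the cookie value. As an added example (not code from the original post or from the Innosilicon firmware), here is the same presence check beside a server-side session check that a settings endpoint could enforce; the function names, the `session` cookie name, the secret handling and the 15-minute lifetime are all assumptions.

```javascript
// Added example: server-side session validation (Node.js standard library only).
const crypto = require('crypto');

// Assumption: a per-device secret generated on the device and never sent to the browser.
const SECRET = crypto.randomBytes(32);
const TTL_MS = 15 * 60 * 1000; // assumed session lifetime

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The pattern from the post: presence of a client-chosen value.
// Any client can set it, so it proves nothing about a password check.
function weakIsAuthorized(cookieHeader) {
  return Boolean(parseCookies(cookieHeader).login);
}

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called only after the server itself has verified the administrator password.
function issueSession(now = Date.now()) {
  const payload = `${crypto.randomBytes(16).toString('hex')}.${now + TTL_MS}`;
  return `${payload}.${sign(payload)}`;
}

// Gate every settings request on this, whatever the page's JavaScript does.
function strongIsAuthorized(cookieHeader, now = Date.now()) {
  const token = parseCookies(cookieHeader).session || '';
  const cut = token.lastIndexOf('.');
  if (cut < 0) return false;
  const payload = token.slice(0, cut);
  const mac = Buffer.from(token.slice(cut + 1), 'hex');
  const expected = Buffer.from(sign(payload), 'hex');
  // Constant-time comparison; a length mismatch is rejected before comparing.
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) return false;
  const expiry = Number(payload.split('.')[1]);
  return Number.isFinite(expiry) && now < expiry;
}
```

The session cookie would also be set with the `HttpOnly` attribute so page scripts cannot read it.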