Bitcoin Forum
Author Topic: Hacking ASIC Innosilicon Miner  (Read 163 times)
bbritva
February 19, 2018, 08:22:18 PM
Merited by vapourminer (1)
 #1

A vulnerability in Innosilicon ASIC miners allows you to bypass the administrator password check and change the pool settings.
The attack is done through the web panel. By default, you need to go to the /html/generalsetup.html page to configure the pool; if you were not previously authorized, you will be automatically transferred to the /html/login.html login page.
When examining the pool settings page /html/generalsetup.html, the following code was found:
Code:
var islogin = getcookie('login');
if(!islogin){
    window.location.href='login.html';
}

This JavaScript code checks for the presence of the 'login' cookie in the user's browser; if the cookie is not present, it redirects to the login page.
By adding the cookie name = 'login' value = 'true' manually, you can bypass the administrator password check and change the pool settings.
This vulnerability exists on all versions of Innosilicon ASIC firmware with this interface:
http://ipic.su/img/img7/fs/asic.1519071360.jpg

To search for ASIC, it is possible to use censys.io with the query 'Miner Console'
http://ipic.su/img/img7/fs/minerconsole.1519071271.jpg

Please donate:
BTC 1DJKmpCVGqyDZ2XgjQxKJgVa7V1JrJ3qAj
LTC LgAJKkXT8GHSdwbb3qVWkaWfJbgLxetfqH
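
The fix for the check described in the post above is to enforce the login on the server for every settings request. The sketch below is an added example, not part of the original post and not Innosilicon firmware code; the function names, the `session` cookie name and the 15-minute lifetime are assumptions, and the post's presence-only check is modelled beside it for comparison.

```javascript
// Added example, not Innosilicon firmware code. All names are hypothetical.
const crypto = require('crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;   // assumed session lifetime
const sessions = new Map();              // token -> expiry (ms); lives on the server only

// Parse a Cookie request header into { name: value }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The check from the post, modelled for comparison: the mere presence of a
// client-supplied 'login' cookie is treated as proof of authentication.
function presenceOnlyCheck(cookieHeader) {
  return Boolean(parseCookies(cookieHeader).login);
}

// Call only after the password has been verified on the server.
function createSession(now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // unguessable, 256 bits
  sessions.set(token, now + SESSION_TTL_MS);
  return token;
}

// A cookie counts only if its value is a token this server issued and it has not expired.
function isAuthenticated(cookieHeader, now = Date.now()) {
  const token = parseCookies(cookieHeader).session;
  const expiry = token ? sessions.get(token) : undefined;
  if (expiry === undefined) return false;
  if (expiry <= now) { sessions.delete(token); return false; }
  return true;
}

// Gate every state-changing request (such as saving pool settings) on the server,
// so that skipping the page's JavaScript changes nothing.
function handlePoolUpdate(req) {
  if (!isAuthenticated(req.headers.cookie)) return { status: 401, body: 'login required' };
  return { status: 200, body: 'pool settings saved' };
}
```

The redirect in the page's script can stay as a convenience, but the 401 from the server is what actually protects the pool settings.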
ccgllc
February 20, 2018, 07:18:32 PM
 #2

Good info.

Bitmain Antminers are just as bad, with the API userid/password & port hardcoded into the firmware.

It is why you NEVER want to run an Antminer (or apparently an Innosilicon) directly connected to the Internet.  It will be hacked and mining for others within minutes.

Mined for a living since 2017.  Primary developer of Bitcoin Rebooted (https://www.bitcoin-rebooted.xyz)
Blokforge Affiliate:  https://blokforge.com/?ref=21
Linux admin since 0.96 kernel and Slackware distributions on (4) floppies...