KnC Miner : Security hacked - UPDATE with TOOL admin remove plz

[steve15]

Mod note: This is probably an elaborate scam to trick you into downloading malware https://bitcointalk.org/index.php?topic=392166.msg4807591#msg4807591 You should still not expose miners to public internet though

EDIT: SEE PAGE 5 FOR MY PROVE OF CONCEPT APPLICATION
Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a higly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response

Code:

WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.

2: Cricial information remains hidden for public, but the http digest can be bypassed with ease.

3: Run basic HTTP bruteforce. Since the digest is bypassed, i can run unlimited bruteforce attempts.
Within a timespan of 20 minutes, i managed to bruteforce 28 miners !! (Most of them poor passwords tough)

Now comes the fun part...

Login using SSH. If the SSH port is not enabled, simply login to the web console and enable it.

The source code of

Code:

factory_config_reset.sh

tells us exactly what we need.

VI (edit) the default factory files, as found in the factory reset code, making a second login inside the factory reset files.

The digest file requires you a special hash to create the password. This can be done using special tools, but for safety reasons, i will not go further on this part in public.

Alter these files to gain access after factory reset

Code:

/etc/shadow.factory

Code:

/etc/lighttpd.htdigest.user

Now remove all the default credentials in the factory files, making it impossible to login using the default admin:admin for the owner

RUN THE FACTORY RESET...

And enjoy your personal miner, that just became unusable to the owner, since he can no longer login.

Disclaimer:

I intend to do no harm. No miner has ever been in my control, or ever will be. I just expose this threat to put pressure on KnC to hurry their firmware upgrade.
Do not ask or PM me for information about this hack, it will not be provided !! Only KNC has the entire manual !


Note to all KnC miners out there: Please change your passwords to long, safe password!
If needed, simply hashing your firstname to MD5 will do the trick to scare away hackers.

PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!


Greetings!!

EDIT: Email to KnC

Hello KnC team,

As you might picked up on bitcointalk.org, i managed to successfully scan and exploit KnC Miner configuration software running on all your miners.
Attachted is my HowTo, showing you how i managed to succeed in this hack.

I feel, as a software developer and penetration tester, that you do not take user security in account with your services.
The only thing you care about, is selling hardware. What happens with it, seems to be the least of your concerns.

You should now that the user is always the weakest security, but instead of anticipating on that, you go with that flow.

I did not post exactly how i did it on the forum for security reasons, but however, i urge you to push a new firmware closing up those holes.
Holidays or not, i will expose the detailed howto on bitcointalk.org on January 1st 2014 at 12h00.

Once this exploit go public, you will receive a lot of complaints and behalf of your clients, and loose lots of trust in the general public.
If you have not patched your firmware, this will confirm my statement that you do not carry about user security.

I can only imagine all blogs picking up that posts just before Neptune delivery...

I just created a custom firmware patching all the security flaws, it took me about one hour.
So surely, your developers can do the trick also.

For the sake of the general public, who have put their trust and funds in you, please patch up your firmware!!

EDIT: SEE PAGE 5 FOR MY PROVE OF CONCEPT APPLICATION

[ArpFlush]

I don't have a KNC but thank you for the info. Other miners maybe vulnerable too and a really good password is a must. I'm not a network expert but hiding your miner hardware behind a router is a great idea IMHO. So thanks 

[kano]

... API ...

[1l1l11ll1l]

And everyone thought this was HashFast, well played OP!

http://eligius.st/~wizkid057/newstats/userstats.php/1Nbq2XZaRsKknf5fcT2wTXvBS31PaUWSeX

[Soros Shorts]

PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!

It also goes without saying that you should not use port forwarding direct to the miner (for remote access) when using a router. I have heard of some people doing this. Best to use some kind of intermediate jump box that can be locked down more securely than the beagle bone.

[vpasic]

And everyone thought this was HashFast, well played OP!

http://eligius.st/~wizkid057/newstats/userstats.php/1Nbq2XZaRsKknf5fcT2wTXvBS31PaUWSeX

LMFAO!!!

[traiz]

Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a higly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response

Code:

WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.

2: Cricial information remains hidden for public, but the http digest can be bypassed with ease.

3: Run basic HTTP bruteforce. Since the digest is bypassed, i can run unlimited bruteforce attempts.
Within a timespan of 20 minutes, i managed to bruteforce 28 miners !! (Most of them poor passwords tough)

Now comes the fun part...

Login using SSH. If the SSH port is not enabled, simply login to the web console and enable it.

The source code of

Code:

factory_config_reset.sh

tells us exactly what we need.

VI (edit) the default factory files, as found in the factory reset code, making a second login inside the factory reset files.

The digest file requires you a special hash to create the password. This can be done using special tools, but for safety reasons, i will not go further on this part in public.

Alter these files to gain access after factory reset

Code:

/etc/shadow.factory

Code:

/etc/lighttpd.htdigest.user

Now remove all the default credentials in the factory files, making it impossible to login using the default admin:admin for the owner

RUN THE FACTORY RESET...

And enjoy your personal miner, that just became unusable to the owner, since he can no longer login.

Disclaimer:

I intend to do no harm. No miner has ever been in my control, or ever will be. I just expose this threat to put pressure on KnC to hurry their firmware upgrade.
Do not ask or PM me for information about this hack, it will not be provided !! Only KNC has the entire manual !


Note to all KnC miners out there: Please change your passwords to long, safe password!
If needed, simply hashing your firstname to MD5 will do the trick to scare away hackers.

PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!


Greetings!!

EDIT: Email to KnC

Hello KnC team,

As you might picked up on bitcointalk.org, i managed to successfully scan and exploit KnC Miner configuration software running on all your miners.
Attachted is my HowTo, showing you how i managed to succeed in this hack.

I feel, as a software developer and penetration tester, that you do not take user security in account with your services.
The only thing you care about, is selling hardware. What happens with it, seems to be the least of your concerns.

You should now that the user is always the weakest security, but instead of anticipating on that, you go with that flow.

I did not post exactly how i did it on the forum for security reasons, but however, i urge you to push a new firmware closing up those holes.
Holidays or not, i will expose the detailed howto on bitcointalk.org on January 1st 2014 at 12h00.

Once this exploit go public, you will receive a lot of complaints and behalf of your clients, and loose lots of trust in the general public.
If you have not patched your firmware, this will confirm my statement that you do not carry about user security.

I can only imagine all blogs picking up that posts just before Neptune delivery...

I just created a custom firmware patching all the security flaws, it took me about one hour.
So surely, your developers can do the trick also.

For the sake of the general public, who have put their trust and funds in you, please patch up your firmware!!

Aren't the details already public?
Correct me if I'm wrong, but aren't you in effect trying to create a custom rom like bertmod?
The hash information is already out there...

[steve15]

No, the details are not public yet.
There is a significant difference in making a custom rom, and explaining how you can gain access to thousands of remote miners out there.

Custom ROM is intented to use on your own hardware.

My hack is intented to remotely control another miner, making it useless to the owner, since he can no longer login.

[traiz]

No, the details are not public yet.
There is a significant difference in making a custom rom, and explaining how you can gain access to thousands of remote miners out there.

Custom ROM is intented to use on your own hardware.

My hack is intented to remotely control another miner, making it useless to the owner, since he can no longer login.

Ok.
But just wanted to check its different than brute-forcing the credentials of the remote miner
And loading your custom rom on it.

And would like to confirm that a true factory reset (not software - but the physical hold for 5 seconds to load image from rom, etc)
is unable to restore the miner to its default.

[steve15]

No, the details are not public yet.
There is a significant difference in making a custom rom, and explaining how you can gain access to thousands of remote miners out there.

Custom ROM is intented to use on your own hardware.

My hack is intented to remotely control another miner, making it useless to the owner, since he can no longer login.

Ok.
But just wanted to check its different than brute-forcing the credentials of the remote miner
And loading your custom rom on it.

And would like to confirm that a true factory reset (not software - but the physical hold for 5 seconds to load image from rom, etc)
is unable to restore the miner to its default.

Code:

DESCRIPTION = "Daemon to monitor power button"
LICENSE = "GPL"
LIC_FILES_CHKSUM = "file://COPYING;md5=d41d8cd98f00b204e9800998ecf8427e"

SRC_URI = "file://monitor-pwbtn.c \
        file://init \
        file://factory_config_reset.sh \
        file://COPYING \
"

S = "${WORKDIR}"

do_compile() {
        make monitor-pwbtn
}

do_install() {
        install -d ${D}${bindir}
        install -m 0755 ${WORKDIR}/monitor-pwbtn ${D}${bindir}
        install -m 0755 ${WORKDIR}/factory_config_reset.sh ${D}${bindir}

        install -d ${D}${sysconfdir}/init.d
        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/monitor-pwbtn
        update-rc.d -r ${D} monitor-pwbtn start 70 S .
}

A 'true' factory reset does exactly the same on sofware level then a 'software' factory reset
Just some minor details change, the miner connects to a server of KnC to get some info, that's it.

[philipma1957]

Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a higly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response

Code:

WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.

2: Cricial information remains hidden for public, but the http digest can be bypassed with ease.

3: Run basic HTTP bruteforce. Since the digest is bypassed, i can run unlimited bruteforce attempts.
Within a timespan of 20 minutes, i managed to bruteforce 28 miners !! (Most of them poor passwords tough)

Now comes the fun part...

Login using SSH. If the SSH port is not enabled, simply login to the web console and enable it.

The source code of

Code:

factory_config_reset.sh

tells us exactly what we need.

VI (edit) the default factory files, as found in the factory reset code, making a second login inside the factory reset files.

The digest file requires you a special hash to create the password. This can be done using special tools, but for safety reasons, i will not go further on this part in public.

Alter these files to gain access after factory reset

Code:

/etc/shadow.factory

Code:

/etc/lighttpd.htdigest.user

Now remove all the default credentials in the factory files, making it impossible to login using the default admin:admin for the owner

RUN THE FACTORY RESET...

And enjoy your personal miner, that just became unusable to the owner, since he can no longer login.

Disclaimer:

I intend to do no harm. No miner has ever been in my control, or ever will be. I just expose this threat to put pressure on KnC to hurry their firmware upgrade.
Do not ask or PM me for information about this hack, it will not be provided !! Only KNC has the entire manual !


Note to all KnC miners out there: Please change your passwords to long, safe password!
If needed, simply hashing your firstname to MD5 will do the trick to scare away hackers.

PLEASE USE A ROUTER INSTEAD OF DIRECT INTERNET ACCESS !!!


Greetings!!

EDIT: Email to KnC

Hello KnC team,

As you might picked up on bitcointalk.org, i managed to successfully scan and exploit KnC Miner configuration software running on all your miners.
Attachted is my HowTo, showing you how i managed to succeed in this hack.

I feel, as a software developer and penetration tester, that you do not take user security in account with your services.
The only thing you care about, is selling hardware. What happens with it, seems to be the least of your concerns.

You should now that the user is always the weakest security, but instead of anticipating on that, you go with that flow.

I did not post exactly how i did it on the forum for security reasons, but however, i urge you to push a new firmware closing up those holes.
Holidays or not, i will expose the detailed howto on bitcointalk.org on January 1st 2014 at 12h00.

Once this exploit go public, you will receive a lot of complaints and behalf of your clients, and loose lots of trust in the general public.
If you have not patched your firmware, this will confirm my statement that you do not carry about user security.

I can only imagine all blogs picking up that posts just before Neptune delivery...

I just created a custom firmware patching all the security flaws, it took me about one hour.
So surely, your developers can do the trick also.

For the sake of the general public, who have put their trust and funds in you, please patch up your firmware!!

Quite frankly after   read this I think you owe  coins to us on this thread:

https://bitcointalk.org/index.php?topic=334360.0

I believe you screwed up our 2 miners
we have a 2-3 day coin less gap

https://blockchain.info/address/19NAwha8LGpRFEBwRgjH5ZMB9YyXeqyY9V

https://blockchain.info/address/13fGQGmb6Xi576ppJTkeXk34yDDRmvxjm4

 (Eleuthria )
this direct appeared on both out payout addresses and we lost coins..  the timing matches to your playing around with out 2 miners  along with 1100 other miners.

[steve15]

Quite frankly after   read this I think you owe  coins to us on this thread:

https://bitcointalk.org/index.php?topic=334360.0

I believe you screwed up our 2 miners
we have a 2-3 day coin less gap

https://blockchain.info/address/19NAwha8LGpRFEBwRgjH5ZMB9YyXeqyY9V

https://blockchain.info/address/13fGQGmb6Xi576ppJTkeXk34yDDRmvxjm4

 (Eleuthria )
this direct appeared on both out payout addresses and we lost coins..  the timing matches to your playing around with out 2 miners  along with 1100 other miners.

I intend to do no harm. No miner has ever been in my control, or ever will be.

Why should i screw with 2 miners, while i have 6 jupiters standing here.
Also, why screw with miners who are pwd protected, while there are hundres of miners with default login.

And mostly, why would i post a topic after screwing with miners.

Think about it ;-)

[philipma1957]

I did think about it. I found it to be   bad timing on your part to announce you did this and that the announcement matches very odd behaviour  of our miners. What I would like to know is how many miners other then the two  mention have this problem which is why I posted this here.  You have admitted you viewed 1100 plus miners.  if only the two I mention have this problem after being viewed by you then most likely this has nothing to do with your testing.

[steve15]

I did think about it. I found it to be   bad timing on your part to announce you did this and that the announcement matches very odd behaviour  of our miners. What I would like to know is how many miners other then the two  mention have this problem which is why I posted this here.  You have admitted you viewed 1100 plus miners.  if only the two I mention have this problem after being viewed by you then most likely this has nothing to do with your testing.

Well, just wait until the post goes public then! Hurry up and push KnC to patch up.
Can you imagine the horror once i post the full details?

For your information; the +1100 miners are public available on the net, everybody can scan and see them.
I bruteforced 28 logins, but i never actually logged in. Dont you know your KnC has a log? CHECK YOUR LOG BEFORE THROWING MUD!!!

[Bogart]

Of course this kind of thing is a risk if you use a weak password and then forward the ports to allow incoming connections directly from the big bad internet.  Duh.  This goes for any device.

[philipma1957]

I did think about it. I found it to be   bad timing on your part to announce you did this and that the announcement matches very odd behaviour  of our miners. What I would like to know is how many miners other then the two  mention have this problem which is why I posted this here.  You have admitted you viewed 1100 plus miners.  if only the two I mention have this problem after being viewed by you then most likely this has nothing to do with your testing.

Well, just wait until the post goes public then! Hurry up and push KnC to patch up.
Can you imagine the horror once i post the full details?

For your information; the +1100 miners are public available on the net, everybody can scan and see them.
I bruteforced 28 logins, but i never actually logged in. Dont you know your KnC has a log? CHECK YOUR LOG BEFORE THROWING MUD!!!

 So you attacked 28 logins of the 1100 plus miners and you were successful with them. your words not mine .  you claim to own 2 machines  so at best 26 miners are not yours.  did you get permission to try them?  so I do I know if one   or both of the machines I own shares in were not damaged by you?

 causing them to lose about .5btc each in hash.  look If no one comes to the thread other then me then maybe the 28 machines you hacked were not injured in terms of hash power. but  announcing to the world that you hacked /brute forced 28 machines puts you at risk for damages.  Any one including me and my 9.5 percent share of 2 Jupiter's (about 100gh) can say your  actions caused them harm. Frankly I am posting this here to say that brute forcing some ones password with out permission is not to clever in terms of liability .

  Can you prove the 28 machines  that were brute forced were not damaged? Can you prove you did not attack the machines I own a piece of?  Most people do not realize that for civil damage the proof is not  as high as it is for criminal damage.  So I am not slinging any mud I am pointing out that you may have set yourself up for problems. you should have asked for 30 knc owners to be testers.  

If you had permission to do a brute force attack on the 28 machines you should have told us that right up front.

[soothaa]

I did think about it. I found it to be   bad timing on your part to announce you did this and that the announcement matches very odd behaviour  of our miners. What I would like to know is how many miners other then the two  mention have this problem which is why I posted this here.  You have admitted you viewed 1100 plus miners.  if only the two I mention have this problem after being viewed by you then most likely this has nothing to do with your testing.

Holy shit the entitlement here!

[philipma1957]

I did think about it. I found it to be   bad timing on your part to announce you did this and that the announcement matches very odd behaviour  of our miners. What I would like to know is how many miners other then the two  mention have this problem which is why I posted this here.  You have admitted you viewed 1100 plus miners.  if only the two I mention have this problem after being viewed by you then most likely this has nothing to do with your testing.

Holy shit the entitlement here!

 

no not about entitlement.  he admits to attacking passwords of 28 miners. and in no place does he say he had permission.  the 2 miners I own 9.5 % of had a hashing issue during the time he was brute forcing miners.


 if I go to a gym locker and try a 3 digit combo lock 20 times a day until it clicks open I am breaking the law in most counties. even if I push it locked again.


the op admits to doing this with knc passwords.  so dude this is not about entitlement.  this is about the op admitting to attacking passwords on valuable gear. I am not the op. I am a part owner of 2 machines that  the op may have attacked.     so 28/1100 = 2.5% chance but I have 2 machines so about 5% chance he tried on my gear.  my gear had a loss unexplained loss of hash power.  what do you expect me to think?

[runderwo]

what do you expect me to think?

That you should have some evidence beyond pure circumstance before slinging around legal threats?

Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?

P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely.  Is it that difficult?

[philipma1957]

what do you expect me to think?

That you should have some evidence beyond pure circumstance before slinging around legal threats?

Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?

P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely.  Is it that difficult?

first off I am not the op.  i did not brute force 28 knc machines he did.  now when he did the brute force on the 28 machines he did not tell us he had permission to do it. so stop defending him for  doing something that is not legal.

 did his brute force attack hurt this person?

https://bitcointalk.org/index.php?topic=31163.msg4140767#msg4140767

maybe I do not know but time wise it matches.  was he off line for 3 or 5 hours extra due to the password attack ? do not know.  I ask you this. would you want someone coming to the front door of your home and testing your door knob to see if it opens easily ?  

  so to the op  did you have permission to attack the 28 machines? yes or no?  my apologies if you informed those miners. before you attacked them