Key Information

Vulnerability Overview

Vulnerability name: Hacking the Miner: Evil Clickjacking in NoxField QuickMiner
Discovery date: 2023-07-01
Disclosure date: 2023-08-01
Security type: Critical Security Code Execution
Discovered by: Prince Philip (Independent Security Researcher)

Vulnerability Details

Vulnerability type: Improper Input Validation / Insecure Update Mechanism
CVE ID: CVE-2023-6666
Impact: Remote Code Execution (RCE)
Risk level: Informal Risk Score

Description

Attack vector: The attacker can trick a user into clicking on a malicious link.
Update mechanism: When the update mechanism performs software updates over HTTP instead of HTTPS, it fails to validate digital signatures or hash checks. This allows an adversary to inject a rogue update with malware.

Technical Description

When the software checks for updates, if the update server does not use HTTPS encryption, certificate signature verification, and digital signature/hash verification, a potential vulnerability results. An attacker can get malicious code to run automatically.

Affected Product

Vendor: NoxField
Product: QuickMiner
Version: 4.15.0 (20230701 build)

Exploitation Steps

1. Attacker gains control of DNS resolution or network path (e.g., local network poisoning, MITM).
2. Victim's QuickMiner instance requests updates from update.noxfield.com.
3. Attacker serves malicious update.json + payload.
4. QuickMiner executes the payload automatically -> remote code execution achieved.

Mitigations

Install update released by NoxField.
Block untrusted access to noxfield.com.
Only update software manually from trusted sources.
Enforce HTTPS throughout client and network gateways.
Use endpoint protection to monitor unauthorized process executions.

Timeline

2023-07-01: Vulnerability discovered in QuickMiner build.
2023-08-01: Vendor contacted and confirmed issue.
2023-09-01: Assigned CVE-2023-6666.
2023-10-01: Release via Medium and CVE request.

References

Medium advisory: Hacking the Miner - Zero-Click RCE in NoxField QuickMiner
CVE Records: CVE-2023-6666 Reserved

Acknowledgments

Research & Discovery: Prince Philip (Independent Researcher)
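
An added example (not from the advisory and not NoxField's code) of the client-side checks the mitigations point to: an update is refused unless the manifest and payload URLs are HTTPS on the pinned update host and the payload's SHA-256 matches the manifest. The manifest field names (`version`, `url`, `sha256`), the URL paths and the sample data are assumptions; verifying a vendor signature over the manifest would additionally need a public-key library and is not shown.

```python
import hashlib
import json
from urllib.parse import urlsplit

PINNED_HOST = "update.noxfield.com"  # update host named in the advisory

class UpdateRejected(Exception):
    """The update must not be executed."""

def _require_https(url):
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UpdateRejected(f"unparsable URL: {url}") from exc
    if parts.scheme != "https":
        raise UpdateRejected(f"non-HTTPS URL: {url}")
    if parts.hostname != PINNED_HOST:
        raise UpdateRejected(f"unexpected host: {parts.hostname}")

def validate_update(manifest_url, manifest_bytes, payload):
    """Return the version string if the payload may run, else raise."""
    _require_https(manifest_url)
    try:  # field names below are an assumed manifest layout
        manifest = json.loads(manifest_bytes)
        fields = [manifest[k] for k in ("version", "url", "sha256")]
    except (ValueError, KeyError, TypeError) as exc:
        raise UpdateRejected(f"malformed manifest: {exc}") from exc
    if not all(isinstance(v, str) for v in fields):
        raise UpdateRejected("malformed manifest: fields must be strings")
    version, url, expected = fields
    _require_https(url)  # payload link must not downgrade or change host
    if hashlib.sha256(payload).hexdigest() != expected.lower():
        raise UpdateRejected("payload hash does not match manifest")
    return version

def decide(manifest_url, manifest_bytes, payload):
    """Fail closed: any rejection means the payload is never executed."""
    try:
        return "install " + validate_update(manifest_url, manifest_bytes, payload)
    except UpdateRejected as exc:
        return f"reject: {exc}"

# Constructed sample data, not taken from the product.
SAMPLE_PAYLOAD = b"constructed installer bytes"
SAMPLE_MANIFEST = json.dumps({
    "version": "0.0.0-example",
    "url": f"https://{PINNED_HOST}/example/installer.bin",
    "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}).encode()
```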