Before we dwell into this vulnerability, allow me to set the table. Once upon a time, Intel decided to add some hardware to their chips to allow admins to remotely control their servers. So today, Intel chips for server solutions contain “Management Engine” (ME) – a microcontroller inside of a processor. ME works independently to the operating system and it works even if the OS is shutdown (provided power supply and network access) so administrators can remotely turn the machine on and off, manage the server and even reinstall the operating system. You can access network, memory, storage, processors, and connected hardware, all of that completely out of sight to the operating system, let alone anti-virus. This level of privileges is called ring –2 and, once again, it’s connected to the internet. For obvious reasons, this feature bugs security and privacy conscious people to the extent that you can find many tutorials that teach you how to physically rip off that part of the chip.
In February 2017 (but patched in May 2017), security researcher Maksim Malyutin from researching team Embedi, discovered a logical flaw in ME firmware that allows hackers to use technologies such as AMT and ISM to bypass authentication and gain control over ME over the network. If you use mentioned technologies for your server, head over to this advisory and patch up! Otherwise, let’s delve into the (trivial) technical details of this vulnerability.
ME firmware was written in C, so it wasn’t too hard to find the authentication part in reverse engineered firmware – function: int strncmp (string s1, string s2, int cmplength). This function takes two strings and a number. Strings are to be compared and the number specifies how many characters from the beginning of the string are to be compared. Based on the comparison, the function returns 0 if the first ‘cmplength’ characters are the same, in which case, admin is authenticated.
The firmware handles authentication by comparing user response string with the one stored on the server (computed response) like this:
Flaw resides in the third argument – number of characters to be compared is the length of the user response! If the user could somehow send nothing (null), the program would compare first 0 characters which would always be true. Communication with AMT happens over HTTP so nothing stops an attacker to set up a proxy and remove the user response string on the fly. Third argument should’ve been computed response’s length!
For more detailed version, check out Embedi’s whitepaper on the topic. It also contains an exploitation example. Before I go, it’s worth mentioning that vulnerable remote control technologies are turned off by default, which is a lifesaver for many people right now.
TheBitcoinNews.com – Bitcoin News source since June 2011 –
Virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to consumer protections. TheBitcoinNews.com holds several Cryptocurrencies, and this information does NOT constitute investment advice or an offer to invest.
Everything on this website can be seen as Advertisment and most comes from Press Releases, TheBitcoinNews.com is is not responsible for any of the content of or from external sites and feeds. Sponsored posts are always flagged as this, guest posts, guest articles and PRs are most time but NOT always flagged as this. Expert opinions and Price predictions are not supported by us and comes up from 3th part websites.
Advertise with us : Advertise
Our Social Networks: Facebook Instagram Pinterest Reddit Telegram Twitter Youtube