Lucene search
K

Supermicro Onboard IPMI Static SSL Certificate Scanner

šŸ—“ļøĀ 06 Nov 2013Ā 19:45:40Reported byĀ hdm <[email protected]>, juanTypeĀ 
metasploit
Ā metasploit
šŸ”—Ā www.rapid7.comšŸ‘Ā 80Ā Views

This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2013-3619
29 May 201815:50
–circl
Check Point Advisories
Supermicro Onboard IPMI Static SSL Certificate Scanner Information Disclosure (CVE-2013-3619)
12 Nov 201300:00
–checkpoint_advisories
CVE
CVE-2013-3619
2 Jan 202017:51
–cve
Cvelist
CVE-2013-3619
2 Jan 202017:51
–cvelist
EUVD
EUVD-2013-3553
7 Oct 202500:30
–euvd
NVD
CVE-2013-3619
2 Jan 202018:15
–nvd
OpenVAS
Known/Static SSH Private Key Used (TCP)
14 Oct 201500:00
–openvas
Packet Storm
Supermicro Onboard IPMI Static SSL Certificate Scanner
1 Sep 202400:00
–packetstorm
Prion
Design/Logic Flaw
2 Jan 202018:15
–prion
Tenable Nessus
SSH Static Key Accepted
8 May 201400:00
–nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  PRIVATE_KEY = <<-EOF.gsub(/^ {4}/, '')
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFo
    bNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxV
    FSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSwIDAQAB
    AoGAah4/FzGiboTKCyGeNA+eltsIXzCjpdZlrtwvrbLxpyXtldWKT59XS6ww4mXQ
    CJYuNBhnbSrt7vrybG0vVfZHEOCvK+5YKBOtvRgrWDgs1Bkc5hsdI5gLx3jE7g6M
    PuUvD7ueF4OzYeYRrOLWr957jl32n+hD/k65bKWAUp3aTDECQQDqnEPZWlmoH7Jp
    6woRnEp+1cullHv8DviM5Huh+JeBotSa03p4unhKlRYSqnHdeHU2343n1VUDzvnV
    LQWi5G+FAkEAxjt0S67lyuuVD842uZRHt2WSQvwt23aKzQ+EJwV0IXYzfefeLzEm
    dDdvc1AJ31gweAQK89/5/1EEF40K7BJdjwJBAJDFdtTT/QlS7eyQPjlZwVp9IVp+
    wvdqYZPHlkb/uLYlPZ6Aq01+e6ZCU0mXZgYtQ99lmhKaQQjFmsMiMh0va2UCQA2T
    NLuaFpJ235ZdgNHknaSpiAKeUmWdEJRKY7poXTONbKlKn6SLsR50TWWQLZzl5SvS
    2w0oYW5ile0m84CHIXECQQCrABn0HY4Ll9/4FX+OCWamqwENltU1GcGIogeyFymK
    ZVX8QdAVoUiZoUaVku946j63WNSkI1sU/UWhL6XDt4gx
    -----END RSA PRIVATE KEY-----
  EOF


  def initialize
    super(
      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',
      'Description' => %q{
        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI
        controllers. An attacker with access to the publicly-available firmware can perform
        man-in-the-middle attacks and offline decryption of communication to the controller.
        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
        version SMT_X9_214.
      },
      'Author'       =>
        [
          'hdm', # Discovery and analysis
          'juan' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-3619' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']
        ],
      'DisclosureDate' => 'Nov 06 2013'
    )

    register_options(
      [
        Opt::RPORT(443),
      ])
  end

  # Fingerprint a single host
  def run_host(ip)
    connect(true, {"SSL" => true}) #Force SSL
    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)
    disconnect

    unless cert
      vprint_error("#{ip}:#{rport} - No certificate found")
      return
    end

    pkey = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
    result = cert.verify(pkey)

    if result
      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")
      # Report with the SSL Private Key hash for the host
      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
      report_note(
        :host  => ip,
        :proto => 'tcp',
        :port  => rport,
        :type  => 'supermicro.ipmi.ssl.certificate.pkey_hash',
        :data  => digest
      )

      report_vuln({
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :name  => "Supermicro Onboard IPMI Static SSL Certificate",
        :refs  => self.references
      })
    end
  end
end

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation