Lucene search
H D Moore, Dan Farmer, metasploit.comPACKETSTORM:180980HistorySep 01, 2024 - 12:00 a.m.
IPMI 2.0 Cipher Zero Authentication Bypass Scanner
2024-09-0100:00:00
H D Moore, Dan Farmer, metasploit.com
packetstormsecurity.com
13
ipmi 2.0
cipher zero
authentication bypass
vulnerable systems
cipher zero authentication
vulnerability
udp scanner
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7.1
Confidence
Low
EPSS
0.1
Percentile
95.0%
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::UDPScanner
def initialize
super(
'Name' => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
'Description' => %q|
This module identifies IPMI 2.0-compatible systems that are vulnerable
to an authentication bypass vulnerability through the use of cipher
zero.
|,
'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4782'],
['URL', 'http://fish2.com/ipmi/cipherzero.html'],
['OSVDB', '93038'],
['OSVDB', '93039'],
['OSVDB', '93040'],
],
'DisclosureDate' => 'Jun 20 2013'
)
register_options(
[
Opt::RPORT(623)
])
end
def scanner_prescan(batch)
print_status("Sending IPMI requests to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
@res = {}
end
def scan_host(ip)
console_session_id = Rex::Text.rand_text(4)
scanner_send(
Rex::Proto::IPMI::Utils.create_ipmi_session_open_cipher_zero_request(console_session_id),
ip, datastore['RPORT']
)
end
def scanner_process(data, shost, sport)
info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data)# rescue nil
return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP
# Ignore duplicate replies
return if @res[shost]
@res[shost] ||= info
if info.error_code == 0
print_good("#{shost}:#{sport} - IPMI - VULNERABLE: Accepted a session open request for cipher zero")
report_vuln(
:host => shost,
:port => datastore['RPORT'].to_i,
:proto => 'udp',
:sname => 'ipmi',
:name => 'IPMI 2.0 RAKP Cipher Zero Authentication Bypass',
:info => "Accepted a session open request for cipher zero",
:refs => self.references
)
else
vprint_status("#{shost}:#{sport} - IPMI - NOT VULNERABLE: Rejected cipher zero with error code #{info.error_code}")
end
end
end
`
Related
prion
prion
Authentication flaw
2013-07-08 22:55:00
cvelist
cvelist
CVE-2013-4782
2013-07-08 22:00:00
metasploit
metasploit
IPMI 2.0 Cipher Zero Authentication Bypass Scanner
2013-06-30 07:35:37
cve
cve
CVE-2013-4782
2013-07-08 22:55:01
nvd
nvd
CVE-2013-4782
2013-07-08 22:55:01
openvas
openvas
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7.1
Confidence
Low
EPSS
0.1
Percentile
95.0%
Related for PACKETSTORM:180980