Before we dwell into this vulnerability, allow me to set the table. Once upon a time, Intel decided to add some hardware to their chips to allow admins to remotely control their servers. So today, Intel chips for server solutions contain “Management Engine” (ME) – a microcontroller inside of a processor. ME works independently to the operating system and it works even if the OS is shutdown (provided power supply and network access) so administrators can remotely turn the machine on and off, manage the server and even reinstall the operating system. You can access network, memory, storage, processors, and connected hardware, all of that completely out of sight to the operating system, let alone anti-virus. This level of privileges is called ring –2 and, once again, it’s connected to the internet. For obvious reasons, this feature bugs security and privacy conscious people to the extent that you can find many tutorials that teach you how to physically rip off that part of the chip.
In February 2017 (but patched in May 2017), security researcher Maksim Malyutin from researching team Embedi, discovered a logical flaw in ME firmware that allows hackers to use technologies such as AMT and ISM to bypass authentication and gain control over ME over the network. If you use mentioned technologies for your server, head over to this advisory and patch up! Otherwise, let’s delve into the (trivial) technical details of this vulnerability.
ME firmware was written in C, so it wasn’t too hard to find the authentication part in reverse engineered firmware – function: int strncmp (string s1, string s2, int cmplength). This function takes two strings and a number. Strings are to be compared and the number specifies how many characters from the beginning of the string are to be compared. Based on the comparison, the function returns 0 if the first ‘cmplength’ characters are the same, in which case, admin is authenticated.
The firmware handles authentication by comparing user response string with the one stored on the server (computed response) like this:
Flaw resides in the third argument – number of characters to be compared is the length of the user response! If the user could somehow send nothing (null), the program would compare first 0 characters which would always be true. Communication with AMT happens over HTTP so nothing stops an attacker to set up a proxy and remove the user response string on the fly. Third argument should’ve been computed response’s length!
For more detailed version, check out Embedi’s whitepaper on the topic. It also contains an exploitation example. Before I go, it’s worth mentioning that vulnerable remote control technologies are turned off by default, which is a lifesaver for many people right now.