
UEFI’s “physical presence” vulnerability


New UEFI standards propose that the physical presence of a person (an operator) protects against automated actions by malware: modifying the various keys that verify the validity of the software being loaded, flashing the wrong BIOS version, and so on.

The logic is this: allow these actions (which would otherwise let anything be loaded) only with physical confirmation from the keyboard. No evil virus, they say, can physically press a key on the keyboard for the BIOS.

I will not even consider the option of hacking a USB device's firmware so that it sends the right key combination.
I want to talk about something scarier: IPMI and iLO with embedded KVM, and how easily the "physical presence" requirement is satisfied on modern server hardware.

So let's take a look at IPMI. As an example I took the first available lab machine with IPMI on board. What does it provide?

1) A separate network interface on the motherboard.
2) A separate computer, powered by the standby voltage from the power supply, that works independently of the main one.
3) Built-in power control of the main computer (power on, power off, reset).
4) KVM over IP (a video-capture path plus a virtual mouse and keyboard; virtual floppy and optical drives can also be attached).

All this was done for good reasons: so that the sysadmin can watch the machine as if a monitor and keyboard were plugged in, without leaving his desk. Just open the IPMI device's IP address, click "remote console", and there it is on screen. Including, note, the BIOS setup menu.

Since the IPMI controller (the BMC) is a normal, if thin, computer, it has its own SSH server.

Let's go there.

On one model we see a rather poor spectacle: a text menu with a few options.
But on the second...
 BusyBox v1.1.3 (2009.08.12-22:19+0000) Built-in shell (ash)
 Enter 'help' for a list of built-in commands.

 # uname -a
 Linux SMC003048F209F5 2.6.24-ami #1 Wed Aug 12 15:18:58 PDT 2009 armv5tejl unknown



Yes, you understood correctly: a normal Linux, with working commands and a directory where you can copy your own executables and run them.

But there is a password!

Because the BMC is also reachable from the host itself (the in-band interface, which ipmitool selects with -I open), the password can simply be reset from the host. User ID 2 is the ADMIN account on this board:

ipmitool -I open user set password 2 mynewpass


And other things as well: a warm reset, a cold reset of the BMC, and so on. In principle you can even flash your own version of the firmware.

Attack scenario


1. Through a hole in a web-facing script plus a local privilege escalation, the malware gets root.
2. The malware fingerprints the server hardware and downloads the modules matching that configuration.
3. The malware connects to the BMC over the network (its address is readable from the host) or simply flashes replacement firmware and restarts the BMC.
4. The payload running on the BMC watches the motherboard's POST codes and waits for a reboot.
5. On reboot, it sends keystrokes through the virtual keyboard (we still exclude OCR of the screen image and any human participation in the attack).
6. Those keystrokes (note: selected for the specific BIOS model and downloaded as a module at the penetration stage) enroll the key that signs the blue pill (rootkit hypervisor) as a trusted key.
7. The malware removes all first-stage traces (itself on the BMC, the PHP payload, and the kernel exploits).
8. PROFIT
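As an added example (not code from the original post), here is a host-side audit script for the in-band host-to-BMC path that the password reset above and step 3 of the scenario rely on. It checks whether the IPMI device node exists, extracts the BMC's IP address from `ipmitool lan print` output (the "address that can be viewed" from the host), and lists which BMC accounts have ADMINISTRATOR privilege with IPMI messaging enabled, i.e. the accounts whose password a root process could reset. It assumes a Linux host, ipmitool, root, and channel 1; the device node paths and the sample ipmitool outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit, from the host OS,
# the in-band host-to-BMC path that the article abuses.
# Assumptions: Linux host, ipmitool installed, root (needed for /dev/ipmi0),
# LAN channel 1. The sample outputs below are constructed to mirror
# ipmitool's formatting so the parsing functions can be exercised offline.

# Is the in-band IPMI interface (what `ipmitool -I open` talks to) present?
# If the device node exists, any root process can manage the BMC without
# knowing a single BMC password.
host_ipmi_path_present() {
    [ -c /dev/ipmi0 ] || [ -c /dev/ipmi/0 ] || [ -c /dev/ipmidev/0 ]
}

# Read `ipmitool user list <channel>` output on stdin and print the IDs of
# accounts that can send IPMI messages with ADMINISTRATOR privilege. Those
# are the accounts whose password a rootkit would reset from the host.
admin_user_ids() {
    awk 'NR > 1 && $NF == "ADMINISTRATOR" && $(NF-1) == "true" { print $1 }'
}

# Read `ipmitool lan print <channel>` output on stdin and print the BMC's
# IP address (the "IP Address Source" line is deliberately not matched).
bmc_ip_address() {
    awk -F':' '/^IP Address[ \t]*:/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2
    }'
}

# Constructed sample: a BMC with the factory ADMIN account (user ID 2), a
# second administrator, a plain user, and an unused slot.
SAMPLE_USERS='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   ops              true    false      true       ADMINISTRATOR
4   viewer           true    false      true       USER'

SAMPLE_LAN='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.0.0.42
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:ab:cd:ef'

# Audit the live BMC when one is reachable in-band, otherwise the samples.
audit_bmc() {
    if command -v ipmitool >/dev/null 2>&1 && host_ipmi_path_present; then
        echo "in-band IPMI path present: root on this host can reset BMC passwords"
        users=$(ipmitool -I open user list 1)
        lan=$(ipmitool -I open lan print 1)
    else
        echo "no live BMC reachable in-band; auditing constructed sample output"
        users=$SAMPLE_USERS
        lan=$SAMPLE_LAN
    fi
    echo "BMC IP address: $(printf '%s\n' "$lan" | bmc_ip_address)"
    echo "administrator user IDs: $(printf '%s\n' "$users" | admin_user_ids | tr '\n' ' ')"
}

audit_bmc
```

On a real server the interesting result is the first branch: if /dev/ipmi0 exists and `ipmitool -I open user list 1` answers, every administrator account it prints can be taken over by anyone who is root on the host, without any network access to the BMC at all.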

What is the point of all this?

That on modern server hardware one cannot rely on "physical presence" as protection against automated code execution.

Source: https://habr.com/ru/post/150226/
