Recently, while reading one of my favorite English-language blogs, I came across an article by Dan Farmer (the man who wrote one of the first vulnerability scanners in history), the title of which can (somewhat freely) be rendered as "IPMI: the train is headed for Hell" (the original title is "IPMI: Freight Train to Hell").
Having searched my beloved Habr, I found no mention of this commendable piece and decided to correct the omission, all the more so because the topic is right up my alley (no investigation of my own was needed here: Dan had already dug everything up before us, but the scandalous intrigue can be followed).
So, first things first. What is IPMI, and why is it sending a train to Hell?
Those Habr readers who work in large and beautiful data centers know what it is (and most likely use it), but for those who have not been lucky enough to work in a large and beautiful data center: IPMI, the Intelligent Platform Management Interface, is present on practically every server motherboard and is something like a built-in KVM "on steroids".
This meritorious thing gives the administrator access to the server regardless of the whims of the BIOS, the operating system, and even the CPU: the component responsible for IPMI (the BMC, Baseboard Management Controller) keeps working even when the server itself is switched off (but not unplugged) or hung.
In fact, IPMI is in general extremely resistant to all sorts of "trouble" and can transmit data (and provide access) in the most varied "catastrophic" situations. Besides administration as such, the BMC also handles monitoring, logging, erotic massage, coffee making, and many other good and meritorious deeds.
Tasty? Not really...
For example, a reasonable question arises: how does this wonderful contraption handle authentication?
And this is where the problems begin.
Authentication is by username and password, the password is at most 20 characters long, and some BMCs simply store it in plaintext (Dell, to its credit, hashes it... but without a salt. In the twenty-first century, no less...).
Many BMCs support RADIUS and the like (not always sensibly), but there is almost always a fallback to "emergency" local password authentication (which is actually quite logical: IPMI must keep working precisely in those emergencies in which the authentication server itself may be unreachable).
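To see why the "without a salt" detail matters, here is an added example in Python (illustration code of my own, not anything from Farmer's article and not any vendor's actual storage scheme): the hash function, the constructed "fleet" of dumped BMC credentials and the word list are all assumptions. With no salt, equal digests mean equal passwords, so a user table dumped from one BMC tells you which other BMCs share its password, and a single precomputed word-list table cracks all of them at once; a salted, iterated hash removes both shortcuts.

```python
import hashlib
import os

IPMI_MAX_PASSWORD = 20  # IPMI 2.0 caps user passwords at 20 bytes


def unsalted_hash(password):
    """Stand-in for an unsalted on-BMC password hash (SHA-1 here is an assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Salted, iterated alternative: the same password hashes differently per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def find_reuse(dumped):
    """dumped: {(host, user): unsalted digest}. Equal digests reveal shared passwords
    across hosts without cracking anything."""
    groups = {}
    for account, digest in dumped.items():
        groups.setdefault(digest, []).append(account)
    return {d: sorted(a) for d, a in groups.items() if len(a) > 1}


def crack_all(dumped, wordlist):
    """Build the digest table once and reuse it against every BMC dump in the fleet."""
    table = {unsalted_hash(w): w for w in wordlist if len(w) <= IPMI_MAX_PASSWORD}
    return {account: table[d] for account, d in dumped.items() if d in table}


# Constructed "fleet" of dumped BMC credentials (hosts, users and passwords are made up)
DUMPED = {
    ("db01", "root"): unsalted_hash("Summer2012"),
    ("db02", "root"): unsalted_hash("Summer2012"),
    ("web01", "root"): unsalted_hash("r4ck-Un1t-7"),
    ("web01", "monitor"): unsalted_hash("monitor"),
}
WORDLIST = ["password", "admin", "monitor", "Summer2012", "changeme"]

if __name__ == "__main__":
    print("shared passwords:", find_reuse(DUMPED))
    print("cracked:", crack_all(DUMPED, WORDLIST))
    salt, d1 = salted_hash("Summer2012")
    _, d2 = salted_hash("Summer2012")
    print("salted digests for the same password differ:", d1 != d2)
```

With the salted variant the two `root` accounts on `db01` and `db02` would no longer be linkable by digest, and the word list would have to be rehashed per account and per salt rather than once for the whole fleet.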
But perhaps the most interesting part is this: whoever holds administrator rights on a given server automatically gets full administrator rights over that server's BMC.
Thus, if someone (well, Mallory, say) has rooted the server, the attacker can additionally annoy the victim by "creatively reworking" the machine's list of IPMI users or, better still, by stealing the IPMI logins and passwords (I did mention that password storage in IPMI is often not very well thought out, didn't I?), and because of the way IPMI is deployed in practice, reuse of those passwords on other machines is very likely. In principle the password-reuse problem can be solved to some extent with RAKP (a special key-exchange protocol), but using it demands serious skills and is poorly described in the literature (and remember that RAKP does nothing to keep Mallory out of the BMC of a server on which Mallory already has administrator rights).
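What Mallory sees from root, as an added example of my own (not code from Farmer's article): the same inventory a defender should run from the same position. Root on the host talks to the BMC in-band through `/dev/ipmi0` (kernel modules `ipmi_si` and `ipmi_devintf`) without presenting any BMC credentials, for instance `ipmitool user list 1` and `ipmitool lan print 1`. The two outputs below are constructed samples in ipmitool's output format, with made-up user names and documentation-range addresses; the parser flags accounts that hold ADMINISTRATOR privilege and can log in over the LAN channel, reports whether the BMC has an out-of-band address, and checks whether RMCP+ cipher suite 0 (which the IPMI 2.0 spec defines as no authentication, no integrity and no confidentiality) is enabled.

```python
import re

# Constructed sample of `ipmitool user list 1` (channel 1 is the LAN channel on most BMCs)
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   root             true    true       true       ADMINISTRATOR
3   monitor          true    false      true       USER
4   backupadmin      false   false      true       ADMINISTRATOR
5                    true    false      false      NO ACCESS
"""

# Constructed sample of `ipmitool lan print 1`, trimmed to the lines the audit uses
LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Admin    : MD2 MD5
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
"""

USER_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>\S*)\s+(?P<callin>true|false)\s+"
    r"(?P<link>true|false)\s+(?P<ipmimsg>true|false)\s+(?P<priv>.+?)\s*$"
)


def parse_users(text):
    """Rows of `ipmitool user list`; the header and blank rows are skipped by the regex."""
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            u = m.groupdict()
            u["id"] = int(u["id"])
            for flag in ("callin", "link", "ipmimsg"):
                u[flag] = u[flag] == "true"
            users.append(u)
    return users


def parse_lan(text):
    """`ipmitool lan print` as key/value pairs; continuation lines (empty key) are dropped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key:
            cfg[key] = value.strip()
    return cfg


def lan_admins(users):
    """Accounts that can open an IPMI session over the LAN channel as ADMINISTRATOR."""
    return [u["name"] for u in users if u["priv"] == "ADMINISTRATOR" and u["ipmimsg"]]


def audit(user_text, lan_text):
    users = parse_users(user_text)
    lan = parse_lan(lan_text)
    findings = []
    admins = lan_admins(users)
    findings.append("LAN-reachable ADMINISTRATOR accounts: %s" % ", ".join(admins))
    ip = lan.get("IP Address", "0.0.0.0")
    if ip != "0.0.0.0":
        findings.append("BMC is reachable out-of-band at %s" % ip)
    suites = [s.strip() for s in lan.get("RMCP+ Cipher Suites", "").split(",")]
    if "0" in suites:
        findings.append("RMCP+ cipher suite 0 (no authentication) is enabled")
    return findings


if __name__ == "__main__":
    for f in audit(USER_LIST, LAN_PRINT):
        print("-", f)
```

Every account the script lists is one whose password Mallory can reset from root with `ipmitool user set password <id>`, and every one that can log in over the LAN is one whose stolen password may open other machines' BMCs as well. On a real host, feed the script the live output of the two ipmitool commands instead of the embedded samples.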
Many BMCs have their own web server (because, of course, where would we be without one in a low-level monitoring and administration system...), which in theory widens the repertoire of "friendly pranks" Mallory can play after capturing the BMC of a single machine.
BMC firmware updates are not very well thought out either: first, "normally" only an image specially signed by the vendor can be flashed (so if you have found a "hole" in your IPMI version, there is nothing to do but wait until the vendor deigns to release an official update), and second, for a number of "relatively inexpensive" server motherboards the BMCs themselves were made by a third party, which turns an update into a problem with two unknowns (or even more, since the firmware could have been "outsourced" as well).
It is worth noting that while preparing his material Farmer found an exploit that gives root over SSH on the BMC of a "major vendor" (details have not yet been disclosed: being a responsible person, he decided to give the vendor a chance to release an update).
It is too early to draw conclusions. Surprisingly, Farmer's article is almost the first attempt to pull together what is known about IPMI security problems (and the material is being actively updated with interesting details, so watch this space), but one thing is certain: IPMI security is damn interesting.
I hope, dear Habr readers, that my modest, cursory retelling of a wonderful article not only amused you but perhaps also got you interested in another fun and unusual problem.