
Intel AMT vulnerability: Silent Bob is Silent [pdf] - my123
https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
======
nullc
Is there even a point in discussing this?

Intel and AMD will continue to not provide options without backdoors,
intentional or otherwise.

Everyone will continue to buy their product because the alternatives do not
have competitive performance.

------
lightedman
Wow. All you have to do is give it an empty response, and it accepts it as
valid and lets you in.

How did this get missed in QC? The first thing I try doing while I'm working
on my little game is seeing if null or empty inputs allow things that should
not happen to happen with each command/function I add into the system. I write
the code, see if it compiles, and if it does I immediately test the function
in-game with any potentially invalid string/argument I can think to give it.
Isn't input testing/validation step #1 in QC for code?

~~~
ajross
While I'm sure you are right that _you_ would totally never do something like
that, it's likewise a truism that virtually all security goofs like this are
committed by programmers who think they'd totally never do something like that.
To wit: I don't believe you.

What almost certainly happened here is that, as someone else in this thread
mentions, someone came by to fix an automated warning about the use of
strcmp(a, b) and replaced it with strncmp(a, b, strlen(a)) instead of
strncmp(a, b, strlen(b)). Easily 90% of code reviewers wouldn't catch that
mistake (especially if it came along with a truckload of other such fixes),
and as it's a maintenance change no new tests would have been written for it.

The only way to catch this would have been to already have written and
deployed a test that expressly tested an empty string password. That's surely
a good test to have, but come on, be honest: you've probably written a bunch
of "password" style checkers in your career. Did you deploy a test and
integrate it into CI for every one of them?

~~~
tyingq
It was trickier than that even. It wasn't an empty password. It was an empty
digest auth response; something like this is the normal path, inside the
browser's code...not your own code.

HA1=MD5(username:realm:password)

HA2=MD5(method:digestURI)

response=MD5(HA1:nonce:HA2)

So you have to hijack the header value the browser sends...not just send an
empty password.
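
The comparison slip described by ajross and the digest formulas quoted by tyingq, put together in one runnable Python model (an added example, not code from the thread, the white paper or Intel): the server recomputes HA1, HA2 and the expected response exactly as listed above, then checks the client's `response` field either with a comparison whose length is taken from the client-controlled string (the `strncmp(a, b, strlen(a))` pattern, modelled in Python) or with a full-length constant-time comparison. All credentials, the realm and the nonce are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
from typing import Callable

# Constructed sample credentials and nonce; not values from the advisory.
USERNAME = "admin"
REALM = "Digest:ABCDEF0123456789"
PASSWORD = "correct horse battery staple"
METHOD = "GET"
URI = "/index.htm"
NONCE = "1234abcd"


def md5_hex(text: str) -> str:
    """Hex MD5 of a string, the hash HTTP Digest authentication uses."""
    return hashlib.md5(text.encode()).hexdigest()


def expected_digest_response(username: str, realm: str, password: str,
                             method: str, uri: str, nonce: str) -> str:
    """Server-side recomputation of the client's response, following the three
    formulas quoted in the thread (the qop-less Digest form):
        HA1      = MD5(username:realm:password)
        HA2      = MD5(method:digestURI)
        response = MD5(HA1:nonce:HA2)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def buggy_compare(expected: str, received: str) -> bool:
    """Models strncmp(received, expected, strlen(received)) == 0 in Python: the
    number of characters compared comes from the client-controlled string, so an
    empty response compares zero characters and any prefix of the real response
    also passes."""
    n = len(received)
    return expected[:n] == received


def safe_compare(expected: str, received: str) -> bool:
    """Full-length, constant-time comparison; differing lengths never match."""
    return hmac.compare_digest(expected.encode(), received.encode())


def verify_response(received: str, compare: Callable[[str, str], bool]) -> bool:
    """True when the received Digest 'response' field authenticates the
    constructed sample user under the given comparison function."""
    expected = expected_digest_response(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE)
    return compare(expected, received)


if __name__ == "__main__":
    # The length-from-input comparison accepts an empty response; the
    # full-length comparison rejects it.
    print("empty response, buggy compare:", verify_response("", buggy_compare))
    print("empty response, safe compare :", verify_response("", safe_compare))
```

The point a reviewer should take from the model: the fix is not only picking the right `strlen` operand but never letting the candidate's length decide how much of the expected value is checked; `hmac.compare_digest` (or `CRYPTO_memcmp`-style routines in C) compares the whole value and treats a length mismatch as failure.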

------
nisa
So if you set up AMT in the BIOS and run Linux you are exploitable? Can
somebody confirm that this also affects AMT < 6.0, i.e. Core2 systems like Dell
Optiplex 755, 780?

~~~
kevin_b_er
AMT runs below the OS on a coprocessor inside the Intel chip that has a
privilege level greater than a hypervisor on your machine and monitors the mobo
ethernet independently of the OS. It can re-image and control your machine no
matter what OS is running. Yes, you're vulnerable running Linux.

~~~
leir
Is this vulnerability just an authentication bypass in the AMT web server, or
was the root cause that AMT itself was vulnerable?

------
nikanj
I have witnessed more than one (internal, not security critical) bug caused by
a junior coder who's noticed a compiler nag about not using the length-
checking version of string functions.

------
eikenberry
Has anyone developed a scanning program yet? To scan your local network for
vulnerable machines. It would be very handy to know which systems I need to
boot into BIOS and disable AMT.

~~~
ams6110
Use nmap to check for the open ports.

623, 664, 1699[2-5]
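
An inventory check along the lines ams6110 suggests, written as an added Python example (not code from the thread or from nmap): it expands the `1699[2-5]` shorthand into a port list and records, for each host you name, which of the listed ports complete a TCP connection, so you know which machines to visit in the BIOS. The `find_amt_listeners` and `expand_port_spec` names are this example's own, the connector is injectable so the logic can be exercised offline, and an open port only tells you the management interface is reachable, not what firmware version it runs.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Ports named in the thread: 623, 664 and 16992-16995 (the "1699[2-5]" shorthand).
AMT_PORTS: List[int] = [623, 664, 16992, 16993, 16994, 16995]


def expand_port_spec(spec: str) -> List[int]:
    """Expand shorthand such as "1699[2-5]", "16992-16995" or "623" into ports."""
    if "[" in spec:
        prefix, rest = spec.split("[", 1)
        lo, hi = rest.rstrip("]").split("-")
        return [int(prefix + str(d)) for d in range(int(lo), int(hi) + 1)]
    if "-" in spec:
        lo, hi = spec.split("-")
        return list(range(int(lo), int(hi) + 1))
    return [int(spec)]


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_amt_listeners(hosts: Iterable[str],
                       ports: Iterable[int] = AMT_PORTS,
                       connect: Callable[[str, int], bool] = tcp_connect
                       ) -> Dict[str, List[int]]:
    """Map each host to the subset of the given ports that accept a connection.
    Hosts with nothing listening are left out of the result."""
    listeners: Dict[str, List[int]] = {}
    for host in hosts:
        open_ports = [p for p in ports if connect(host, p)]
        if open_ports:
            listeners[host] = open_ports
    return listeners


if __name__ == "__main__":
    # Usage: python amt_inventory.py 192.168.1.10 192.168.1.11 ...
    for host, open_ports in find_amt_listeners(sys.argv[1:]).items():
        print(f"{host}: management ports open: {open_ports}")
```

Run it only against hosts you administer; the output is the to-do list for the BIOS visits, and a host that answers on none of these ports is not necessarily clean (AMT may be unprovisioned or on a different interface), so it complements rather than replaces checking the firmware itself.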

~~~
eikenberry
Thanks.

------
orblivion
So if I point another computer on the network to the given ports on a browser,
I should see this damn interface? Would be a nice way to indicate whether it
is on or not, maybe?

~~~
ppoint
I think AMT needs to be provisioned on target computer to be exploitable.

~~~
AnimalMuppet
But to find out if it is, I need to go into the BIOS, right? Isn't it easier
just to try going to a port?

~~~
orblivion
I keep reading that if you "disable AMT" in the BIOS (on my Lenovo, anyway) it
just resets the settings. A complete WTF but that's what I've been reading.

------
RichardHeart
Will blocking ports 16992-16993 at router block this attack vector?

