
Intel's Remote AMT Vulnerability - tptacek
http://mjg59.dreamwidth.org/48429.html
======
zkms
> If you reboot you should see a brief firmware splash mentioning the ME.
> Hitting ctrl+p at this point should get you into a menu which should let you
> disable AMT.

my Lenovo T450s's vPro/AMT setup menu (MEBx) requires a password from me. The
default password ("admin") won't work -- which is wonderful, as I have no idea
how to reset it. Yaey.

~~~
mtgx
I don't trust Lenovo anymore. Far too many shenanigans like these from them.
It wouldn't surprise me if they do it on purpose for the Chinese government.
Also, the last Lenovo I bought, kind of fell apart in 2 years, so there's
that, too.

~~~
imglorp
Right, they've been caught several times now. How many didn't get publicized?

[http://thehackernews.com/2015/08/lenovo-rootkit-malware.html](http://thehackernews.com/2015/08/lenovo-rootkit-malware.html)

[https://www.us-cert.gov/ncas/alerts/TA15-051A](https://www.us-cert.gov/ncas/alerts/TA15-051A)

etc.

------
Clownshoesms
Say you had an afflicted machine on the public internet, but completely
firewalled in terms of IP, is this exploitable? I'm still not clear on how it
happens.

Edit: Sorry, read a bit deeper. Presumably this has to be enabled in the BIOS,
but an OS-level firewall won't help. Ack.

~~~
mjg59
Firewalled at which stage? OS-level firewalling will do nothing, but if your
border is rejecting packets for port 16992 then only people on your local
network will be able to attack you.

~~~
Clownshoesms
Thanks. Didn't realize there's another big thread, will have a read.

~~~
i336_
Was curious, it's this one:
[https://news.ycombinator.com/item?id=14237266](https://news.ycombinator.com/item?id=14237266)

~~~
Clownshoesms
Sorry for not linking it, was in a rush.

~~~
i336_
Not at all a problem.

------
gwu78
Is it true these packets are HTTP requests full of XML, i.e., SOAP? Do they
use HTTPS on ports 16994 and 16995?

To avoid a crash, users can mount potentially malicious filesystems in
userspace, i.e. users can run kernel drivers like ffs outside of the kernel.
This feature comes from a non-Linux kernel. I have read this may be able to
work on Linux too but I have never tried it.

~~~
cillian64
Here is a script which speaks the AMT lingo:
[https://github.com/wentasah/amtterm/blob/master/amttool](https://github.com/wentasah/amtterm/blob/master/amttool)

It's clearly using SOAP, and looks like you can choose between HTTPS or HTTP.
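
A defender-side inventory check that follows from the two comments above (AMT's web service speaking HTTP on 16992 and HTTPS on 16993), added here as an example and not code from the thread or from amttool: it asks a host you administer whether the AMT web server answers on either port, so you know what to block at the border or disable in MEBx. The port numbers are the standard AMT ones, the `Server: Intel(R) Active Management Technology <version>` header is assumed to be how AMT identifies itself, and the sample response is constructed.

```python
import re
import socket
import ssl

AMT_PORTS = {16992: False, 16993: True}  # standard AMT web ports -> TLS? (16993 is HTTPS)
# Assumed banner: AMT's embedded web server names itself in the Server header.
_SERVER_RE = re.compile(r"^Server:[ \t]*Intel\(R\) Active Management Technology[ \t]*([\d.]+)?",
                        re.IGNORECASE | re.MULTILINE)
# Constructed sample response, shaped like a redirect to AMT's logon page.
SAMPLE_RESPONSE = (b"HTTP/1.1 303 See Other\r\n"
                   b"Server: Intel(R) Active Management Technology 11.0.0.1139\r\n"
                   b"Location: /logon.htm\r\n\r\n")

def parse_amt_banner(raw: bytes):
    """AMT version ("" if none given) when the headers identify Intel AMT, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    m = _SERVER_RE.search(head)
    return None if m is None else (m.group(1) or "")

def fetch_banner(host: str, port: int, use_tls: bool, timeout: float = 3.0) -> bytes:
    """Send a minimal GET / and return the response up to the end of the headers."""
    req = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # AMT's default certificate is self-signed;
        ctx.verify_mode = ssl.CERT_NONE  # we only read a banner over this session
        sock = ctx.wrap_socket(sock, server_hostname=host)
    buf = b""
    with sock:
        sock.sendall(req)
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return buf

def check_host(host: str) -> dict:
    """Map each AMT port to the detected version, or None if closed or not AMT."""
    found = {}
    for port, use_tls in AMT_PORTS.items():
        try:
            found[port] = parse_amt_banner(fetch_banner(host, port, use_tls))
        except OSError:  # refused, timed out, or TLS failure (ssl.SSLError is an OSError)
            found[port] = None
    return found

if __name__ == "__main__":
    print(parse_amt_banner(SAMPLE_RESPONSE))  # 11.0.0.1139 from the constructed sample
```

Run `check_host("192.0.2.10")` (an address from the documentation range, substitute one of your own machines) and any port that comes back with a version string is one the border firewall must reject or the machine must have AMT disabled on.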

------
rphlx
> which probably means it's possible to use a malformed filesystem to get
> arbitrary code execution in the kernel.

I'll concede that there are some older vulns allowing that, but if you meant
for a reasonably up-to-date Linux or Win7+ system: reference needed.

~~~
mjg59
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4913](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4913), for instance?

~~~
rphlx
Thanks - didn't hear about that one.

~~~
mjg59
Filesystems are basically parsers that were only originally tested against
well-formed input. Upstream Linux developers will happily tell you that you
shouldn't allow untrusted users to mount filesystems (or trusted users to
mount untrusted filesystems…), but unfortunately that's not really an option
in the real world.

~~~
rphlx
Well, for the past 4+ years "arbitrary kernel code execution through mounting
a malformed FS" has been considered a major security issue, and a lot of
effort does go into finding and fixing stuff like that through fuzzing, code
audits, static analysis, etc. (for both Linux and Windows). I think it is fair
to say that this class of vulns is declining in frequency, with the rate of
discovery having peaked somewhere within 2008-2012.

~~~
mjg59
Eh. Bugs get fixed as they're found, but I don't see much evidence of it being
taken into consideration when adding new code (in Linux, at least - it
wouldn't surprise me if Windows were better in this respect).

~~~
tinus_hn
If the attacker just provides a file system that contains setuid shells or
unsecured device files, that's not really a bug and not remotely exploitable.
But it's still a vulnerability.

~~~
jabl
Hopefully filesystems mounted by normal users will have nosuid,nodev enforced
(whoever is responsible for this these days, policykit??). Please tell me I'm
correct...

------
JustinGarrison
If I have AMT enabled on systems that never leave my network and no ports are
forwarded through my firewall this should not be a problem. It could be a
problem if someone found a bug in my router and got through the router but I'd
be more concerned about IoT devices than AMT on a couple of desktops.

