IPMI: Understanding Your Server s Remote Backdoor

Similar documents
How To Protect Your Computer From Being Hacked By A Hacker (For A Fee)

Out-of-Band Network Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Vulnerability Assessment and Penetration Testing

Penetration Testing with Kali Linux

Virtualization System Security

HP ProLiant Lights-Out 100c Remote Management Cards Overview

Criteria for web application security check. Version

QuickSpecs. Models. HP ProLiant Lights-Out 100c Remote Management Cards Overview

Check list for web developers

Dell Client BIOS: Signed Firmware Update

Network and Host-based Vulnerability Assessment

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

What is Web Security? Motivation

Lecture 15 - Web Security

Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management

CS 558 Internet Systems and Technologies

Application Design and Development

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Hardware Backdooring is practical. Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian)

"EZHACK" POPULAR SMART TV DONGLE REMOTE CODE EXECUTION

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Locking down a Hitachi ID Suite server

The role of Access and Control in DCIM

McAfee Web Gateway 7.4.1

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Who is Watching You? Video Conferencing Security

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset)

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Web Application Security

Sample Report. Security Test Plan. Prepared by Security Innovation

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

IPMI overview. Power. I/O expansion. Peripheral UPS logging RAID. power control. recovery. inventory. Hugo CERN-FIO-DS

Thick Client Application Security

MEGARAC XMS Sx EXTENDIBLE MANAGEMENT SUITE SERVER MANAGER EDITION

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Exploiting hardware management subsystems

Secure Remote Password (SRP) Authentication

Ulteo Open Virtual Desktop - Protocol Description

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Chapter 1 Web Application (In)security 1

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Hacking Database for Owning your Data

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Gigabyte Content Management System Console User s Guide. Version: 0.1

State of Security. Top Five Critical Issues Affecting Servers. Decisive Security Intelligence You Can Use. Read Our Predictions for 2013 and Beyond

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Security

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Post-Access Cyber Defense

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

How to hack a website with Metasploit

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

The Trivial Cisco IP Phones Compromise

Stanford Computer Security Lab XCS. Cross Channel Scripting. Hristo Bojinov Elie Bursztein Dan Boneh Stanford Computer Security Lab

IPMI++ Security Best Practices

Virtually Secure. a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Honeypots & Honeynets Overview. Adli Wahid Security Specialist, APNIC.net adli@apnic.net

Where every interaction matters.

Oracle Virtual Desktop Infrastructure. VDI Demo (Microsoft Remote Desktop Services) for Version 3.2

Summary of the SEED Labs For Authors and Publishers

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Server Management with Lenovo ThinkServer System Manager

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Penetration: from Application down to OS

A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions

Project X Mass interception of encrypted connections

Attack Vector Detail Report Atlassian

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

System Area Manager. Remote Management

Computer Security SEGC-00 - Overview

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

Security Testing in Critical Systems

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The QueueMetrics Uniloader User Manual. Loway

Shellshock. Oz Elisyan & Maxim Zavodchik

D. Best Practices D.1. Assurance The 5 th A

Adobe Systems Incorporated

STABLE & SECURE BANK lab writeup. Page 1 of 21

Web Application Report

EECS 354 Network Security. Introduction

Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

What is Really Needed to Secure the Internet of Things?

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Security A to Z the most important terms

Transcription:

IPMI: Understanding Your Server s Remote Backdoor Anthony J. Bonkoski abonkosk@umich.edu SUMIT 2013

What is IPMI? Need to manage a massive cluster of servers? Operating system installs Monitoring Power cycling Remote Virtual Desktop Impractical to physically administer each machine

What is IPMI? Intelligent Platform Management Interface (IPMI) Specification by Intel: Adds a second computer Always on Acts as a gateway to the machine Integrated directly into the system buses (e.g. I 2 C) Image Copyright: Ulfbastel, License: GFDL 1.2+/CC BY-SA 3.0

What is IPMI? Several Brand Names: HP ilo Dell idrac Sun/Oracle ilom Lenovo/IBM IMM SuperMicro IPMI ATEN IPMI MegaRAC Avocent IPMI Image Copyright: Ulfbastel, License: GFDL 1.2+/CC BY-SA 3.0

What is IPMI? Second Computer: Baseboard Management Controller (BMC) Image Copyright: U. Vezzani, License: CC BY-SA 3.0

Typical IPMI Implementation System Embedded on Motherboard or Expansion card CPU: ARM/MIPS or other low power embedded CPU OS: Linux or a lightweight real-time OS Extra OEM Features Remote Virtual Console Remote Media High network connectivity incl. HTTP and SSH.

Motivation IPMI is the perfect spying backdoor Always on and often pre-enabled. NIC failover* Powerful Remote Tools Widespread deployment: 100,000+ on public IPs millions on private networks It s an embedded system......often, security is an after-thought! *As seen on our SuperMicro ATEN-based IPMI

Motivation But IPMI is not new: IPMI 1.0: 9/16/1998 IPMI 1.5: 3/1/2001 IPMI 2.0: 2/14/2004 Why do we care now? Most servers ship with IPMI and often pre-enabled Many vendors add special features in addition to the base specification: SSH, Remote KVM, Remote Virtual Media, HTTP, etc. Today s IPMI is not your grandfather s *As seen on our SuperMicro ATEN-based IPMI

Recent Developments Dan Farmer January 2013: Starts publicly denouncing IPMI IPMI: Freight Train to Hell : lots of conjectures Hidden backdoor debugging web page on Dell idrac Could gain root over ssh

Recent Developments Dan Farmer IPMI Specification is broken 1) Cipher-0 allows a user to bypass crypto, and login to BMC locally as admin 2) IPMI 2.0 RAKP Password Hash Retrieval Attacker can retrieve any user s password hash and crack it offline 3) Anonymous authentication 4) Cleartext passwords for calculating authentication hash

Our Work Lets look inside the black-box: We reverse-engineered a popular OEM s firmware We examined the web interface implementation Paper Illuminating the Security Issues Surrounding Lights-Out Server Management Anthony Bonkoski, Russ Bielawski, and J. Alex Halderman Published in Usenix Workshop on Offensive Technologies (WOOT) 2013

Supermicro IPMI Supermicro SYS-5017C-LF IPMI Firmware by ATEN Technology HTML / JavaScript CGI (written in C) Linux 2.6.17 Firmware version 1.86 (build date: 11-14-2012) Nuvoton WPCM450 ARM-based BMC

Supermicro Web Interface

Supermicro SSH Interface Backend: Highly modified fork of Dropbear Frontend: Systems Management Architecture for Server Hardware Command- Line Protocol (SMASH)* Notice: a system admin has no access to underlying Unix shell *Distributed Management Task Force (DMTF) specification: dmtf.org/standards/smash

Reverse Engineering Approach Fetch firmware from OEM website. Scan and unpack: binwalk Mount filesystems

Reverse Engineering Approach Exploring Code: 1) Client-side Javascript 2) Disassembling server-side Looking for the Classics: 1) Insecure Input Validation 2) Shell Injection 3) Buffer Overflows

Input Validation All input validation and permission checking is...in client-side javascript function PrivilegeCallBack(Privilege){ // full access if(privilege == '04'){ issuperuser = 1; } // only view else if(privilege == '03') { var_save_btn.disabled = true; } // no access else { alert(lang.lang_noprivi); } }

Input Validation Server-side? No permission checking. No escaping of input passed to shell. No string length checking in CGI. Server only creates a session token!

Input Validation We can send any input to the CGI programs...even `rm -fr /` Will it get executed? Let s look for calls to system(). 15 of 67 CGI programs made calls to system().

Shell Injection Confirmed shell injection in config_date_time.cgi:

Shell Injection Confirmed shell injection in config_date_time.cgi:

Shell Injection Confirmed shell injection in config_date_time.cgi: Getting command output Redirect to /nv/system_log. Issue GET request to system_log.cgi.

Shell Injection Confirmed shell injection in config_date_time.cgi: Getting command output Redirect to /nv/system_log. Issue GET request to system_log.cgi. Create a psuedo-terminal Wrap POST and GET requests in a python script. root@ipmi #

Shell Injection Does this give an attacker full remote access? Not quite. This attack requires a user account.

More reverse engineering // login.cgi int main(void) { char name[128], pwd[24]; char *temp ; //... initialize... temp = cgigetvariable("name"); strcpy(name, temp); temp = cgigetvariable("pwd"); strcpy(pwd, temp); //... authenticate user... }

More reverse engineering // login.cgi int main(void) { char name[128], pwd[24]; char *temp ; //... initialize... temp = cgigetvariable("name"); strcpy(name, temp); temp = cgigetvariable("pwd"); strcpy(pwd, temp); //... authenticate user... } Buffer Overflows! In the login page!

Buffer Overflows No length validation?

Buffer Overflows No length validation?

Buffer Overflows No length validation?

Buffer Overflows No length validation?

Buffer Overflow Exploitability Buffer-overflow defenses?

Buffer Overflow Exploitability Buffer-overflow defenses? No DEP (Stack and Heap are executable).

Buffer Overflow Exploitability Buffer-overflow defenses? No DEP (Stack and Heap are executable). No Stack Canaries.

Buffer Overflow Exploitability Buffer-overflow defenses? No DEP (Stack and Heap are executable). No Stack Canaries. Limited ASLR. (Stack/Heap base addresses are randomized, but dynamic libraries are not. Return-to-libc works.)

Exploitation Challenges Stack memory addresses are randomized (ASLR)....but, only 12 bits are random. Just 4096 possibilities.

Exploitation Challenges Stack memory addresses are randomized (ASLR)....but, only 12 bits are random. Just 4096 possibilities. We gain control on the return from main(). Stack is small: shellcode must be compact.

Exploitation Challenges Stack memory addresses are randomized (ASLR)....but, only 12 bits are random. Just 4096 possibilities. We gain control on the return from main(). Stack is small: shellcode must be compact. BMC crashes and reboots if pounded too hard with requests.

Buffer Overflow Exploit Solutions Store the shell command in the name buffer. Brute force through the stack randomization. Limit the time between brute-force iterations. Avg. search time: ~7 min.

Buffer Overflow Exploit Solutions Store the shell command in the name buffer. Brute force through the stack randomization. Limit the time between brute-force iterations. Avg. search time: ~7 min. Payload Fetch (wget) and install modified SSH daemon. Forks root shell on incorrect password. Only 2 instructions changed! root@ipmi #

Vulnerable Models Cursory check of all Supermicro IPMI firmware downloads as of May 23, 2013. 30 of 64 images appear vulnerable. 135 device models. Vulnerability disclosed to CERT Vulnerability Note VU#648646. Supermicro says they have a fix, but we haven t directly verified. Possibly affects other ATEN-based products.

The Impact So, rooting this device is easy! But, what are the implications? Yet another broken embedded system?

The Impact Only as secure as our weakest component. Entire system is now vulnerable! Adding an entire computer only weakens.

IPMI for Evil BMC-based spyware and botnets

IPMI for Evil BMC-based spyware and botnets Rooted BMC Rooted host system Mount a custom OS and reboot.

IPMI for Evil BMC-based spyware and botnets Rooted BMC Rooted host system Mount a custom OS and reboot. Rooted host system Rooted BMC Re-flash the BMC with malicious code.

IPMI for Evil BMC-based spyware and botnets Rooted BMC Rooted host system Mount a custom OS and reboot. Rooted host system Rooted BMC Re-flash the BMC with malicious code. BMC rootkits A backdoor that survives potentially forever.

IPMI for Evil BMC-based spyware and botnets Rooted BMC Rooted host system Mount a custom OS and reboot. Rooted host system Rooted BMC Re-flash the BMC with malicious code. BMC rootkits A backdoor that survives potentially forever. A scary thought IPMI meets Matrix Is your IPMI just emulated? How do you know?

Network Measurements Scanned all public IPs on May 7, 2013 using ZMap. Downloaded all X.509 certs from HTTPS servers. Used identifying characteristics of default certificates. Details on identifying characteristics may be found in our paper

Network Measurements Scanned all public IPs on May 7, 2013 using ZMap. Downloaded all X.509 certs from HTTPS servers. Used identifying characteristics of default certificates. Could root all these in parallel in minutes! Details on identifying characteristics may be found in our paper

Defenses For System Operators Never attach your IPMI device directly to the Internet. Use an isolated management network or VLAN. Change default passwords and certificates. Disable IPMI if you don t need it. Unfortunately: we re at the will of the Vendor

Lessons A Culture Clash? Embedded Internet IPMI: hopefully a climax

Lessons

Future Work Analysis of other vendors implementations Dell, HP, Lenovo, Oracle, etc. Firmware update exploitation Can an attacker inject a backdoor that persists? Across BMC reboot? Across BMC flashes? Forever? IPMI honeypot Unclear whether attackers are exploiting these devices in the wild. Some anecdotal evidence of their use as spambots. Are they being used for other malicious purposes?

Conclusions IPMI serves a vital role for system management. Carries elevated risks, potential for powerful attacks. At least some vendors are getting it badly wrong. Farmer is correct: IPMI is a serious concern. Our work: A call to arms.

IPMI: Understanding Your Server s Remote Backdoor Anthony J. Bonkoski abonkosk@umich.edu SUMIT 2013

Zmap Scan Details Vendor SuperMicro Dell HP Identifying Characteristics Subjects containing linda.wu@supermicro.com or doris@aten.com.tw Subject containing idrac Subjects containing CN=ILO and issuers containing ilo3 Default Issuer or Hewlett Packard *Landing pages spot-checked for false positives

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information