Slashdot Mirror
Intel's Remote Hijacking Flaw Was 'Worse Than Anyone Thought' (arstechnica.com)
An anonymous reader quotes Ars Technica:
A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday... AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string -- or no text at all...
"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme." A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion... Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware... The packets bypass the OS completely.
The article adds that Intel officials "said they expect PC makers to release a patch next week." And in the meantime? "Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers."
Saturday Ars Technica found more than 8,500 systems with an AMT interface exposed to the internet using the Shodan search engine -- over 2,000 in the United States -- adding that "many others may be accessible via organizational networks."
"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme." A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion... Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware... The packets bypass the OS completely.
The article adds that Intel officials "said they expect PC makers to release a patch next week." And in the meantime? "Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers."
Saturday Ars Technica found more than 8,500 systems with an AMT interface exposed to the internet using the Shodan search engine -- over 2,000 in the United States -- adding that "many others may be accessible via organizational networks."
"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote.
He and I have different definitions for the word "worked".
It must have been something you assimilated. . . .
Putting Internet accessible code running over the operating system was a terrible idea and this is the predictable outcome.The implementation was totally brain dead and wasn't even tested beyond "works in correct usage cases." This is the reason projects like Libreboot exist.
This is unlikely to be a deliberate backdoor, it's much more likely the result of a mistake. However, if you aren't going to buy anything that has had a remote code exec vuln, you should probably consider using pen and paper, exclusively!
(What? I get that security is hard and that sometimes there are unforeseen vulnerabilities. But... you can enter any text as the password, and it accepts it? Did no one at Intel test a wrong password at any point? This isn't a bug, this is outright negligence.)
The article is a bit confusing regarding this, but no, you can't send an empty password. That's because when a browser does digest authentication it doesn't actually send the password, or even a password hash, to the web server.
The browser sends instead a response MD5 hash computed on a string composed of various items, including a variable nonce sent by the server, in addition to the password, for example:
response=MD5(MD5(username:realm:password):nonce:MD5(method:digestURI)) ... entication
https://en.wikipedia.org/wiki/Digest_ac
This means a normal browser would never send an empty response, even when you enter an empty password. It would always send a 32 hex digit MD5 hash looking like this:
response="6629fae49393a05397450978507c4ef1"
The server would then compute the same hash, and compare them. If they are equal, it allows login, if they are different it denies login.
The bug was in the code to compare the two strings. It used the strncmp function that compares the first N characters of two strings:
strncmp(string1, string2, N)
http://www.cplusplus.com/reference/cstring/strncmp/
And applied it to the computed hash and the hash response received from the browser, with N set to the length of the response received from the browser, so something like:
strncmp(computed_hash, response, strlen(response))
So when it compared a real hash generated by a browser it would do something like:
strncmp("6629fae49393a05397450978507c4ef1","d3d4914a43454b159a3fa6f5a91d801d", 32)
This would work just fine for hashes sent by the browser, which are always 32 characters in length. Even if the password field is empty, it would compare the two strings, they wouldn't match, and it would reject the empty password or invalid password.
So anyone testing this from a browser would find it works perfectly.
The problem is what happens if you don't use a browser, but you generate an invalid request manually or using a proxy to alter the response, sending an empty string instead of the 32 character hash. Then the compare code does this:
strncmp("6629fae49393a05397450978507c4ef1","",0)
This means the function will compare the first 0 characters between the two strings. So it is equivalent to:
strncmp("","",0)
Of course, two 0 length strings are equal, so it wrongfully concludes the hashes are equal.
What the programmer should have done is check if the hash coming from the browser has the correct length, 32 characters, before attempting to compare the two strings.
Or even better, the programmer should have used the proper string comparing function, strcmp, that already does that for you and you don't need to supply a length parameter, like this:
strcmp(string1, string2)
http://www.cplusplus.com/reference/cstring/strcmp/
When companies will bear responsibility for flaws in such features, as AMT encrypted and obfuscated from 3rd party analysis and management, and enabled by default, and for such screw ups they will pay hefty fines, they will think twice, before making features work such way.
see e.g. https://hardware.slashdot.org/story/15/01/29/2241214/fsf-endorsed-libreboot-x200-laptop-comes-with-intels-amt-removed
Moneyquote:
But hey, the FSF and Stallman are just overreacting hippies right? RIGHT?
You know, a really well-crafted backdoor will look exactly like this. When they are found out they can still say "Oops! My bad" then.
Russian and Chinese government agencies have been passively or actively promoting the development of a domestic semiconductor industry.
Err... no?
systemd is Roko's Basilisk.
Any way to disable this in Linux?
It is time to finally star holding engineers criminally and civilly liable, ...
Force them to chose between risking jail for a bug or being fired for not following the Pointy Haired Boss' instructions to skip the tetsting and get the damn thing delivered?
What a great idea. Put most of the engineers who would actually do what you want out of work and leave the field to those to dumb to notice or too psychopathic to care.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Interesting info, APK.
I have a Q170 chipset board at home and it's supposedly vulnerable, but I like having the ability to remotely control my PC (Server) from bootup to bios to Windows. If it's on a home network behind a firewall, this shouldn't matter.
This is what all backdoors look like. "Ooops, we accidently encrypt and decrypt the password and write it out at the end of the file". "Whoops, we missed out a break statement in the selection of the encryption algorithm, it always defaults to the legacy easily broken encryption method". "Oh, shooot, we forget to add the menu option to the router to filter out multicasts, anyone can send a SSDP multicast to that address and get a list of hosts returned."
Like Microsoft's Windows OS firewall doesn't allow blocking of Microsoft telemetry servers. Wonder why? What could be so harmful in blocking a data stream of a few hundred bytes/second?
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
No, Intel AMT runs completely independently of the operating system. It doesn't matter whether the operating system is Windows, Linux, BSD, or anything else.
In fact, it's even worse. Intel AMT can still be running while the computer is off (but still plugged in). See
https://fsf.org/blogs/community/active-management-technology
Let me say it again: your computer can be pwned while it's off! You don't need to have anything running at all, because Intel AMT keeps running in the background as long as the machine is plugged in.
I think you miss the point. It runs at the most basic hardware level, if it's enabled and supported by your motherboard. Having to install extra software to enable it suggests your motherboard does not directly support it, so this test is meaningless. It does not require additional software to work....
" AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string -- or no text at all..."
I find it hard, very very hard, to believe that this was an accident or just the result of stupid coding. This was either deliberate or was some carefully planned subversion somewhere along the tool chain.
Just cruising through this digital world at 33 1/3 rpm...
In case you were wondering, AMT allows you to access the screen, keyboard, and mouse of your machine through VNC as if you had a network KVM on that machine. It seems to use the VNC protocol even. Network KVMs are expensive specialty items, and something like AMT is a cleaner, simpler way of accomplishing the same thing.
It's a shame Intel messed up and gave this feature a bad name. I hope they'll fix the problems and/or other motherboard makers will come out with a safer and improved version of it.
However, if you aren't going to buy anything that has had a remote code exec vuln, you should probably consider using pen and paper, exclusively!
Uh, a computer with no OS installed should never have a vulnerability. Ever.
It's not a hard thing to do, there are plenty of models that have succeeded, even from crappy companies like Compaq.
If you're going to release something that allows hackers to have ultimate, undetectable control over the computer, you better give it a security audit. All indications are that Intel does not have proper security processes for their systems. This is just one example.
"First they came for the slanderers and i said nothing."
Now one wonders what great "security features" Intel has places in their network cards, chipsets and CPUs. This really is on the most stupid level possible. They cannot even have done an internal review of this code that deserves the name before putting it into production.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The employers aren't currently held responsible either.
The problem is that the developers have no power over management to make them do the right thing. Unless and until they do, it isn't reasonable to hold them responsible. They can't make their employer do QA tests, they can't make the employer push the schedule back, and they can't prevent the premature release of a product.
One of our devices comes with control port open; you can enter commands and they will be executed according to your privileges. Besides "login" very few commands should work for the default user... except external software interacting with the device still doesn't support logging in, so the default privileges are set to maximum. You can still log in... to lower your privileges.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
You've clearly got some hackneyed version of it as it runs without drivers on supporting hardware. Sounds like you've got some sort of winmodem-style version of this. Read the summary...
Indeed.
This is yet another security bug produced directly by the archaic C programming language. If this had been any other language the bug wold not have happened, despite the incompetent programmer. Null terminated strings! Wild pointer usage!
C is evil.
This much more common mistake than one might think. A *lot* of applications will accept an empty password. It's one of the more common of the 90,000 or so vulnerabilities that we test for.
Programmers get so focused on making things work, 95% of the testing they do is geared toward that, toward doing whatever is supposed be used for, given correct input. They forget to test the negative - what does it do with incorrect input? If a program retrieves a web page, what if it's empty? What does a searching or sorting program do when asked to aort or search an empty list, or a list of just one item? That stuff doesn't get tested much.
strncpy is just broken. Period.
It should complain if there is no null termination in the first string. The code should work, it just does not work around the bug in strncpy.
Very much like strncpy not adding a null if it is N long.
Lots of C grade rubbish that we still live with.
Active Management Technology... it sounds so much like ActiveX, and equally porous it would seem.
When all you have is a hammer, every problem starts to look like a thumb.
and
So a remote exploit could just consist of power cycling to boot from a external boot image. Only OS requests are sent to the OS, everything else is supposed to be caught at the hardware level.
We succumb to the overlords when we use proprietary software!
If you blocked them internally, your LAN was never vulnerable so I'm not quite sure what your point was. This is mainly aimed at the (relatively) small set of servers that may have these features in hardware and enabled, not home users. All you've showed was that you managed to enable a software based version of the vulnerability and then disable it in software.
The Discovery Tool from Intel is a Windows executable. So how about the rest of us, Intel? Are our Intel CPUs vulnerable?
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
Context matters. If I recall correctly, I go on to point out that no matter how good your work may or may not be, your toxic personality makes everything you touch toxic as well. Sort of like a serial killer chef who makes the most wonderful of soufflé... which just so happens to be lethal within an hour of consumption.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Perhaps I wasn't clear. I mean internal port blocking at a switch level. Hardening windows will do nothing against the exploit proper. Blocking these ports at a hardware level is a mitagation until the firmware is patched.
Yes, secure for decades by the virtue that the processor predates the features(2008ish).
The Intel-recommended "mitigation" until the patch is released involves "Unprovisioning clients". What the ___ does that mean? They provide software to do it, but what exactly are the effects? (And yes, I did a web search, but it was unenlightening.) There is a wikipedia article here
https://en.wikipedia.org/wiki/...
on "provisioning", but it talks about seven different kinds of provisioning, and it's not clear which one the Intel doc is talking about. Nor is it clear from reading that article what the effects of UNprovisioning would be. Loss of ability to go on the web? Inability to download antivirus updates? Is it reversible, when the fix from Intel comes out? (and if a computer is "unprovisioned", can you even get the fix from Intel when it comes out?)
When I was looking at buying a Dell or HP laptop a couple years ago, they both gave me the choice of disabling vPro. AMT is a subset of vPro. So you could disable it if you wanted. Not sure why anyone would choose to have it enabled. And from what I've read, if you have them disable vPro at the factory, it's not possible to enable it later.
Literally avoiding the issue that you weren't vulnerable anyway until you installed some other software. Perhaps you should have blocked the Intel site with some sort of hosts file?
This is what all backdoors look like.
And perfectly executed assassinations look like accidents, but it's still more likely that grandpa just had a heart-attack.
The point -- as to whether it's likely -- stands.
Trust also matters and a security "professional" who stabs someone in the back after supposedly reaching an understanding (the way you did me) is not trustrowthy. Neither is their software.
You may be winning in your own mind, but when you do so by violating trust you're destroying your own brand. Security is a trust-based market and nobody trusts you.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Programmers are not considered "professionals" by standard bodies. They do not have the power or responsibility to reject or overrule management. If management wants to cut corners, reduce testing, end run around process etc. Then there is basically nothing they can do about it other than quit.
To make programmers liable would result in a massive change in the industry. With the most noticeable impact being a dramatic increase in TTM and a massive blowout in costs. The industrial lobby would never allow this to happen. Nations that do not subscribe to these responsibility requirements will almost instantly become the new IT super shops.
By making the company and not the developer liable you enable countries to actually have an IT industry.
Civil engineering must occur in each nation. Software development does not. This simple fact makes liability very difficult to implement. Second reason is the calculation of damages. With civil engineering the cost of a problem is relatively easy to calculate. In IT systems where most companies hide the impact of a fault the ability to calculate impact cost is near impossible. Thus to compare civil eng with software dev is not a good comparison.
Why don't we just quote the entire post ? That gives a lot mofe context regarding what lead up to that comment, as well as what followed
Such a "trustworthy" guy you are, no? The thread that comment came from, and what your troll brigade did to my karma immediately following it (which I recovered from in less than a week, mind you, because people seem to actually like having me here for whatever reason), really bear out how much trust you and your software deserve.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
That's a good question. Perhaps, if you managed to create an environment where tests are expected and used in useful way, one could add an expectation to have an equal number of "not" tests, of tests showing what happens when input is not good, that the software does not do things when it shouldn't. That may get developers more into that frame of mind. The famous "goto fail" might have been avoided.
Mature software development includes peer review followed by QA testing. Perhaps mature software development should include security review and security testing. Just as you do peer review, have a security-focused person look over the code and run a test. Not just to catch issues, though it'll do that, but so the feedback helps developers think about those types of issues in the future.
A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone.
Given the gazillions of computers on the Internet, that number is extremely small.
How is the RISC-V platform in performance? Aside from the potential option of tossing 16 cores into a CPU? That, or the OpenRISC CPU - either of them should be able to satisfy one's requirement. Port FreeBSD onto that, and one has a solution
You say 1 thing quoted above & now something else
Actually, as supported by evidence (e.g. the post you quoted, which I linked to), the "something else" you're claiming I'm just now saying was said in the very same post you are quoting out of context. That was my entire point.
Reading through that conversation again did remind me of something, though. I shouldn't be speaking with the dead so, good day, sir. Enjoy the afterlife.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
such a complete exploit, it seems more like it was put there deliberately for the government to access...
it makes no sense such exploit could come about by accident.
obamasweapon.com
Agreed, it's pointless blaming the developers when they are not the ones calling the shots. I have worked at a couple companies where the deadline for release was set in stone, regardless of ANYTHING else. The project went live and our currency ended up taking a bit of a dip because of the fvck up it caused on the stock exchange (and no, I was not part of THAT project thank god!). Also programming is NOT the same as engineering. Most engineering projects are planned WAY WAY better than 99.999% if I.T. projects, which makes it easier to hit the dead line etc. Now I am not an engineer (well, I was studying for it many moons ago, but I got sidetracked into software) so I may stand corrected, but I am pretty sure most engineering tasks don't hit a snag and grind progress down to a crawl. Look I am sure there are exceptions, but I have encountered weird ass bugs that take forever to hunt down, that was not part of the original project plan!
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
You've wasted your time with apk. He's never had a technical conversation, it's all fucking non-related hosts bullshit. He makes up a lot of shit. He really should have more supervision.
I had had a few beers and wanted to see how far he'd argue his nonsense :D
Perhaps more to the point, employers aren't willing to pay for the planning stage. It's even worse for contract programming where they want a time table and a firm price before they've even hired you. There's no way that what should be 50 to 90 percent of the total project is going to be done for free up front and not get corners cut. If you add in enough fudge factor to get the planning in after signing, someone will inevitably undercut your bid and do a crap job of planning.