SoylentNews is people
SoylentNews
Days after being announced, Tenable reverse engineered the Intel AMT Vulnerability. According to a blog post, the vulnerability is a backdoor dream. The AMT web interface uses HTTP Digest Authentication, which uses MD5. The problem is that partial matches of the hash are also accepted. Therefore, Tenable decided to experiment and while doing so:
[W]e reduced the response hash to one hex digit and authentication still worked. Continuing to dig, we used a NULL/empty response hash (response="" in the HTTP Authorization header).
Authentication still worked. We had discovered a complete bypass of the authentication scheme.
Long story short, for over five years, a complete and trivial bypass of AMT authentication has existed. If this wasn't an intentional backdoor, it is a monumental mistake in security and coding best practices. Regardless, the "backdoor" is now public. With Shodan showing thousands of unpatchable computers (as no patch is currently available, assuming they would ever be patched) exposed to the Internet, some poor IT sod is bound to show up to work some bad news on Monday.
(Score: 2) by The Mighty Buzzard on Sunday May 07 2017, @03:09PM (7 children)
Well, I suppose it could be. To each their own. I can come up with way better backdoor dreams though and nearly none of them would involve an Intel processor in any way.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Sunday May 07 2017, @03:48PM (4 children)
That's because you aren't a true hacker.
(Score: 0) by Anonymous Coward on Sunday May 07 2017, @04:36PM (3 children)
He may have been referring to the booty.
In other news, can someone summarize the fallout of this on an affected machine? As in, does the system need to be powered on and does it allow for arbitrary code delivery and execution, or must the system be online and are the operations restricted to specific management-style activities?
(Score: 2) by choose another one on Sunday May 07 2017, @04:55PM
I think the target system needs to be powered on and online otherwise a consent exception is automatically generated - I could be wrong though, haven't tried.
Payload is likely to be arbitrary but limited in size by the target system, operations restricted but may be less so depending on how the target system is setup (is it constrained or restrained, never can remember...). Either way, operations outside of usual agreed parameters may required retreating to safe distance afterwards and/or engagement of lawyers.
(Score: 0) by Anonymous Coward on Sunday May 07 2017, @07:55PM
He may have been referring to the booty.
https://www.youtube.com/watch?v=xECUrlnXCqk [youtube.com]
(Score: 2) by The Mighty Buzzard on Monday May 08 2017, @01:53AM
If your system is powered on and vulnerable, you are completely and utterly pwned as if the exploiter were sitting there with physical access to the box. Minus the physical bits.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Monday May 08 2017, @12:39AM (1 child)
I don't suppose they involve Natalie Portman and hot grits.
(Score: -1, Flamebait) by Anonymous Coward on Monday May 08 2017, @03:45AM
Natalie Portman
Why did you bring a jewess into the discussion?
I guess that could be because the jews are involved in this invasion of our privacy and the destruction of our freedom and what we build.