The 2014 Pwnie Nominee For Best Server-Side Bug

IPMI: Sold Down the River

Credit: Dan Farmer

Who needs DROPMIRE, FEEDTROUGH, or a state intelligence agency budget to backdoor production servers when over 250,000 servers expose their IPMI interface to the internet, with countless more exposed internally, including products from vendors such as IBM, Dell, HP, and Supermicro? Ironically, Dan Farmer started his dismemberment of the IPMI specification as part of a DARPA Cyber Fast Track (CFT) project in 2012, but his original publication in 2013 was generally overlooked, and it wasn't until internet-wide scans confirmed what he suspected: hundreds of thousands of servers, which could otherwise be secure, were exposing their IPMI out-of-band management interface to the world. This kicked off a feeding frenzy of vulnerability research, leading to the discovery of numerous additional vulnerabilities in specific vendor implementations of the IPMI protocol.

Supermicro was by far the most exposed, with over 30,000 systems trivially rootable via a vulnerable UPnP library, numerous stack overflows in their web interface, and exposure of the clear-text administrative password of the device through a publicly accessible URL. IPMI, as both a standard and a typical implementation, has effectively become a persistent hardware backdoor across millions of deployed systems. The older version of the remote protocol (1.5) supports "null" authentication, while a large portion of new implementations (2.0) support "Cipher Zero", which also provides unauthenticated access as the user of your choice. Finally, baked into the IPMI protocol specification itself is an authentication protocol that will send you the unsalted MD5 hash of a given user's password during the challenge-response phase. Although Dan was not responsible for all of the results, he certainly deserves credit for identifying design-level vulnerabilities in a commonly deployed out-of-band management interface, and for jumpstarting efforts from a half-dozen other researchers. His latest research, "Sold Down the River", estimates that over 90% of exposed IPMI interfaces could be compromised through known protocol weaknesses and misconfigurations alone. IPMI is dead. Long live IPMI (exploits).
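The two protocol-level weaknesses above, "null" authentication in IPMI 1.5 and Cipher Zero in IPMI 2.0, are both visible on the wire, so a defender can spot them in UDP/623 traffic. The following detector is an added example, not code from the nomination or from Dan Farmer's work; the byte offsets are taken from the RMCP and IPMI 2.0 session header and Open Session Request layouts as I recall them from the spec, and the sample datagrams are constructed for the test.

```python
import struct

# Wire-format constants (assumed from the RMCP / IPMI 2.0 spec, not from the page).
RMCP_VERSION = 0x06
RMCP_CLASS_IPMI = 0x07
AUTH_TYPE_NONE = 0x00            # IPMI 1.5 "none" (null) authentication
AUTH_TYPE_RMCP_PLUS = 0x06       # IPMI 2.0 (RMCP+) session header
PAYLOAD_OPEN_SESSION_REQ = 0x10  # RMCP+ Open Session Request

def classify_ipmi_datagram(payload: bytes):
    """Return a finding for one UDP/623 datagram, or None if nothing weak is seen."""
    if len(payload) < 5 or payload[0] != RMCP_VERSION or payload[3] != RMCP_CLASS_IPMI:
        return None
    auth_type = payload[4]
    if auth_type == AUTH_TYPE_RMCP_PLUS:
        # 2.0 header: auth type, payload type, session ID (4), seq (4), payload length (2 LE)
        if len(payload) < 16:
            return None
        payload_type = payload[5] & 0x3F  # bits 6/7 are the encrypted/authenticated flags
        plen = struct.unpack_from("<H", payload, 14)[0]
        body = payload[16:16 + plen]
        if payload_type == PAYLOAD_OPEN_SESSION_REQ and len(body) >= 32:
            # Algorithm bytes sit at offsets 12 (auth), 20 (integrity), 28 (confidentiality)
            auth_alg, integ_alg, conf_alg = body[12], body[20], body[28]
            if auth_alg == 0 and integ_alg == 0 and conf_alg == 0:
                return "cipher-zero open session request, privilege 0x%02x" % body[1]
        return None
    if auth_type == AUTH_TYPE_NONE:
        # 1.5 header: auth type, session seq (4), session ID (4), message length (1).
        # Pre-session commands legitimately use session ID 0; a non-zero ID with
        # auth type 0 means an established session that never authenticated.
        if len(payload) < 14:
            return None
        session_id = struct.unpack_from("<I", payload, 9)[0]
        if session_id != 0:
            return "ipmi-1.5 null-auth session traffic, session 0x%08x" % session_id
    return None

def build_open_session_request(auth_alg, integ_alg, conf_alg, privilege=0x04):
    """Constructed test datagram; console session ID and tag values are arbitrary."""
    body = bytes([0x00, privilege, 0, 0]) + b"\xa4\xa3\xa2\xa0"
    for ptype, alg in ((0x00, auth_alg), (0x01, integ_alg), (0x02, conf_alg)):
        body += bytes([ptype, 0, 0, 0x08, alg, 0, 0, 0])
    header = bytes([RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_IPMI, AUTH_TYPE_RMCP_PLUS,
                    PAYLOAD_OPEN_SESSION_REQ]) + b"\x00" * 8 + struct.pack("<H", len(body))
    return header + body

# Constructed IPMI 1.5 datagram: auth type none, seq 1, session ID 0x1234, 7-byte message.
SAMPLE_NULL_AUTH_SESSION = (bytes([RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_IPMI, AUTH_TYPE_NONE])
                            + struct.pack("<I", 1) + struct.pack("<I", 0x1234)
                            + bytes([7]) + b"\x20\x18\xc8\x81\x00\x01\x7e")
```

Feed each UDP/623 datagram from a capture through classify_ipmi_datagram; a cipher-zero request or a 1.5 session running with no authentication is a configuration to fix on the BMC, regardless of who sent it.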
