alt3rn1ty

Intel Management Engine Exploit

8 posts in this topic

Anyone reading this, study it a bit more than you usually would. If this is not your kind of thing... still study it.

The more you understand about this problem the more your jaw will drop.

First do a google search for "Intel Management Engine Exploit"

Now you are not just taking my word for it. Have a listen to the Security Now video episode 611 (go to time 13:15, just after the Cloudflare ad blab).

 

Summary: Imagine if Intel had put an extra chip on all motherboards for a few years, and kept its use / capabilities secret. And this little engine could be remotely connected to without your knowledge, regardless of the OS that is installed, no matter what state the machine was in (it would need power, but the machine could be off/standby). It also does not matter what OS the machine is running, so even a Linux machine could be taken over.

There is nothing you can do about the chip on your motherboard (apart from buying another machine and hoping it hasn't got one in future), but there are some steps that can be taken to close down the service on your machine, which I think is what enables the remote exploit of your machine, hooking an attacker up with your machine's secret little addition and giving them complete ownership of your machine, while you are clueless about what they are doing.

I just went through the procedure Disabling Intel AMT, and even though I found only one of them had the dedicated driver set up (if you have any drivers with Intel ME in the name of the driver, you probably want to uninstall that too), all four of our laptops in the house had the AMT services running quietly in the background.

See also the SN Show Notes PDF https://www.grc.com/sn/SN-611-Notes.pdf

 

But if nothing else, have a look over Disabling Intel AMT on Windows.

Note the first command you run (ACUConfig.exe UnConfigure) can take a while to complete; be patient, the command prompt will come back when it's done.

This is one badass exploit. If you don't feel comfortable with some of the commands and "navigating" in a command prompt, get the family geek.

I don't think Microsoft Windows Updates will be able to do anything about it, because it's Intel hardware, unless Windows / Linux can specifically target and nobble the software and services installed?

The Security Now podcast mentions a BIOS update on a few occasions... But I can't see a BIOS update being able to update this firmware... Because it's a different chip... Maybe he means something similar to a BIOS update that's fed to all machines out there via official updates, or Intel just remotely controls everyone's machines to do it if that's possible, who knows.

It's certainly going to be a tough problem to solve for everyone who has not read such articles.

 

Anyway, you now have as much information as I do. Follow the links and read; I can't explain it any better or offer advice on what you do with your machine. Some of the above may be inaccurate at this time, so watch out for updates to the linked info.

One other thing to be wary of: typically laptops (and even desktops) may have their own software which keeps your drivers up to date automagically (well, until the machine is no longer supported and your machine silently and slowly goes more and more out of date and you didn't know)... Would such software notice you have disabled any installed Intel Management Engine services and software, and re-install it for you.... :(


@Alt: Thanks for the heads up.

From the show notes:

Quote

So we searched and found a software package for installing LMS on Dell's website. After LMS was installed, we were able to configure/provision AMT on the computer, giving us access to AMT via the web interface.
 
So... in other words, AMT could not be accessed by Intel's tool from within Windows without the interfacing LMS service present and running.
 
The Intel Management Engine / AMT ports:
 
● 16992: Intel AMT HTTP Used for WS-Management (Web Services Management) messages to and from Intel AMT. This port is open over the network only when Intel AMT is configured or during the configuration process. Starting with Release 6.0, the port is optionally open when TLS is enabled. The port is always open locally. (But may NOT be open to the Network.)
 
● 16993: Intel AMT HTTPS Used for WS-Management messages to and from Intel AMT when TLS is enabled.
 
● 16994: Intel AMT Redirection/TCP Used for redirection traffic (SOL, Storage Redirection, and KVM using Intel AMT authentication). Enabling the redirection listener enables this port.
 
● 16995: Intel AMT Redirection/TLS Used for redirection traffic (SOL, Storage Redirection, and KVM using Intel AMT authentication) when TLS is enabled. Enabling the redirection listener enables this port.
 
● 623: ASF Remote Management and Control Protocol (ASF-RMCP) Used for RMCP pings. This port is a standard DMTF port and accepts WS-Management traffic. It is always enabled.
 
● 664: DMTF out-of-band secure web services management protocol ASF Secure Remote Management and Control Protocol (ASF-RMCP) Used for secure RMCP pings. This port is a standard DMTF port and accepts secure WS-Management traffic. It is always enabled.
 
● 5900: VNC (Virtual Network Computing) - remote control program Used for KVM viewers that do not use Intel AMT authentication but use the standard VNC port instead. See Working with Port 5900 and Changing the Default KVM Port Setting.

and

Quote

What could an attacker do after gaining access to the AMT services?
 
Intel AMT provides the ability to remotely control the computer system even if it’s powered off while electrically connected to power and the network.
 
Also, Intel AMT is completely independent of OS installed on the computer system. This technology allows OSes to be remotely deleted or reinstalled and there are a number of possible attacks:
 
KVM (remote control of mouse keyboard and monitor) can be used to remotely perform any common physical actions (with mouse, keyboard) that would be done physically at the computer. So any program could be remotely loaded and executed and any files read or written.
 
IDE-R (IDE Redirection) allows the boot device to be remotely changed to another device or to a virtual drive image sourced locally or remotely.
 
SOL (Serial over LAN) allows remote control of power, reboot, reset and more. The BIOS settings can also be accessed and modified.
 

Feeling better now? As Anthony Quayle used to say on The Evil Touch:

Pleasant Dreams!
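Pulling the first post's procedure (check for the LMS service and Intel ME drivers, then stop the service) and the port table quoted above into one read-only audit. This is an added example, not from the thread or the show notes; it assumes the Windows service is registered under the name 'LMS' (the name the show notes use) and only stops/disables it when run with -Disable.

```powershell
# Added example: audit a Windows host for the Intel AMT / LMS footprint
# described in the thread. Read-only unless -Disable is given.
# Assumption: the Local Management Service is registered as 'LMS';
# adjust $LmsServiceName if your machine names it differently.
param([switch]$Disable)

$LmsServiceName = 'LMS'

# Port table taken from the show notes quoted above.
$AmtPorts = @{
    16992 = 'Intel AMT HTTP (WS-Management)'
    16993 = 'Intel AMT HTTPS (WS-Management over TLS)'
    16994 = 'Intel AMT Redirection/TCP (SOL, storage redirection, KVM)'
    16995 = 'Intel AMT Redirection/TLS'
    623   = 'ASF-RMCP (always enabled)'
    664   = 'ASF Secure RMCP (always enabled)'
    5900  = 'VNC port used by KVM viewers without AMT authentication'
}

# 1. Is the Local Management Service installed, and is it running?
$lms = Get-Service -Name $LmsServiceName -ErrorAction SilentlyContinue
if ($lms) {
    Write-Output ("LMS service: {0} (startup type {1})" -f $lms.Status, $lms.StartType)
} else {
    Write-Output 'LMS service: not installed'
}

# 2. Intel Management Engine drivers (the first post suggests removing these too).
Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*Management Engine*' } |
    ForEach-Object { Write-Output ("ME driver: {0} ({1})" -f $_.DeviceName, $_.DriverVersion) }

# 3. AMT ports the host itself is listening on. Only ports proxied by LMS show
#    up here; the ME answers network-side AMT traffic below the OS, so a clean
#    result here does NOT prove the ports are closed on your LAN. Verify from a
#    second machine on the same network as well.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $AmtPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        Write-Output ("Listening {0}:{1}  {2}" -f $_.LocalAddress, $_.LocalPort, $AmtPorts[[int]$_.LocalPort])
    }

# 4. Optional: stop and disable LMS. Run 'ACUConfig.exe UnConfigure' first,
#    as the thread describes, so AMT itself is unprovisioned, not just the proxy.
if ($Disable -and $lms) {
    Stop-Service -Name $LmsServiceName -Force
    Set-Service  -Name $LmsServiceName -StartupType Disabled
    Write-Output 'LMS stopped and set to Disabled'
}
```

Run it from an elevated PowerShell prompt; the driver and listener queries need administrator rights on most systems.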

 


Yep, I thought other people would be interested in knowing about this beauty. I think once the service is stopped (and disables access to the chip and its functions), and if your machine is sat behind a NAT firewall, which most home routers have these days, it's not easily ping'able from the web. So doing those disable commands should do the trick.

I wonder if an ISP-provided router (which can see individual machines within a household) would allow an ISP, at the request of government, to access specific machines via this hardware. Glad I bought my own router, and bypass the ISP-forced DNS servers (their routers do not allow you to specify your own DNS servers), which British Telecom does to all of its customers.

I reckon it won't be long though before malware and already bot-leveraged ownership of people's machines will be making even more use of this hardware now the cat's out of the bag. All they need to do is reverse engineer the Intel ME driver software, learn its hooks and install itself to this hardware, and you have one (probably impossible to remove) hell of a rootkit: "sob is dug in like an Alabama tick".


I feel so much better now about running that separate firewall which allows nothing to get through it either way unless I specify it as allowed. Every connection in my house goes through it. Yeah, it has been a huge PITA over the years to configure because nothing has worked out of the box, but this reminded me of its advantages.

4 hours ago, NightStar said:

I feel so much better now about running that separate firewall which allows nothing to get through it either way unless I specify it as allowed. Every connection in my house goes through it. Yeah, it has been a huge PITA over the years to configure because nothing has worked out of the box, but this reminded me of its advantages.

Just a thought... Is that a Linux box with its own PC motherboard (possibly with its own ME chip) and maybe running an Intel ME service?

Linked from the "Disabling Intel AMT" link is a tweet that Intel are working on a Linux guide, but it's not up yet: https://mobile.twitter.com/IntelSupport/status/859437569368567811

Something to watch for if there are any concerns.


Yes, it's a Linux box with its own motherboard, but it's not Intel. It's something a lot rarer.


Meanwhile, on AMD systems.... sitting in the corner giggling about this latest bug we don't have :troll:


I think AMD have something similar, but given that Intel systems make up a bigger target, it's probably less likely to be exploited.
