Intel opens the back door

Want to hear about one of the sloppiest coding errors ever, and one that could open up the Internet to intruders? Let's start with a bit of testing in the lab ...

"Okay ... have you tested for the correct login password?", ... "Yes!",

"Have you tested for an incorrect login password?", ... "Yes!",

"And did you test for a blank login password, where you don't put anything in?", "Oh, no!"

No ... it's not April Fools' Day!

Intel supports a browser-based service, known as Active Management Technology, which allows administrators to control the operation of computers. But now it has been discovered that intruders can gain full control of PCs without requiring a password. The access even affects computers which are switched off, and the intruder just enters a blank password into the Web console [here].

A run of Shodan on port 16992 shows that there are currently over 8,000 computers on the Internet which are running Active Management Technology.

The bug has been around since 2010 and has only just been publicly announced, with many of the large computer vendors rushing to patch their computers.

As with many vulnerabilities, it is the incorrect usage of strings in C++ that has caused the problem. The researchers reverse engineered the firmware and found the usage of the statement:

if(strncmp(computed_response, user_response, response_length)) exit(0x99); 

Here computed_response (the correct password) is compared with user_response, and if they do not match the program will exit. The response_length is the number of characters to compare, and is set to the length of user_response.

But ... and this is completely laughable ... what happens when the response is zero bytes ("")? Then response_length is ZERO!!!! and the comparison will always be true.

This is a string compare, and comparing zero characters always reports a match (strncmp returns 0), so the exit is never reached. What should have happened is that the hash (or digest) of the two values should have been compared, as this will always be a fixed-length string!

Let's take an example of:

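#include <stdio.h>
#include <string.h>

int main()
{
  char user_input[100] = "hello";
  char correct_input[100] = "goodbye";
  char ch;

  /* Vulnerable pattern: the number of characters compared is taken from the user's input */
  if (strncmp(user_input, correct_input, strlen(user_input)) == 0)
  {
    printf("The same");
  }
  else printf("Not the same");

  scanf("%c", &ch);  /* wait for input before the program exits */
  return 0;
}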

If we have an input where:

  char user_input[100] ="";

this will give us a string match, and the program prints "The same".
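The same flaw set beside a hardened check, as an added example (not code from the article or from Intel's firmware). It goes slightly beyond the blank case: any response shorter than the expected value is compared over fewer characters than it should be, so the fix must enforce the full length rather than only reject empty input. RESPONSE_LEN, EXPECTED and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed width of the response, e.g. a digest written as 32 hex characters. */
#define RESPONSE_LEN 32

/* Constructed sample value, not taken from any real device. */
static const char EXPECTED[] = "0123456789abcdef0123456789abcdef";

/* Pattern from the article: the length supplied with the user's response
 * decides how many characters are compared. Returns 1 if accepted. */
int check_vulnerable(const char *computed, const char *user, size_t user_len)
{
    return strncmp(computed, user, user_len) == 0;
}

/* Hardened form: the response must be exactly RESPONSE_LEN characters long,
 * and every character is compared with no early exit. Returns 1 if accepted. */
int check_hardened(const char *computed, const char *user, size_t user_len)
{
    unsigned char diff = 0;
    size_t i;

    if (user_len != RESPONSE_LEN || strlen(computed) != RESPONSE_LEN)
        return 0;                       /* wrong length: reject before comparing */
    for (i = 0; i < RESPONSE_LEN; i++)
        diff |= (unsigned char)(computed[i] ^ user[i]);
    return diff == 0;
}

int main(void)
{
    const char *tries[] = { "", "0123", "wrong", EXPECTED };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        size_t n = strlen(tries[i]);
        printf("len %2zu: vulnerable=%d hardened=%d\n", n,
               check_vulnerable(EXPECTED, tries[i], n),
               check_hardened(EXPECTED, tries[i], n));
    }
    return 0;
}
```

The length check runs before any character is compared, so a zero-length response never reaches the comparison loop.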

I would not expect this from our first year students!!!!!

Go back to school Intel!

Thomas Walker Lynch

Thomas innovates, designs, builds, and manages high tech solutions.

7 years ago

Hey Intel, want to talk now?

Salvatore Cherchi

Business&Corporate Risk Engineer at GENERALI ITALIA SPA

7 years ago

Oooppps....what a mess dear Intel :-)

Eric Kline

Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant

7 years ago

indeed Professor William Buchanan, "Go back to school Intel!"
