
Razzor Sharp's video: Intel AMT Vulnerability Exploit CVE-2017-5689 Bypassing Admin Authentication Remotely

*This video is solely for educational purposes*
*The intention is not to harm any system*

Intel-based chipsets come with an embedded technology called Intel Active Management Technology (AMT), which lets IT administrators remotely manage and repair the PCs, workstations, and servers of their organization. An administrator manages a system remotely through a web-based control panel that comes pre-installed on the chipset and is accessible on ports 16992 and 16993.

Because it operates independently of the operating system, the Intel AMT Web Interface works even when the system is turned off, as long as the platform is connected to line power and a network cable.

The Digest authentication completes in the following steps:

• The client requests the server to initiate login, and in response, the server returns a randomly generated 'nonce' value, the HTTP method, and the requested URI.
• Next, the user is prompted to enter their username and password.
• Once these are entered, the client machine sends the server an encrypted string (referred to as user_response), generated by applying a hash function to the entered username and password, the server-supplied nonce value, the HTTP method, and the requested URI.
• The server also calculates a similar encrypted string (referred to as computed_response) using the username and password stored in the database and the other three values.
• The server compares both strings using the strncmp() function, and if they match, it allows the user to log into the Intel AMT Web Interface.

The Intel AMT vulnerability resides exactly in the strncmp() call that the server uses to compare the two encrypted strings.

Syntax example: strncmp(string_1, string_2, length), where the length parameter defines how many characters need to be compared.

strncmp() is a binary-safe string comparison function that returns a negative or a positive integer depending on whether string_1 is less than or greater than string_2, and zero if they are equal.

For successful authentication, the user_response variable must be equal to the computed_response variable; hence the strncmp() function must return zero for any length.

But, according to the researcher, the programmers who coded this authentication process for the Intel platform mistakenly used the length of the user_response variable in the strncmp() function, instead of the length of the computed_response variable, for the response_length parameter.
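The comparison pattern described above, next to a hardened form, as an added example that is not Intel's firmware code and not from the video. The function names, the 32-character digest length (an MD5 digest written as hex, assumed here) and the sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the response is an MD5 digest in hex, i.e. 32 characters. */
#define DIGEST_HEX_LEN 32

/* Flawed pattern: the number of characters compared is taken from the
 * client-supplied string, so only that many characters are ever checked. */
int flawed_check(const char *computed_response, const char *user_response)
{
    size_t response_length = strlen(user_response);
    return strncmp(computed_response, user_response, response_length) == 0;
}

/* Hardened form: reject anything that is not exactly the expected length,
 * then compare every byte with no early exit, so the running time does not
 * reveal where the first mismatch is. */
int hardened_check(const char *computed_response, const char *user_response)
{
    unsigned char diff = 0;
    size_t i;

    if (strlen(computed_response) != DIGEST_HEX_LEN ||
        strlen(user_response) != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(computed_response[i] ^ user_response[i]);
    return diff == 0;
}

/* Constructed sample digest, not taken from a real device. */
static const char SAMPLE_COMPUTED[] = "0123456789abcdef0123456789abcdef";

int main(void)
{
    /* Constructed client values: full match, truncated, empty, wrong. */
    const char *inputs[] = { SAMPLE_COMPUTED, "0123", "", "ffff" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("user_response=\"%s\" flawed=%d hardened=%d\n", inputs[i],
               flawed_check(SAMPLE_COMPUTED, inputs[i]),
               hardened_check(SAMPLE_COMPUTED, inputs[i]));
    return 0;
}
```

In the flawed version the server-side value never bounds the comparison, which is why the length check has to come from the expected digest size rather than from anything the client sends.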

This video was published on 2017-07-02 16:00:10 GMT by @Razzor-Sharp on YouTube. Razzor Sharp has 11.4K subscribers on YouTube and a total of 92 videos. This video has received 86 likes, which is lower than the average number of likes that Razzor Sharp gets. @Razzor-Sharp receives an average of 23.9K views per video on YouTube. This video has received 25 comments, which is lower than the average number of comments that Razzor Sharp gets. Overall, the views for this video were lower than the average for the profile.
