1. 34
  1. 15

    Big wow. You’d think with all the hysteria about AMT backdoors somebody would think to try the most obvious backdoor imaginable. “Does an empty password allow login?” All this time and nobody checked that. I mean, this is something I do for all sorts of random websites.

    1. 6

      if I read this right it’s http digest auth hash empty, not empty password. That’s a little bit more complicated, because you can’t just test it with a browser, you have to mess with http headers.

      1. 1

        Good spot.

      2. 1

        First big company to top the Mac Server weakness where it would take any password for admin on one of the services. Code was probably like If NotEmpty (password) Then AccessGranted (). Intel taking it up a notch helping their partners in crime. NOBUS my ass…

      3. 11

        More details here: https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

        The bug comes down to this line:

        if(strncmp(computed_response, user_response, response_length)) exit(0x99);

        The variable response_length ought to be len(computed_response), but is actually set to len(user_response). This means the AMT will accept any truncation of the authentication hash, including the empty string.

        1. 7

          This inspired a riddle:

          A wicked sorcerer has caught a poor beggar in the act of pilfering from his garden of magical herbs and vegetables. He has the mind to turn the beggar into a snail right then and there, but is also of a sporting nature.

          The sorcerer withdraws from his cloak a small leather pouch, and hands it to the beggar. From the same source he pulls three diamonds, three rubies, three sapphires, and four emeralds, and passes these over to the wide-eyed beggar in turn. Finally, the sorcerer presents the beggar with a challenge:

          “I have in my cloak a second pouch, filled with a selection of precious stones drawn from a collection equivalent to that which you now hold. You may place as many as you wish into your pouch, arranging them inside in whatever manner you prefer, and then turn it over to me. I will repeatedly draw two stones at a time, one from each of the pouches, until I can draw no more. As soon as I draw a mismatched pair, you will become a permanent inhabitant of my garden. Otherwise, you may leave with your freedom and the remaining contents of my pouch in tow.”

          How does the beggar beat the sorcerer’s challenge?

          1. 5

            Oh, I like that.

            The answer is the beggar leaves their pouch empty, the sorc draws 0 stones and turns the beggar loose with all of the gems.

            Presumably, the sorc is so impoverished by this that they go work at Intel.

            1. 2

              That was my first idea. Then I noticed something about what he said:

              “I will repeatedly draw two stones at a time, one from each of the pouches, until I can draw no more. As soon as I draw a mismatched pair”

              He doesn’t say he’ll only draw if you put something in. He says he’ll draw regardless and his bag has something in it. If you put nothing in yours, he’ll pull one out of his and nothing out of yours. First pair is mismatched. Real answer seems to be something along a distraction followed by getting the hell out of there. Alternatively, make up reason to delay answer, steal his pouch, make them identical, put it back on, and then approach him ready for challenge. Of course, this beggar already got busted stealing so he might not have the skill for it. Final move: ask him to look closely at a stone held at about stomach level. When he bends down, Krav Maga begins at the throat, neck, and groin. Then run. Strategy works for us in a place where the wicked conjure up stones of lead followed by brief bursts of fire.

              Note: Last option has double benefit if he isn’t really a sorcerer or beggar grabs the rest of the stuff in his cloak.

              1. 3

                he’ll pull one out of his and nothing out of yours. First pair is mismatched.

                Ah, but the sorc can’t withdraw a No Stone from my pouch–we don’t support the null object pattern. That being the case, the sorc can only have one stone in the hand and that prevents them from having a “pair” of stones. :)

                1. 3

                  Haha. The beggar further turns out to be a failed but knowledeable student of sorcery wearing Rustic clothes. Tells sorcerer divine laws of ownership means he must give up ownership of the stones for the beggar to configure them as he wishes without supervision. This was to prevent situations where sorcerer spends what he no longer has or race conditions that occur after stone-holding beggar spots an open door.

                  Sorcerer recalls prior battles over ownership that started with questionable borrowing. Tells the Rustic beggar to walk out the door. Promises he will get no references in this town acting so inflexible.

                2. 2

                  one from each of the pouches, until I can draw no more

                  I think this means he won’t draw at all if one of the bags is empty.

                  1. 2

                    Ambiguous problem statement leading to undefined behavior. Nice example of why formal specifications catch problems. ;)

          2. 8

            To test it, try this:

            printf 'GET /index.html HTTP/1.0\r\nAuthorization: Digest username="admin", realm="Digest:FFFF0000000000000000000000000000",  nonce="abcdefghijklmnopqrstuvxyzABCDEFG", uri="/index.html", response="", qop=auth, nc=00000001, cnonce="12345678"\r\n\r\n' | nc -v 16992

            Replace with your target IP, this request will result in a 401. Look at the servers “WWW-Authenticate:” header and adopt the values for realm and nonce, try again.

            1. 6


              1. 1

                This is getting way less notice than I expected.

                1. 1

                  If I were AMD or any Intel competitor there is a opportunity competing not just on performance but on trust and ownership. I if I were them I would try to open up their equivalents like AMD Platform Security Processor and enjoy the more savvy crowd recommending their systems.