A paper on IPMI and BMC security:
ipmi: freight train to hell, plain HTML or dangerous PDF (bloated director’s cut; the HTML was generated from Word and edited down.)
- or -
ipmi: express train to hell, in HTML or PDF (1 page, G-rated version.)
The 2nd link is the express/single page/reader’s digest version, which has various generalities that I try to fully explain in the paper or supporting documents. Added bonus: if you buy now you’ll get free additional supporting materials along with a razor sharp virtual Ginsu knife!
Note – I’ve heard a LOT of people dismiss all this and claim that all you need to do to secure your IPMI/BMCs is to ensure that their network interfaces are on their own network and be careful about that critical password. This is simply incorrect. If you haven’t read the paper or heard the arguments within, you might read it to find out why I believe you’re dead wrong (and if you still disagree, drop me a line and tell me!) Note that anyone with server admin access can manage the IPMI network settings of its BMC without authentication, attack the BMC, compromise it, and then pivot through to attack the management network.
Note #2. As if all the above weren’t enough, I just found out that the infamous Cipher Zero (0) is enabled by default on all my systems… this allows anyone to authenticate to the BMC with any password you choose (even if you manage to guess the correct one, that still works.) Fascinating stuff.
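A quick way to check your own BMCs for the Cipher Zero problem is to read the RMCP+ cipher-suite lines that `ipmitool lan print` reports. The following is an added example (not from the paper and not ipmitool’s own code): it parses a constructed excerpt in the real `ipmitool lan print` layout, reports whether cipher suite 0 is usable and at what privilege level, and produces the `cipher_privs` string that disables it. Position i of the “Cipher Suite Priv Max” string is the maximum privilege for cipher suite i, and `X` marks an unused suite.

```python
"""Audit RMCP+ cipher-suite settings as reported by ``ipmitool lan print``.

Added example for this page, not code from the IPMI paper or from ipmitool.
SAMPLE_LAN_PRINT is a constructed excerpt in the real ``ipmitool lan print``
layout: slot i of "Cipher Suite Priv Max" is the maximum privilege granted
to cipher suite i, and 'X' means that suite is unused.
"""
import re

# Constructed sample: a BMC that still has cipher suite 0 enabled at ADMIN.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Return (enabled_suites, priv_max_string) from ipmitool lan print output."""
    suites, priv_max = [], ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "RMCP+ Cipher Suites":
            suites = [int(s) for s in re.findall(r"\d+", value)]
        elif key == "Cipher Suite Priv Max":
            # Continuation lines (the legend) have an empty key and are skipped.
            priv_max = value.split()[0] if value else ""
    return suites, priv_max


def cipher_zero_status(text):
    """Report whether cipher suite 0 (no real authentication) is usable and at what privilege."""
    suites, priv_max = parse_lan_print(text)
    priv = priv_max[0] if priv_max else "X"
    enabled = 0 in suites and priv != "X"
    return {"enabled": enabled,
            "privilege": PRIV_NAMES.get(priv, priv),
            "suites": suites}


def hardened_priv_max(priv_max):
    """Same string with slot 0 set to 'X', i.e. cipher suite 0 disabled.

    The result is what you pass to ``ipmitool lan set <channel> cipher_privs``.
    """
    if not priv_max:
        return priv_max
    return "X" + priv_max[1:]


if __name__ == "__main__":
    status = cipher_zero_status(SAMPLE_LAN_PRINT)
    _, priv = parse_lan_print(SAMPLE_LAN_PRINT)
    print("cipher suite 0:", status)
    if status["enabled"]:
        print("fix: ipmitool lan set <channel> cipher_privs", hardened_priv_max(priv))
```

Run it against the saved output of `ipmitool lan print <channel>` from each BMC; a result of `enabled: True` at `ADMIN` is the configuration the note above describes, and the printed `cipher_privs` string is the same privilege map with only slot 0 turned off, so the other suites keep their current settings.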
The website remote.bergcloud.com is used to communicate with the Little Printer; set up print subscriptions, send messages to the printer, give friends permission to send messages, and so on. I discovered an authentication/authorization bypass issue on this site which allows an owner of a Little Printer, as well as any user who has been authorized to print messages to at least one Little Printer, to print messages to any of the Little Printers out there – without prior authorization from the owners.
The HTTP POST which is sent when you message the Little Printer contains the following payload:
The field message[bot_id] contains the ID of the Little Printer, which is a sequential numeric identifier. Changing the ID allows a user to send a message to another Little Printer without being authorized by the owner. The user is also able to print messages without authenticity_token present in the payload.
After printing a message, the site will normally display a box saying Message sent. When printing to another Little Printer, without really having permission to do so, the site displays an error and it seems like printing was not successful. However, that’s not the case.
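The fix on the server side is to treat `message[bot_id]` as untrusted input: verify the CSRF token, check that the sender owns the printer or has been granted permission for it, and only then print. The following is an added example, not code from remote.bergcloud.com: it is a constructed model of the request described above, with a handler that reproduces the observed behaviour (message printed, error shown) next to a hardened handler that fails closed before any side effect. The owner and permission tables are constructed sample data.

```python
"""Server-side authorization for "print a message to printer bot_id".

Added example, not code from remote.bergcloud.com. The handlers are a
constructed model of the POST described above (message[bot_id],
message[text], authenticity_token). The vulnerable model prints before
checking anything; the hardened model checks the CSRF token and the
sender's permission for that specific printer first.
"""
import hmac

# Constructed data: printer id -> owner, and printer id -> users the owner allowed.
OWNERS = {101: "alice", 102: "bob"}
ALLOWED_SENDERS = {101: {"carol"}, 102: set()}


def can_print(user, bot_id):
    """True only if user owns the printer or was granted permission by its owner."""
    return OWNERS.get(bot_id) == user or user in ALLOWED_SENDERS.get(bot_id, set())


def handle_post_vulnerable(session, form, printed):
    """Model of the observed behaviour: the message is printed regardless of
    authorization, and the later error only affects what the page shows."""
    bot_id = int(form["message[bot_id]"])
    printed.append((bot_id, form["message[text]"]))  # side effect happens unconditionally
    if not can_print(session["user"], bot_id):
        return 500, "error"  # error displayed, but the message was already printed
    return 200, "Message sent"


def handle_post_hardened(session, form, printed):
    """CSRF token and per-printer authorization are enforced before printing."""
    token = form.get("authenticity_token") or ""
    expected = session.get("csrf_token") or ""
    if not token or not hmac.compare_digest(token, expected):
        return 403, "invalid authenticity token"
    try:
        bot_id = int(form.get("message[bot_id]", ""))
    except ValueError:
        return 400, "bad bot_id"
    if not can_print(session["user"], bot_id):
        return 403, "not authorized for this printer"  # fail closed, nothing printed
    printed.append((bot_id, form["message[text]"]))
    return 200, "Message sent"


if __name__ == "__main__":
    session = {"user": "carol", "csrf_token": "tok"}
    cross = {"message[bot_id]": "102", "message[text]": "hi", "authenticity_token": "tok"}
    out = []
    print(handle_post_vulnerable(session, cross, out), out)   # (500, 'error') but printed
    out = []
    print(handle_post_hardened(session, cross, out), out)     # (403, ...) and nothing printed
```

The essential point is ordering: the authorization decision must be made on the server against the owner’s permission records for the exact `bot_id` in the request, and it must happen before the message reaches the printer, so that the error the user sees matches what actually happened.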
The Pwn Pad – a commercial grade penetration testing tablet which provides professionals an unprecedented ease of use in evaluating wired and wireless networks. The sleek form factor of the Pwn Pad makes it an ideal product choice when on the road or conducting a company or agency walk-through. This high-speed, lightweight device, featuring extended battery life and 7” of screen real estate, offers pentesters an alternative never known before.
HT Rohan Pinto
Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.”
Hat tip to Gilberto Persico for this:
In a blog post last month I looked at how a Raspberry Pi can be used to emulate a formidable IBM mainframe, and in this post I describe how a pair can be used to emulate VAX computers which can then be configured to form a VMScluster.
The MicroVAX 3900 hardware being emulated this time is a little more modern and somewhat smaller than the IBM 4381 processor, but the VAX architecture and OpenVMS operating system are no less impressive. On introduction in 1989 an entry level MicroVAX 3900 would have set you back over $120,000 and, as with IBM’s VM operating system, you’d be mistaken if you thought that OpenVMS was dead and buried as it runs many mission critical workloads today.
Emulation of the VAX hardware has been made possible by a pretty amazing piece of software called SimH. In order to be able to run OpenVMS on this a licence is required, but fortunately these are available free of charge via the OpenVMS Hobbyist programme.
The SimH software is configured to emulate a MicroVAX 3900 with 64Mb of memory, 1.5Gb disk and a CD-ROM drive. An ISO file containing an image of the OpenVMS installation media is attached to the virtual CD-ROM drive and the emulator is booted. The steps to install the software are reasonably simple and the image below shows part of the installation process.