Uncategorized

Reversing Intel ME’s ROMP module

Reverse-engineering the Intel Management Engine’s ROMP module
Youness Alaoui, Hardware enablement developer

Last month, while I was waiting for hardware to arrive and undergo troubleshooting, I had some spare time to begin some Intel ME reverse engineering work. First, I need to give some shout out to Igor Skochinsky, a Hex-Rays developer, who had been working on reverse engineering the Intel ME for a while, and who has been very generous in sharing his notes and research on the ME with us, which is going to be a huge help and cut down months of reverse engineering and guesswork. Igor was very helpful in getting me to understand the bits that didn’t make sense to me. The first thing I wanted to try and reverse was the ROMP module. It is one of the two modules that me_cleaner doesn’t remove, and given how small it is (less than 1KB of code+data), I thought it would be a good starting point. Turns out my hunch was right, as I finished reverse engineering that module after only a couple of days.[…]

https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/

https://github.com/kakaroto/purism-playground

Standard
Uncategorized

Intel AMT story, continued

A little bit more (warning: a few of these are related to Intel ME hardware, not Intel AMT firmware):

Rumor has it that OpenAMT can also be used for AMT detection:
https://sourceforge.net/p/openamt/wiki/Home/

AMT advisory from ASUS:
https://www.asus.com/News/uztEkib4zFMHCn5r

http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/

https://community.rapid7.com/community/nexpose/blog/2017/05/11/on-the-lookout-for-intel-amt-cve-2017-5689

http://www.govinfosecurity.com/intels-amt-flaw-worse-than-feared-a-9901

Is Intel’s Management Engine Broken?

 

Standard
Uncategorized

Intel AMT story, continued

https://www.us-cert.gov/ncas/current-activity/2017/05/07/Intel-Firmware-Vulnerability

https://github.com/CerberusSecurity/CVE-2017-5689

https://github.com/chipsec/chipsec/issues/212

https://support.lenovo.com/us/en/product_security/len-14963

http://en.community.dell.com/support-forums/laptop/f/3518/p/20011922/20995860

http://en.community.dell.com/techcenter/extras/m/white_papers/20443914

http://en.community.dell.com/techcenter/extras/m/white_papers/20443937

https://support.hp.com/us-en/document/c05507350

https://community.qualys.com/thread/17263-qids-or-scanning-advice-for-intel-amt-sa-00075

https://www.tenable.com/sc-dashboards/intel-sa-00075-detection

https://www.tenable.com/blog/intel-amt-vulnerability-detection-with-nessus-and-pvs-intel-sa-00075

https://vuldb.com/?id.100794

Intel AMT chip bug suspected backdoor, but likely coding error
[…]Some researchers accused the vulnerability of being a backdoor. Tatu Ylonen, the inventor of the Secure Shell protocol told SC Media Charlie Demerjan, the researcher who spotted the flaw, claims to have been in discussions over bug with Intel for years urging them t to fix it. “If his claim is true (I have no reason to doubt it but have no independent evidence), then it begins to sound very much like a backdoor,” Demerjan said. “I mean, if someone knows their product has a vulnerability that undermines the security of pretty much every enterprise server in the world and most security tools, wouldn’t they want to disclose it to the government, one of their biggest customers?”[…]

https://www.scmagazine.com/intel-amt-flaw-likely-just-coding-error/article/655449/

[…]What is clear, however, is that this flaw (which has existed for more than 9 years) truly is somewhere between nightmarish and apocalyptic. Taking no action is not an option.

http://www.securityweek.com/exploitable-details-intels-apocalyptic-amt-firmware-vulnerability-disclosed

Standard
Uncategorized

Intel ME: based on Minix?

“[…]In addition, when we looked inside the decompressed vfs module, we encountered the strings “FS: bogus child for forking” and “FS: forking on top of in-use child,” which clearly originate from Minix3 code. It would seem that ME 11 is based on the MINIX 3 OS developed by Andrew Tanenbaum :)[…]”

http://blog.ptsecurity.com/2017/04/intel-me-way-of-static-analysis.html

http://www.minix3.org/

 

Standard
Uncategorized

Intel AMT story, continued

https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

https://downloadcenter.intel.com/download/26755

http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

Standard
Uncategorized

more on Intel AMT news

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

http://mjg59.dreamwidth.org/48429.html

Standard
Uncategorized

Intel AMT remotely exploitable since 2008?

Remote security exploit in all 2008+ Intel platforms
Nehalem through Kaby all remotely and locally hackable
May 1, 2017 by Charlie Demerjian
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened. The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.[…]

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

 

Standard