fun fact: if you have a laptop or desktop that has an intel cpu with "vPro" on the sticker there's a chance the management engine in your CPU is just hosting a web server at all times.
It's at port 16992
@i_lost_my_bagel integrated remote KVM functionality from boot seems like an amazing idea until https://mjg59.dreamwidth.org/48429.html (It's still a pretty cool idea for embedded or remote units tbh)

@HauntedOwlbear yeah... I will say though. I used this laptop as a server for a bit and it was so so useful.

@i_lost_my_bagel haha, I just edited to add a similar sentiment. Full remote access, just built in, with no extra hardware or licence is p great.

@HauntedOwlbear @i_lost_my_bagel It's perfectly fine if all of it works on Free Software and you can reasonably update it to keep up with security. Like a PiKVM. Intel's garbage failed on all accounts.

@i_lost_my_bagel how the hell does that work in the OS? localhost should be handled by the OS, right? so how would that work

@Sqaaakoi @i_lost_my_bagel Management Engine is essentially an entire OS (Minix) running /on/ the CPU. So pretty much every computer out there is running two OSes at all times.

@samebchase @i_lost_my_bagel Not what I asked. (I already knew what it was.) I am wondering how it manages to expose ports on the main system OS' localhost.

@Sqaaakoi @i_lost_my_bagel ah right, sorry, I must have misinterpreted what you were asking and assumed that you were not aware of IME. My apologies. Now, even I am wondering the same thing... 🤔

@samebchase @Sqaaakoi @i_lost_my_bagel ME is inspecting your traffic before it's handed to the OS, and if it sees TCP ports that it uses, it processes that. You can give ME a different IP address from what the OS uses, but by default it just shares the IP.

@jernej__s @samebchase @Sqaaakoi @i_lost_my_bagel But localhost traffic never hits the bus; it's entirely in memory via the loopback device. Is the idea here that IME is hijacking the loopback driver functions somehow? Or is that port actually exposed on localhost by some Windows vPro driver?

@overhacked @jernej__s @samebchase @Sqaaakoi there's a Windows driver that exposes it on localhost. Without a driver you can't access it on the local machine. Booted up macOS on the laptop since I know it has absolutely no AMT drivers and I couldn't access it. I can still access it from other computers though, so it's still running.

@overhacked @jernej__s @samebchase @Sqaaakoi surprisingly macOS CAN see the virtual serial connection, which I definitely wasn't expecting

@overhacked @jernej__s @samebchase @Sqaaakoi surprised the serial over LAN actually works with macOS

@Sqaaakoi@wetdry.world @samebchase@fantastic.earth @i_lost_my_bagel@mastodon.lilysthings.org It doesn't. It uses the NIC directly (vPro devices have Intel NICs); none of this traffic will ever reach the main OS. It's entirely handled by the coprocessor.

@Sqaaakoi@wetdry.world @samebchase@fantastic.earth @i_lost_my_bagel@mastodon.lilysthings.org However, loopback still uses the same NIC, so you can access it regardless.

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth I may be stupid. :spinny_fox:

@i_lost_my_bagel At least it greatly increases the Minix userbase (Intel ME is still based on Minix, no?)

@i_lost_my_bagel Modern Intel CPUs are so huge that they could fit an entire 486 SoC running Minix on there and it's effectively a rounding error. Makes you wonder if there's anything else there we don't know about.

@i_lost_my_bagel@mastodon.lilysthings.org can you just not use the port for your own stuff then?

@i_lost_my_bagel I am aware that the Intel Wifi cards can be sold in vPro and non-vPro variants; I wonder if this makes any difference?

@i_lost_my_bagel So, would this apply to devices not running Windows, or devices which do not have the Intel Management Engine software installed?

@i_lost_my_bagel how is this working? I would expect your OS's network stack would short-circuit the connection to 127.0.0.1 before it hit anything that AMT could easily see

@i_lost_my_bagel@mastodon.lilysthings.org it's like when I discovered the CUPS Linux printer thing had an HTTP server

It won't keep AMT from running. It is independent of any OS you control. ME and AMT are stored on the BIOS chip; in the 2760p it's 8MiB (~5MB ME+AMT, ~3MB BIOS). In my opinion, whether it's reachable at localhost is irrelevant. I'm more afraid of remote accesses. The ME coprocessor has unrestricted access to all memory and other hardware (NICs too; it can have its own MAC address as well). Luckily there's a solution: It'll remove all AMT code permanently, shrinking your ME firmware to under 100kB (just what's necessary to disable a watchdog timer). Btw, there's also coreboot available for that EliteBook, in case you want to get rid of the HP BIOS entirely :)

@riku @i_lost_my_bagel Okay... I get that localhost-based services are of little use remotely. So, how would (1) anyone remotely access IME or (2) IME send any data to a remote location on its own?

@jmhorner @riku the localhost part is just a small web interface that does nothing but tell you some system status. It can't do anything useful. You can use https://github.com/Ylianst/MeshCommander to connect to it from another computer and access all the fun stuff.

@jmhorner @i_lost_my_bagel By sending/receiving packets to an Intel network card on that machine. The ME coprocessor has access to those, and can configure them how it wishes.

yeah, this has been widely known and criticised ever since intel first introduced it. clearly not widely enough, if users still don't know about it. those version numbers refer to specific chipset generations btw, since the ime is inside the pch. so 6.0 is ibex peak, not exactly bleeding edge. i very much think only code that i approve of should run on my machine. it's the principle.

@jmhorner that won't stop anything. I've used the KVM features of it with Linux. You might not be able to get to the web interface on the local machine but it's still running.

@i_lost_my_bagel @jmhorner do you know how to get the KVM working :( the documentation makes me feel dumb and MeshCommander doesn't say anything about KVM

@jernej__s @i_lost_my_bagel Thanks, eh... that's much more polite than what I was thinking. :-)

@i_lost_my_bagel also thanks for the captions, I wasn't sure what was happening without them ... wondering what kind of neat things I could do with this if I were more of a programmer... I've always wanted to build a dual-password BIOS, one leading into a honeypot OS (too many spy movies as a youth)

@i_lost_my_bagel Oh yeah, AMT! This has a terrible exploit where you can log on with no password. I exploited it on my friend's server once.

@i_lost_my_bagel And it's really weird how this is implemented – you won't see any process listening on port 16992 in your OS, because the packets are being intercepted by ME before that.

@i_lost_my_bagel@mastodon.lilysthings.org doesn't work on my laptop even though it supports vPro

Btw the default password for the config of the management engine is iirc "admin", but you are forced to change it upon first use. On my ThinkPad you hit Enter at the Lenovo boot screen, then Ctrl-P to enter the ME setup screen (this is listed). I see lots of things to change there but before I do it I would like to consult some documentation...

@i_lost_my_bagel does this require Windows? My localhost thankfully doesn't react to requests on that port, but I'm also running Linux

@alinanorakari if AMT is enabled it requires you to have the Windows drivers ONLY TO SEE THE WEB INTERFACE ON THE LOCALHOST. If it's enabled you can still go to the web interface from any other machine by going to the IP.

@i_lost_my_bagel I was unable to reach the port from a second machine; even nmap reports the port as filtered, despite a communications controller with HECI showing up in lspci. I guess I'm somehow safe?

@alinanorakari yeah, it's probably disabled. AMT isn't enabled by default, but there's a chance it's enabled for people who have a machine with a vPro-enabled CPU, since that means you probably have a business machine and you probably bought it used.

@i_lost_my_bagel it's a used ThinkPad and I checked in the BIOS and "Intel (R) AMT Control" was enabled. Curious why it's not reachable. I disabled it in the BIOS for good measure.

@i_lost_my_bagel aaaaaand after disabling it and saving and exiting the BIOS my screen now shows "Unconfiguration in progress ..." lmao nice

@i_lost_my_bagel You could note that this is totally opt-in in OEM BIOS configurations. Plus it requires support in the chipset + BIOS. The Dell machines I used it on needed to have it flipped in the boot screen first. You can get them preconfigured too, though. It's a PERFECT solution for a home server. It's a free BMC! 😍 One just needs to know about this and configure it properly. I don't think there are any consumer-grade CPUs or consumer-grade motherboards that have vPro.

@i_lost_my_bagel @alfredohno Fun fact, this is why some of my workstations have additional cheap PCIe NICs in them. AMT is disabled but it keeps listening to the ports on the built-in NIC forever (intercepts them so the OS never sees traffic), so I assume it is still compromised and I simply cannot use the built-in NIC in those workstations.

@i_lost_my_bagel This may be a fun time to also bring up Microsoft #Pluton, which may or may not be a part of this same shady infrastructure; the latest and greatest processors have it in addition to the IME/PSP. (It has a valid overt use case in securing a user's preferred cryptographic keys, but it can just as easily be used to e.g. lock stuff out of the user's control.)
@i_lost_my_bagel@mastodon.lilysthings.org what the fuck
is this a joke
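The thread touches on three practical checks: the ME host interface (HECI) showing up in lspci, probing port 16992 from a second machine, and nmap calling the port "filtered" when nothing on the NIC answers. The script below puts those together as an added example; it is not code from the thread, from Intel or from MeshCommander. The lspci text and the AMT-style HTTP reply are constructed samples, the ports beyond 16992 and the "Server: Intel(R) Active Management Technology" / Digest-auth markers are assumptions about a typical AMT response, and the loopback stand-in exists only so the probe can be exercised without vPro hardware. Because the ME answers on the NIC itself, the probe has to run from another host; on the machine itself, loopback will not reach it without the Windows driver, exactly as the thread says.

```python
"""Check a host for Intel AMT exposure: spot the ME host interface (HECI/MEI)
in lspci output, then probe the AMT TCP ports from another machine and
fingerprint the built-in web server. Added example, not from the thread."""
import re
import socket
import threading

# 16992 is the port from the thread; the rest are assumptions about a typical
# AMT setup (16993 HTTPS, 623/664 SOL/IDE-R redirection, 5900 KVM over VNC).
AMT_PORTS = (16992, 16993, 623, 664, 5900)

# The ME host interface appears as a "Communication controller" in lspci.
HECI_RE = re.compile(
    r"Communication controller:.*\b(HECI|MEI|Management Engine Interface)\b", re.I)

# Constructed lspci sample, not real output from any machine in the thread.
SAMPLE_LSPCI = """\
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (4) I219-LM (rev 21)
"""


def heci_devices(lspci_text):
    """Return lspci lines describing the ME host interface. A hit only means the
    ME is present (it always is on these chipsets), not that AMT is provisioned
    or reachable; the remote probe answers that."""
    return [ln.strip() for ln in lspci_text.splitlines() if HECI_RE.search(ln)]


def probe_port(host, port, timeout=2.0):
    """TCP-connect to host:port and, if it opens, fetch the HTTP response headers.
    State is 'open', 'closed' (RST) or 'filtered' (no answer within the timeout,
    which is what nmap reports when AMT is off and nothing on the NIC replies)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        return "filtered", ""
    except OSError:
        return "closed", ""
    data = b""
    try:
        s.sendall(("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode())
        while b"\r\n\r\n" not in data:       # read until end of headers
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    except OSError:
        pass
    finally:
        s.close()
    return "open", data.decode("latin-1", "replace").split("\r\n\r\n")[0]


def looks_like_amt(headers):
    """AMT's web server names itself in the Server header and demands HTTP Digest
    auth; both markers are assumptions about the usual response."""
    return "Active Management Technology" in headers and "Digest" in headers


def audit(host, ports=AMT_PORTS, timeout=2.0):
    """Probe each AMT port on host. Run from a second machine: the ME answers on
    the NIC, so the OS's own loopback never reaches it."""
    report = {}
    for port in ports:
        state, headers = probe_port(host, port, timeout)
        report[port] = {"state": state, "amt": state == "open" and looks_like_amt(headers)}
    return report


# --- offline stand-in so the probe can be exercised without vPro hardware ---
FAKE_AMT_BANNER = (  # constructed reply in the shape of an AMT 401; not captured traffic
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", '
    b'nonce="0123456789ABCDEF", stale="false", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def start_fake_amt(banner=FAKE_AMT_BANNER):
    """Serve one constructed AMT-style reply on an ephemeral loopback port and
    return that port (test scaffolding, not part of the audit)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)          # the probe's GET; content is irrelevant here
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a loopback port that nothing is listening on (to show 'closed')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(heci_devices(SAMPLE_LSPCI))
    print(audit("127.0.0.1", [start_fake_amt(), closed_port()]))
```

Against a real target, call `audit("<host IP>")` from another machine on the same network: an AMT-enabled box reports 16992 open with the AMT fingerprint, a box with AMT disabled in the BIOS typically reports the ports filtered (the ME is still there, it just does not answer), and a box whose OS happens to run something else on those ports reports open without the fingerprint.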