number 1 windows xp hater

fun fact: if you have a laptop or desktop that has an intel cpu with "vPro" on the sticker there's a chance the management engine in your CPU is just hosting a web server at all times.

It's at port 16992

76 comments
13 barn owls in a trench coat

@i_lost_my_bagel integrated remote KVM functionality from boot seems like an amazing idea until mjg59.dreamwidth.org/48429.htm

(It's still a pretty cool idea for embedded or remote units tbh)

number 1 windows xp hater

@HauntedOwlbear yeah... I will say though. I used this laptop as a server for a bit and it was so so useful.

13 barn owls in a trench coat

@i_lost_my_bagel haha, I just edited to add a similar sentiment. Full remote access, just built in, with no extra hardware or licence is p great.

LisPi
@HauntedOwlbear @i_lost_my_bagel It's perfectly fine if all of it works on Free Software and you can reasonably update it to keep up with security.

Like a PiKVM. Intel's garbage failed on all accounts.
Sqaaakoi :flagEnby:

@i_lost_my_bagel how the hell does that work in the OS? localhost should be handled by the OS, right? so how would that work

Samuel Chase

@Sqaaakoi @i_lost_my_bagel Management Engine is essentially an entire OS (Minix) running /on/ the CPU.

So pretty much every computer out there is running two OSes at all times.

Sqaaakoi :flagEnby:

@samebchase @i_lost_my_bagel Not what I asked. (I already knew what it was.) I am wondering how it manages to expose ports on the main system OS' localhost.

Samuel Chase

@Sqaaakoi @i_lost_my_bagel ah right, sorry I must have misinterpreted what you were asking and assumed that you were not aware of IME. My apologies.

Now, even I am wondering the same thing... 🤔

Jernej Simončič

@samebchase @Sqaaakoi @i_lost_my_bagel ME is inspecting your traffic before it's handed to the OS, and if it sees TCP ports that it uses, it processes that. You can give ME a different IP address from what the OS uses, but by default it just shares the IP.

Ross Williams

@jernej__s @samebchase @Sqaaakoi @i_lost_my_bagel But localhost traffic never hits the bus; it’s entirely in memory via the loopback device. Is the idea here that IME is hijacking the loopback driver functions somehow? Or is that port actually exposed on localhost by some Windows vPro driver?

number 1 windows xp hater

@overhacked @jernej__s @samebchase @Sqaaakoi there's a windows driver that exposes it on localhost. Without a driver you can't access it on the local machine. Booted up macOS on the laptop since I know it has absolutely no AMT drivers and I couldn't access it.

I can still access it from other computers though so it's still running.

number 1 windows xp hater

@overhacked @jernej__s @samebchase @Sqaaakoi surprisingly macOS CAN see the virtual serial connection which I definitely wasn't expecting

Polychrome :clockworkheart:
@samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.

If the OS can access the IME over localhost:16992 then it's because the OS has a passthrough driver.

Generally the right way to do things is to allocate a separate address for the IME rather than use the same address as the OS. This frees the port on the OS and ensures there won't be any conflict with anything that tries to grab it. Apparently the IME can have its own MAC address via internal bridging on the NIC.

If for whatever reason you can't disable the IME and/or its webserver you can take it off the network by using your own PCI network card instead of the built-in one. The IME should not be able to access the network card that isn't part of the chipset, effectively isolating it.

Some corporate networks use that approach for extra security: Connect the IME to an internal management-only network via the built-in ethernet chipset, and a PCI card for actual work network access.
Latte macchiato :blobcoffee: :ablobcat_longlong:

@Sqaaakoi@wetdry.world @samebchase@fantastic.earth @i_lost_my_bagel@mastodon.lilysthings.org It doesn't. It uses the NIC directly (vPro devices have Intel NICs), none of this traffic will ever reach the main OS. It's entirely handled by the coprocessor.

Latte macchiato :blobcoffee: :ablobcat_longlong:

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth I may be stupid. :spinny_fox:

vPro is going to run anyway. Some features of it are part of the ME, some are at user level.

If you hit on the OS loopback, there's probably something also running on your OS. Maybe a management daemon that comes installed? You'd be correct in that it _doesn't_ use the NIC there.

The out of band stuff most people will be using vPro for though is part of the ME.

Latte macchiato :blobcoffee: :ablobcat_longlong:

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth
The management engine of all modern Intel CPUs has:
- full direct memory access
- full TCP stack access
- receive and send network packets bypassing the OS
- cannot be disabled past Core2 CPUs
It's a dedicated chip running MINIX, has a dedicated connection to the NIC and is part of the chipset.

The scary part, the Active Management Engine, claims these ports:
- 16992 (SOAP/HTTP)
- 16993 (SOAP/HTTPS)
- 16994 (Redirection/TCP)
- 16995 (Redirection/TLS)
KVM runs over the last two.

https://www.intel.com/content/www/us/en/privacy/intel-active-technology-vpro.html

AMT is disabled by default.
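An added example (not code from the thread or from Intel): a small Python probe that checks the four AMT ports listed above on a host you administer and classifies each as open, closed or filtered, so a defender can inventory which vPro machines actually answer. The `AMT_PORTS` mapping comes from the post; `start_dummy_listener` and `free_loopback_port` are constructed loopback stand-ins so the probe can be exercised offline.

```python
import socket
import threading

# The four TCP ports AMT claims, as listed in the thread (constructed mapping).
AMT_PORTS = {
    16992: "SOAP/HTTP",
    16993: "SOAP/HTTPS",
    16994: "Redirection/TCP",
    16995: "Redirection/TLS",
}

def probe_port(host, port, timeout=2.0):
    """Return "open" (something accepted: the ME, or on localhost a passthrough
    driver), "closed" (an RST came back, nothing claims the port), "filtered"
    (no answer before the timeout, what nmap reported above) or "error"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"

def probe_amt_ports(host, ports=None, timeout=2.0):
    """Probe each AMT port on host; returns {port: state}."""
    ports = list(AMT_PORTS) if ports is None else list(ports)
    return {p: probe_port(host, p, timeout) for p in ports}

def exposed_services(states):
    """Names of the AMT services whose port accepted a connection."""
    return [AMT_PORTS.get(p, "unknown") for p, s in states.items() if s == "open"]

def start_dummy_listener():
    """Constructed stand-in for an AMT listener on a loopback ephemeral port, so
    the probe can be exercised offline. Returns (port, sock); close sock to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                srv.accept()[0].close()
            except OSError:  # listener socket closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv

def free_loopback_port():
    """A loopback port with no listener: bind to port 0, note it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `probe_amt_ports("<host>")` against a machine you own from a second host; a result of "filtered" on all four ports matches the switched-off case described later in the thread, while "open" on 16992 means the web interface is reachable.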


Speaktrap

@i_lost_my_bagel At least it greatly increases Minix userbase (Intel ME still is based on Minix, no?)

acb

@i_lost_my_bagel Modern Intel CPUs are so huge that they could fit an entire 486 SoC running Minix on there and it’s effectively a rounding error.

Makes you wonder if there’s anything else there we don’t know about.

Mateus R. Costa (he/him)

@i_lost_my_bagel I am aware that the Intel Wifi cards can be sold in vPro and non-vPro variants, I wonder if this makes any difference?

JM Horner :blobcatcowboy:

@i_lost_my_bagel So, would this apply to devices not running Windows, or devices which do not have the Intel Management Engine software installed?

lunchy

@i_lost_my_bagel how is this working? I would expect your OS's network stack would short circuit the connection to 127.0.0.1 before it hit anything that AMT could easily see

:bun: Stellar 🇫🇷

@i_lost_my_bagel@mastodon.lilysthings.org it's when I discovered the CUPS Linux printer thing had an HTTP server

JM Horner :blobcatcowboy:

@i_lost_my_bagel The idea of this REALLY bothered me, so I had to find out for myself. I am lucky [or perhaps UNlucky] enough to have an HP Elitebook 2760p here with Windows 10 on it. I had intentionally never installed the Intel Management Engine software on it, and in Device Manager I had an unknown device (I think it actually said PCI device). I tried Edge [it was creepy but I did it] and localhost:16992 produced a "can't reach this page" error message.

I then installed the IME software [HP driver sp55757 in this case] and was able to access the IME page on localhost:16992 with Edge. The "device" was also updated in Device Manager giving me the following two devices:

Intel Active Management Technology - SOL

Intel Management Engine Interface

You can decide for yourself what SOL stands for in the first one. I then uninstalled the IME software from Control Panel and upon reboot the devices stayed, but the service listening on port 16992 was gone. So I reinstalled the IME software and confirmed that the service was listening on 16992 again. Then opened the IME application via the systray icon and deselected

"Intel Management and Security Status will be available next time I log on to Windows."

After a reboot the service was not listening again.

So, it appears as though on my decade old vPro™️ laptop the service is provided by the IME software, and that not installing it (or disabling it) will keep the service from running in Windows 10. I have not tested it yet, but I am pretty confident that when I put Devuan back on here the service won't be listening. :blobcatcheer:


Riku Viitanen

@jmhorner @i_lost_my_bagel

It won't keep AMT from running. It is independent of any OS you control. ME and AMT are stored on the BIOS chip, in 2760p it's 8MiB (~5MB ME+AMT, ~3MB BIOS).

In my opinion, whether it's reachable at localhost is irrelevant. I'm more afraid of remote accesses. The ME coprocessor has unrestricted access to all memory and other hardware. NICs too, it can have its own MAC address as well.

Riku Viitanen

@jmhorner @i_lost_my_bagel

Luckily there's a solution:
me_cleaner: github.com/corna/me_cleaner

It'll remove all AMT code permanently, shrinking your ME firmware to under 100kB (just what's necessary to disable a watchdog timer).

Btw, there's also coreboot available for that elitebook, in case you want to get rid of the HP BIOS entirely :)

JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel Okay... I get that localhost based services are of little use remotely. So, how would (1) anyone remotely access IME or (2) IME send any data to a remote location on its own?

number 1 windows xp hater

@jmhorner @riku the localhost part is just a small web interface that does nothing but tell you some system status. It can't do anything useful.

You can use github.com/Ylianst/MeshCommand to connect to it from another computer and access all the fun stuff.

Riku Viitanen

@jmhorner @i_lost_my_bagel By sending/receiving packets to an Intel network card on that machine. ME coprocessor has access to those, and can configure them how it wishes.

JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel If I do not go into my BIOS and set up an AMT admin password and networking, AMT does not seem to get an IP address. Additionally, when I stop the IME services in Windows (or uninstall the IME software) MeshCommander times out. If I unplug my NIC and only use WiFi, AMT is unable to pick up an IP address from my DHCP server (and is of course inaccessible via MeshCommander).

So, in order for someone "not on my network" to interact with AMT, is it fair to say that:

- I'd have to either specifically set up AMT in my BIOS or buy a device that has already been set up

- I'd have to have the IME software installed and the two IME services running in Windows

- I'd have to be connected via Ethernet rather than WiFi and

- I'd have to have the appropriate port forwarded on my IPv4 NAT-based gateway or have IPv6 set up on my home network

Or is there really some way for someone to remotely interact with AMT even if one or more of those points is not met? While I am disappointed that Intel would put that kind of crap "in a processor", I can't say I am surprised. So, should I see it as being any more of a security problem than something like DRAC or iLO?


Riku Viitanen

@jmhorner @i_lost_my_bagel

- probably, but i just don't personally trust it. the code is unauditable, and could be full of bugs.
- os services don't matter. remote management is supposed to work even if the os doesn't boot, e.g. to reboot/reinstall remotely
- there are some wi-fi cards with "vPro feature". maybe yours doesn't have it
- theoretically it could be possible to borrow the os's ip address, if i'm not mistaken.

i'm not confident i could fully secure it, so i always apply me_cleaner.

JM Horner :blobcatcowboy:

@riku @i_lost_my_bagel I'll admit that when I first read the post I may have pooped a little and thought that it sounded like a terrible security flaw. I thought I might be dropping a dozen laptops off for recycling.

While screwing around I think I saw that only the newest version has the ability to use WiFi. I am guessing at the numbers here... but I think 2.4, 2.6, and 4.0 do NOT work via WiFi, while 6.0 does. If anybody reading this is banking on those version numbers please go check rather than taking my word for it.

I think the part that irritates me most is how [as you just said] it is not possible to audit the code, and that it could be already setup when buying a used device. The damage *should* still be limited to the local LAN, but it *should* have a more obvious "off button".

Riku Viitanen

@jmhorner @i_lost_my_bagel

yeah, this has been widely known and criticised ever since intel first introduced it. clearly not widely enough, if users still don't know about it.

those version numbers refer to specific chipset generations btw, since the ime is inside the pch. so 6.0 is ibex peak, not exactly bleeding edge.

i very much think only code that i approve of should run on my machine. it's the principle.

number 1 windows xp hater

@jmhorner that won't stop anything. I've used the KVM features of it with Linux. You might not be able to get to the web interface on the local machine but it's still running.

PCLMULQDQ

@i_lost_my_bagel @jmhorner do you know how to get the kvm working :( the documentation makes me feel dumb and meshcommander doesn't say anything about kvm

JM Horner :blobcatcowboy:

@jernej__s @i_lost_my_bagel Thanks eh... that's much more polite than what I was thinking. :-)

Lily

@i_lost_my_bagel
damn that's crazy

also thanks for the captions i wasn't sure what was happening without them

Full Metal Archaeopteryx

@i_lost_my_bagel

... wondering what kind of neat things I could do with this if I were more of a programmer...

I've always wanted to build a dual password BIOS, one leading into a honeypot OS (too many spy movies as a youth)

DELETED

@i_lost_my_bagel Oh yeah, AMT! This has a terrible exploit where you can log on with no password.

I exploited it on my friend's server once.

Jernej Simončič

@i_lost_my_bagel And it's really weird how this is implemented – you won't see any process listening on port 16992 in your OS, because the packets are being intercepted by ME before that.

Rhialto

@i_lost_my_bagel

Btw the default password for the config of the management engine is iirc "admin", but you are forced to change it upon first use.

On my ThinkPad you hit Enter at the Lenovo boot screen, then Ctrl-P to enter the ME setup screen (this is listed).

I see lots of things to change there but before I do it I would like to consult some documentation...

LiquidParasyte

@i_lost_my_bagel ... Glad I don't have an Intel

But also w h y ?

Alina 0xFF

@i_lost_my_bagel does this require Windows? My localhost thankfully doesn't react to requests on that port but I'm also running Linux

number 1 windows xp hater

@alinanorakari if AMT is enabled it requires you to have the windows drivers ONLY TO SEE THE WEB INTERFACE ON THE LOCALHOST. If it's enabled you can still go to the web interface from any other machine by going to the IP.

Alina 0xFF

@i_lost_my_bagel I was unable to reach the port from a second machine, even nmap reports the port as filtered, despite a communications controller with HECI showing up in lspci. I guess I'm somehow safe?

number 1 windows xp hater

@alinanorakari yeah it's probably disabled. AMT isn't enabled by default, but there's a chance it's enabled for some people, since if you have a machine with a vPro-enabled CPU that means you probably have some business machine and you probably bought it used.

Alina 0xFF

@i_lost_my_bagel it's a used ThinkPad and I checked in the BIOS and "Intel (R) AMT Control" was enabled. Curious why it's not reachable. I disabled it in the BIOS for good measure.

Alina 0xFF

@i_lost_my_bagel aaaaaand after disabling it and saving and exiting the BIOS my screen now shows "Unconfiguration in progress ..." lmao nice

Wyatt (🏳️‍⚧️♀?)

@i_lost_my_bagel Once again proudly not using anything under 10 years old

Taureon

@i_lost_my_bagel software problem? throw a http server at it

Gert van Dijk

@i_lost_my_bagel You could note that this is totally opt-in in OEM BIOS configurations. Plus it requires support in the chipset + BIOS.

The Dell machines I used it on needed to have it flipped in the boot screen first. You can get them preconfigured too, though.

It's a PERFECT solution for a home server. It's a free BMC! 😍 One just needs to know about this and configure it properly. I don't think there are any consumer grade CPUs or consumer grade motherboards that have vPro.

LisPi
@i_lost_my_bagel @alfredohno Fun fact, this is why some of my workstations have additional cheap PCIe NICs in them.

AMT is disabled but it keeps listening to the ports on the built-in NIC forever (intercepts them so the OS never sees traffic), so I assume it is still compromised and I simply cannot use the built-in NIC in those workstations.
Kirinn B.

@i_lost_my_bagel This may be a fun time to also bring up Microsoft #Pluton, which may or may not be a part of this same shady infrastructure; the latest and greatest processors have it in addition to the IME/PSP.

(It has a valid overt use case in securing a user's preferred cryptographic keys, but it can just as easily be used to e.g. lock stuff out of the user's control.)
