Email or username:

Password:

Forgot your password?
number 1 windows xp hater's posts Post Back to profile
Top-level
Sqaaakoi :flagEnby:​

@i_lost_my_bagel how the hell does that work in the OS? localhost should be handled by the OS, right? so how would that work

7 April at 6:08 | Wall-to-wall | Open on wetdry.world
15 comments
Samuel Chase

@Sqaaakoi @i_lost_my_bagel Management Engine is essentially an entire OS (Minix) running /on/ the CPU.

So pretty much every computer out there is running two OSes at all times.

7 April at 8:45 | Open on fantastic.earth
Sqaaakoi :flagEnby:​

@samebchase @i_lost_my_bagel Not what I asked. (I already knew what it was.) I am wondering how it manages to expose ports on the main system OS' localhost.

7 April at 10:02 | Open on wetdry.world
Samuel Chase

@Sqaaakoi @i_lost_my_bagel ah right, sorry I must have misinterpreted what you were asking and assumed that you were not aware of IME. My apologies.

Now, even I am wondering the same thing... 🤔

7 April at 11:33 | Open on fantastic.earth
Jernej Simončič �

@samebchase @Sqaaakoi @i_lost_my_bagel ME is inspecting your traffic before it's handed to the OS, and if it sees TCP ports that it uses, it processes that. You can give ME a different IP address from what the OS uses, but by default it just shares the IP.

7 April at 18:16 | Open on infosec.exchange
Ross Williams

@jernej__s @samebchase @Sqaaakoi @i_lost_my_bagel But localhost traffic never hits the bus; it’s entirely in memory via the loopback device. Is the idea here that IME is hijacking the loopback driver functions somehow? Or is that port actually exposed on localhost by some Windows vPro driver?

8 April at 1:41 | Open on recurse.social
number 1 windows xp hater

@overhacked @jernej__s @samebchase @Sqaaakoi there's a windows driver that exposes it on localhost. Without a driver you can't access it on the local machine. Booted up macOS on the laptop since I know it has absolutely no AMT drivers and I couldn't access it.

I can still access it from other computers though so it's still running.
8 April at 2:14 | Open on mastodon.lilysthings.org
number 1 windows xp hater

@overhacked @jernej__s @samebchase @Sqaaakoi surprisingly macOS CAN see the virtual serial connection which I definitely wasn't expecting
8 April at 2:19 | Open on mastodon.lilysthings.org
Polychrome :clockworkheart:
@samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.

If the OS can access the IME over localhost:16992 then it's because the OS has a passthrough driver.

Generally the right way to do things is to allocate a separate address for the IME rather than use the same address as the OS. This frees the port on the OS and ensues there won't be any conflict with anything that tries to grab it. Apparently the IME can have its own MAC address via internal bridging on the NIC.

If for whatever reason you can't disable the IME and/or its webserver you can take it off the network by using your own PCI network card instead of the built-in one. The IME should not be able to access the network card that isn't part of the chipset, effectively isolating it.

Some corporate networks use that approach for extra security: Connect the IME to an internal management-only network via the built-in ethernet chipset, and a PCI card for actual work network access.
@samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.
7 April at 20:46 | Open on poly.cybre.city
Latte macchiato :blobcoffee: :ablobcat_longlong:

@Sqaaakoi@wetdry.world @samebchase@fantastic.earth @i_lost_my_bagel@mastodon.lilysthings.org It doesn't. It uses the NIC directly (vPro devices have Intel NICs), none of this traffic will ever reach the main OS. It's entirely handled by the coprocessor.

7 April at 14:22 | Open on plasmatrap.com
Latte macchiato :blobcoffee: :ablobcat_longlong:
[GRLC] (⁠^⁠.⁠_⁠.⁠^⁠)⁠ノ :neocat_flag_sapphic:
@privateger @Sqaaakoi @i_lost_my_bagel @samebchase loopback is not supposed to hit any NICs though?
7 April at 14:28 | Open on akko.wtf
Latte macchiato :blobcoffee: :ablobcat_longlong:

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth I may be stupid. ​:spinny_fox:​

vPro is going to run anyway. Some features of it are part of the ME, some are at user level.

If you hit on the OS loopback, there's probably something also running on your OS. Maybe a management daemon that comes installed? You'd be correct in that it _doesn't_ use the NIC there.

The out of band stuff most people will be using vPro for though is part of the ME.

7 April at 14:32 | Open on plasmatrap.com
Latte macchiato :blobcoffee: :ablobcat_longlong:

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth
The management engine of all modern Intel CPUs has:
- full direct memory access
- full TCP stack access
- receive and send network packets bypassing the OS
- cannot be disabled past Core2 CPUs
It's a dedicated chip running MINIX, has a dedicated connection to the NIC and is part of the chipset.

The scary parts, the Active Management Engine, claims these ports:
- 16992 (SOAP/HTTP)
- 16993 (SOAP/HTTPS)
- 16994 (Redirection/TCP)
- 16995 (Redirection/TLS)
KVM runs over the last two.

https://www.intel.com/content/www/us/en/privacy/intel-active-technology-vpro.html

AMT is disabled by default.

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth
The management engine of all modern Intel CPUs has:
- full direct memory access
- full TCP stack access
- receive and send network packets bypassing the OS
- cannot be disabled past Core2 CPUs
It's a dedicated chip running MINIX, has a dedicated connection to the NIC and is part of the chipset.

The scary parts, the Active Management Engine, claims these ports:
- 16992 (SOAP/HTTP)
- 16993 (SOAP/HTTPS)

7 April at 14:40 | Open on plasmatrap.com
third="Beedell", first="Roke"
Go Up