Samuel Chase

@Sqaaakoi @i_lost_my_bagel ah right, sorry I must have misinterpreted what you were asking and assumed that you were not aware of IME. My apologies.

Now, even I am wondering the same thing... 🤔

6 comments
Jernej Simončič

@samebchase @Sqaaakoi @i_lost_my_bagel ME is inspecting your traffic before it's handed to the OS, and if it sees TCP ports that it uses, it processes that. You can give ME a different IP address from what the OS uses, but by default it just shares the IP.

Ross Williams

@jernej__s @samebchase @Sqaaakoi @i_lost_my_bagel But localhost traffic never hits the bus; it’s entirely in memory via the loopback device. Is the idea here that IME is hijacking the loopback driver functions somehow? Or is that port actually exposed on localhost by some Windows vPro driver?

number 1 windows xp hater

@overhacked @jernej__s @samebchase @Sqaaakoi there's a windows driver that exposes it on localhost. Without a driver you can't access it on the local machine. Booted up macOS on the laptop since I know it has absolutely no AMT drivers and I couldn't access it.

I can still access it from other computers though so it's still running.

number 1 windows xp hater

@overhacked @jernej__s @samebchase @Sqaaakoi surprisingly macOS CAN see the virtual serial connection which I definitely wasn't expecting

Polychrome :clockworkheart:
@samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.

If the OS can access the IME over localhost:16992 then it's because the OS has a passthrough driver.

Generally the right way to do things is to allocate a separate address for the IME rather than use the same address as the OS. This frees the port on the OS and ensures there won't be any conflict with anything that tries to grab it. Apparently the IME can have its own MAC address via internal bridging on the NIC.

If for whatever reason you can't disable the IME and/or its webserver you can take it off the network by using your own PCI network card instead of the built-in one. The IME should not be able to access the network card that isn't part of the chipset, effectively isolating it.

Some corporate networks use that approach for extra security: Connect the IME to an internal management-only network via the built-in ethernet chipset, and a PCI card for actual work network access.
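A small probe that turns the thread's diagnosis into a repeatable check. This is an added example, not code from any of the posters: it issues a bare HTTP request to TCP 16992 from the OS's own loopback and from a second machine on the LAN, then interprets the pair of results the way the thread does (answer on the NIC but not on loopback means the ME is intercepting with no local passthrough driver; answer on both means a driver such as Intel's LMS is proxying it locally; an OS service answering means the port is genuinely owned by the OS). The banner string `Intel(R) Active Management Technology`, the `ProbeResult`/`classify` names and the sample response bytes are assumptions constructed for the example.

```python
"""Added example (not from the thread): compare the loopback and LAN view of
Intel AMT's HTTP listener on TCP 16992 to see who actually owns the port."""
import socket
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

AMT_HTTP_PORT = 16992   # AMT web UI / WS-Management over plain HTTP
AMT_HTTPS_PORT = 16993  # same over TLS (not probed here)

# Assumption: the AMT web server names itself in its Server header with
# this prefix. Anything else answering is treated as an OS-side service.
AMT_BANNER = "Intel(R) Active Management Technology"


@dataclass
class ProbeResult:
    host: str
    port: int
    connected: bool
    status: Optional[int] = None
    server: Optional[str] = None

    @property
    def is_amt(self) -> bool:
        return self.connected and self.server is not None and AMT_BANNER in self.server


def parse_http_head(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Pull (status code, Server header) out of a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    status = None
    parts = lines[0].split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    return status, server


def probe(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> ProbeResult:
    """Connect, send a minimal GET, and record whatever answers (no retries)."""
    result = ProbeResult(host=host, port=port, connected=False)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result.connected = True
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            s.settimeout(timeout)
            raw = s.recv(8192)
    except OSError:
        return result
    result.status, result.server = parse_http_head(raw)
    return result


def classify(loopback: ProbeResult, remote: ProbeResult) -> str:
    """Interpret the two views as the thread does: the ME answers on the NIC,
    so the LAN view tells you whether AMT is up and the loopback view tells
    you whether the OS has a passthrough driver for it."""
    if remote.is_amt and not loopback.connected:
        return "amt-on-nic-no-local-driver"       # macOS case in the thread
    if remote.is_amt and loopback.is_amt:
        return "amt-on-nic-with-local-passthrough"  # e.g. Intel LMS on Windows
    if loopback.connected and not remote.is_amt:
        return "os-service-on-port"               # OS owns 16992; AMT off or on its own address
    if not loopback.connected and not remote.connected:
        return "port-closed-or-filtered"
    return "inconclusive"


if __name__ == "__main__":
    # Usage: run this on the machine under test, passing the address another
    # host on the LAN uses to reach it (or run the remote half from that host).
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    lo, lan = probe("127.0.0.1"), probe(target)
    print(f"loopback: {lo}\nlan:      {lan}\nverdict:  {classify(lo, lan)}")
```

Probing from the machine itself only ever exercises the loopback path, which is exactly the blind spot the thread describes; the LAN probe has to be run from, or addressed to, a different host for the classification to mean anything.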