Intel AMT – It’s a feature not a bug

Last weekend I read a Twitter message stating that Intel was suffering from yet another security issue, this time with Active Management Technology (AMT). Even more alarming is the statement by Harry Sintonen, one of F-Secure’s Senior Security Consultants: “The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place.” Ouch! However, this issue is not new; it is just not widely known. An article from 2007 is included in the references below to show that this was an already known issue and that the default password should be changed.

This morning we wanted to find out how bad the security issue is and, of course, how it can be exploited.

Working with different kinds of laptops, we finally managed to reproduce the issue. As it turns out, exploiting it is not as simple as the F-Secure blog suggests (see reference below). Not every system has the Intel Management Engine BIOS Extension (MEBx) enabled; in some cases the functionality isn’t even available due to a lack of licenses. That said, some functionality can be enabled if you have access to the BIOS.

So, in short:

This is not a direct issue if the system does not show the AMT Setup Prompt (Ctrl-P). If the functionality is present but disabled, a BIOS password can, in some cases, still reduce the risk of this issue.

But what is Active Management Technology?

From the intel website: “Intel® AMT uses integrated platform capabilities and popular third-party management and security applications, to allow IT or managed service providers to better discover, repair, and help protect their networked computing assets. Intel® AMT also saves time with remote maintenance and wireless manageability for your mobile workforce, and secure drive wiping to simplify PC lifecycle transitions.”

The reason Intel AMT can help with, for example, managing Blue Screens of Death is that Intel AMT operates before the Operating System starts. In very simple terms, a system starts as follows:

  • First the BIOS will be loaded;
  • Then the possibility could exist to enter MEBx;
  • Finally, the Operating System will be started.

This is important because AMT operates outside the Operating System! For this reason, it is possible to connect to and monitor systems without the Operating System being able to detect this at the network level (good luck, blue team).

Reproducing the issue

To reproduce the issue we grabbed an HP EliteBook on which we have access to the BIOS. We also ran Nmap to verify whether any ports were open, which was not the case.

The next step is enabling Firmware Verbosity and the AMT Setup Prompt (Ctrl-P):

Active Management Technology

After saving and rebooting, Ctrl-P is shown as a boot option. Hitting Ctrl-P brings you to the following screen:

And here comes the weakness… The default password is “admin”. The user is requested to change it to a safer password (minimum of 8 characters, a special character, a capital letter and a number).

The next menu gives you the option to Activate Network Access:

This immediately gives the following Nmap result:

nmap 192.168.66.6 -p 623,664,5900,16992,16993,16994,16995 --open
Nmap scan report for 192.168.66.6
Not shown: 5 closed ports
PORT      STATE SERVICE
623/tcp   open  oob-ws-http
16992/tcp open  amt-soap-http

As you can see, port 16992 is reported as open. This is the web application, served over plain HTTP, where you can log on to Intel AMT. It is shown below:
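For defenders who want to find exposed AMT interfaces without relying on an interactive Nmap run, the script below is an added example (not code from the original post) that connects to the AMT web-UI port, sends one unauthenticated request and decides from the reply whether Intel AMT is answering. It must be run from a different machine on the same network: as explained above, the managed host’s own Operating System cannot see AMT traffic. Two details are assumptions rather than facts stated on this page: that the AMT web UI sends a `Server: Intel(R) Active Management Technology …` header, and that protected pages answer unauthenticated requests with HTTP 401 and an HTTP Digest challenge whose realm starts with `Digest:`. The sample reply embedded in the script is constructed to match those assumptions.

```python
"""Added example (not code from the original post): check whether a host answers
on the Intel AMT web-UI port and whether the reply looks like AMT.

Run it from a *different* machine on the same network: the host's own
Operating System cannot see AMT traffic, so scanning the managed system from
itself proves nothing.

Assumptions (not stated in the post): the AMT web UI identifies itself with a
``Server: Intel(R) Active Management Technology ...`` header, and protected
pages answer unauthenticated requests with HTTP 401 and an HTTP Digest
challenge whose realm starts with ``Digest:``.
"""
import socket
import sys

# The ports the post scanned with nmap, with what each one is used for.
AMT_PORTS = {
    623: "WS-Management over HTTP",
    664: "WS-Management over TLS",
    5900: "VNC (AMT KVM, when enabled)",
    16992: "AMT web UI / SOAP, unencrypted",
    16993: "AMT web UI / SOAP over TLS",
    16994: "AMT redirection (SOL, IDE-R, KVM)",
    16995: "AMT redirection over TLS",
}

# Constructed reply, shaped like the assumed AMT Digest challenge.
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", '
    b'nonce="constructed", stale="false", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status_code, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def looks_like_amt(status: int, headers: dict) -> bool:
    """Heuristic fingerprint based on the assumed Server header and Digest realm."""
    if "intel(r) active management technology" in headers.get("server", "").lower():
        return True
    www_auth = headers.get("www-authenticate", "").lower()
    return status == 401 and www_auth.startswith("digest") and 'realm="digest:' in www_auth


def probe_amt_web(host: str, port: int = 16992, timeout: float = 3.0):
    """Send one unauthenticated GET; return (status, headers), or None if the port is closed."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while sum(len(c) for c in chunks) < 65536:   # cap what we read
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    return parse_http_response(b"".join(chunks))


def describe(host: str, port: int = 16992) -> str:
    """One-line verdict for a host:port pair."""
    result = probe_amt_web(host, port)
    if result is None:
        return f"{host}:{port} ({AMT_PORTS.get(port, 'unknown')}) closed or unreachable"
    status, headers = result
    verdict = "looks like Intel AMT" if looks_like_amt(status, headers) else "not AMT-like"
    return f"{host}:{port} -> HTTP {status}, {verdict}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.66.6"  # address from the post
    print(describe(target))
```

A host that answers on 16992 but fails the fingerprint still deserves a look, since the check only recognises the two reply shapes assumed above; an inventory of every host answering on any port in `AMT_PORTS` is the useful output for an asset owner.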

Since we know the credentials (admin:<<your newly created password>>), you will be able to log in and manage the system.

A great tool that can help attackers (or administrators, for that matter) is MeshCommander (see the reference for the tool). With this tool you can, for example, enable Remote Desktop. First you need to make a connection:

Next you can see the menu item “Remote Desktop”, from where you will be able to enable the functionality:

Enabling KVM and other features:

Another handy feature is to disable the requirement for User Consent:

Next and last step… make a remote desktop connection:

This is really cool, but remember what was said earlier! This remote desktop session will not be seen by the Operating System at the network level. The system will, however, log hardware-level actions (the creation of new I/O devices). The only network-level detection method is monitoring the traffic on the wire (not on the Operating System).

The following two screenshots of the Windows “Device Manager” show that a new mouse and keyboard are added when a Remote Desktop connection is made with MeshCommander.

Before connection:

Connected:

OMG… So that is why you said good luck, blue team?

Yes, but that is not all. Remember the web application where we can log on to Intel AMT? This web application is by default not encrypted. Using the Intruder feature in Burp Suite, a test was done to see whether the login is protected against brute force. Guess…

Performing 150 login attempts with a wrong password shows the following:

Regardless of the error message “Log on failed. Incorrect user name or password, or user account temporarily locked.”, the account is never locked.
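Because the account never locks, the only place this guessing can be caught is on the wire, which is also the only place a KVM session shows up. The script below is an added example (not code from the original post) of that network-side detection: it raises an alert when one source collects a burst of HTTP 401 replies from an AMT web port, a second alert when a 200 follows such a burst (the moment a guessed password starts working), and an alert for every connection to the AMT redirection ports. The log format is constructed for the example (tab-separated timestamp, source, destination, destination port and HTTP status); in practice the rows would come from a sensor such as Zeek or a firewall log, and the threshold and window are assumptions to tune.

```python
"""Added example (not code from the original post): network-side detection of
password guessing against the AMT web UI and of AMT redirection sessions.

The managed Operating System never sees this traffic, so the input has to come
from a sensor on the wire (span port, Zeek, firewall log). The log format used
here is constructed for the example: tab-separated ``ts``, ``src``, ``dst``,
``dport``, ``http_status`` (``-`` when the connection is not HTTP).
"""
from collections import defaultdict

AMT_WEB_PORTS = {16992, 16993}            # web UI / SOAP, plain and TLS
AMT_SESSION_PORTS = {5900, 16994, 16995}  # KVM and SOL/IDE-R redirection
FAILED_THRESHOLD = 20   # 401 replies from one source to one AMT host ...
WINDOW_SECONDS = 60     # ... within this many seconds (both values are assumptions)

# Constructed sample: 192.168.66.50 guesses passwords on the EliteBook from the
# post (192.168.66.6), succeeds, then opens a redirection session. The last two
# rows are benign: ordinary HTTPS, and a single failed logon from another host.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i}\t192.168.66.50\t192.168.66.6\t16992\t401" for i in range(25)]
    + [
        "1030\t192.168.66.50\t192.168.66.6\t16992\t200",
        "1031\t192.168.66.50\t192.168.66.6\t16994\t-",
        "1032\t192.168.66.7\t192.168.66.10\t443\t200",
        "1033\t192.168.66.8\t192.168.66.6\t16992\t401",
    ]
)


def parse_log(text: str):
    """Turn the constructed log into (ts, src, dst, dport, status-or-None) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, status = line.split("\t")
        events.append((float(ts), src, dst, int(dport), None if status == "-" else int(status)))
    return events


def detect(events):
    """Return alerts as (kind, src, dst, detail) tuples, in time order."""
    alerts = []
    recent_failures = defaultdict(list)  # (src, dst) -> timestamps of recent 401s
    for ts, src, dst, dport, status in sorted(events, key=lambda e: e[0]):
        window = recent_failures[(src, dst)]
        # Expire failures that fell out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.pop(0)
        if dport in AMT_WEB_PORTS and status == 401:
            window.append(ts)
            if len(window) == FAILED_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(("amt_password_guessing", src, dst,
                               f"{FAILED_THRESHOLD} failed logons within {WINDOW_SECONDS}s"))
        elif dport in AMT_WEB_PORTS and status == 200 and len(window) >= FAILED_THRESHOLD:
            # A success right after a burst of failures: AMT never locks the account,
            # so this is the moment a guessed password starts working.
            alerts.append(("amt_logon_after_guessing", src, dst,
                           f"HTTP 200 after {len(window)} failures"))
        elif dport in AMT_SESSION_PORTS:
            # KVM/SOL sessions are invisible to the managed OS; every one is worth a ticket.
            alerts.append(("amt_redirection_session", src, dst, f"tcp/{dport}"))
    return alerts


if __name__ == "__main__":
    for kind, src, dst, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:26} {src} -> {dst}  {detail}")
```

Because the rule keys on (source, destination) pairs, a legitimate management console that authenticates once per session never reaches the threshold, while the 150-attempt Intruder run described above trips it within the first minute. The redirection-port rule is deliberately unconditional: a site that does not use KVM or Serial-over-LAN should see no such connections at all.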

Conclusion

Intel created some nice out-of-band management features that few people knew about. They thought it was a good idea to set a default password of “admin” for the Intel Management Engine BIOS Extension (MEBx) login. Exploiting the weaknesses described above could impact all parts of the classic CIA triad (Confidentiality, Integrity and Availability). Reading this article you might think it is easy; however, some requirements have to be met:

  • Physical access is required to enable the feature;
  • The Intel AMT functionality should be available;
  • If it is not enabled you should have access to the BIOS;

Mitigations

If you don’t need the functionality, disable it. Replace the default MEBx password and set a BIOS password to mitigate the risk that the feature could be enabled by someone with physical access.

References

Intel® AMT: Strong ME Passwords are Required

A Security Issue in Intel’s Active Management Technology (AMT)

MeshCommander