Dell Backdoor
Dell iDRAC
Once on the BMC you can use simple ol' ifconfig and change or create interfaces with any network or address you want - other than, it seems, the server's own IP address. It's no problem at all listening to multiple networks or addresses. Or using the built in command line picture and movie taking tool to take snapshots or movies:
[WPCM450 /bin]$ avct_control capture --file /tmp/snap-from-bmc.png Capturing screen to file '/tmp/snap-from-bmc.png'... Captured.
I've no idea of how many servers it impacts - I found it out on my Dell R710 running iDRAC express 6, firmware version 1.7. What makes it particularly nasty is how you can remotely determine if a host has this in place - the other web pages I've looked on the Dell redirect you to the login page, this one shows you the bad news (although you do have to be logged in to actually make changes.)
I waited a couple of months until Dell had a fix before releasing details - I've been told by Dell all the most recent firmwares don't have this issue anymore... and my version, 1.7, isn't even available anymore (they supply from 1.57 to 1.8, so it probably affected the versions in between those.)
A secret back door web page
While not a pen tester, I am curious. I downloaded and was checking out the firmware on my Dell, when I saw an odd looking file - testurls.html. Turned out to be an unbranded (plain ol' text) live page on my live BMC server, and it starts out like this (the URL is the IP address + testurls.html; e.g. "https://10.6.6.6/testurls.html"; trying it over http redirects me to https):All you need to do is to put root in the form, and from now on you can login as root on the BMC via SSH/telnet/whatever.This page contains links that can be used to request XML document directly from the server (instead of going through the web pages). AIM session: user= , group= , validated=
Reboot: Click to reboot the iDRAC. [...]
Note that this page (the testurls.html) is reachable even if you aren't logged into the BMC, which makes finding a server that's vulnerable to this simple.
Interesting details in there, like how to change or query for
IPMI/BMC configuration stuff via URLs. It looked something like what
a development/QA/something backdoor into Dell's iDRAC; Dell said that
they didn't know how it got there. I searched on google for the page -
searches such as dell idrac "testurls.html"
and got zero hits,
so this obviously was't common knowledge.
Specific system (WPCM450 is the default root prompt):
A certificate was embedded in the page as well:[WPCM450 /tmp]$ cat /etc/fw_ver 1.70.21 iDRAC6 Sat Mar 12 21:05:29 UTC 2011 110312210529
Interesting stuff. Going into the BMC as root was even more so.[WPCM450 /tmp]$ openssl x509 -noout -in cert.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 4b:fc:9c:c6:00:00:00:00:00:26 Signature Algorithm: sha1WithRSAEncryption Issuer: DC=com, DC=Woodlands, CN=WoodlandsCA Validity Not Before: May 6 13:51:47 2008 GMT Not After : May 6 13:51:47 2009 GMT Subject: DC=com, DC=Woodlands, CN=Users, CN=Administrator Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e8:1e:08:69:af:7e:72:6c:55:f7:1f:f0:15:c0: a5:e3:0f:8d:1f:6c:04:f3:8b:4f:f9:83:28:0b:b3: f4:0f:4d:d0:99:1c:10:b6:4c:5a:bf:45:37:47:e8: 46:e4:0a:1c:25:93:a4:a7:00:c9:e0:f4:e1:a2:29: 46:74:d0:f4:6d:93:00:bc:96:17:92:43:a2:d2:db: c5:f8:97:a2:27:fb:91:c1:a9:03:d4:9a:cc:16:f1: d9:47:7f:25:bf:7c:17:1e:e7:b5:8c:aa:ce:e8:93: d5:29:71:cd:b4:02:90:84:4e:09:1b:35:f4:69:b6: 63:08:6f:94:d3:25:f4:33:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, Microsoft Smartcardlogin 1.3.6.1.4.1.311.20.2: ...S.m.a.r.t.c.a.r.d.L.o.g.o.n X509v3 Subject Key Identifier: B9:32:11:E6:90:AA:62:1D:FD:D5:CA:A6:89:4D:6F:6F:7A:B3:34:47 X509v3 Authority Key Identifier: keyid:AE:96:A8:70:11:A5:B7:7F:80:74:D3:E6:5D:FF:CB:72:38:65:8E:93 X509v3 CRL Distribution Points: URI:ldap:///CN=WoodlandsCA,CN=sun-st104mas90,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Woodlands,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint URI:http://sun-st104mas90.woodlands.com/CertEnroll/WoodlandsCA.crl Authority Information Access: CA Issuers - URI:ldap:///CN=WoodlandsCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Woodlands,DC=com?cACertificate?base?objectClass=certificationAuthority CA Issuers - URI:http://sun-st104mas90.woodlands.com/CertEnroll/sun-st104mas90.Woodlands.com_WoodlandsCA.crt X509v3 Subject Alternative Name: othername:Signature Algorithm: sha1WithRSAEncryption 71:c5:88:da:74:7a:a2:67:4e:51:a2:0f:f9:60:9d:49:76:1e: 66:f0:22:0d:86:36:72:f4:ab:1c:1a:fc:ab:23:98:ef:9d:e5: 53:42:d6:9b:1d:a1:6e:57:ab:5d:35:cb:79:6c:51:7d:9a:ce: 71:89:1b:c0:a2:36:43:fd:3c:29:73:f8:43:9c:5d:f3:0d:e1: 41:5e:31:ff:d7:53:ac:1e:e5:d0:9c:71:ca:94:af:22:15:9b: e7:ea:67:8a:ba:a3:2b:b4:8c:0b:d4:0d:0a:6f:81:69:4b:12: 12:e6:7d:34:33:54:b0:0b:10:18:18:da:fc:15:a2:15:ff:29: 02:94:46:61:1a:4a:88:6e:57:26:98:79:2e:f5:51:21:c4:79: 47:83:a7:63:67:16:62:1a:b4:a4:e3:35:9f:85:00:23:fe:1d: be:c6:20:17:b2:ac:9a:42:64:42:05:b1:de:f7:54:bb:68:73: 52:4c:54:b1:ee:de:91:5f:b5:45:34:b4:d7:3d:1f:c8:44:cc: 99:c2:63:2e:8f:4b:aa:78:0d:54:67:05:b9:15:54:7f:b1:d7: 34:78:70:48:42:a5:39:ac:6c:b5:26:ff:80:93:0e:bd:ee:25: 33:87:96:53:0a:3e:0d:1b:0e:02:e7:4a:5f:8e:2a:db:8b:ed: 8a:39:d7:bb
