Dell Backdoor

Dell iDRAC

This is a nasty one. Here's a very simple way to change the shell of an IPMI user from SMASH/CLP (the arcane and not terribly useful command line interface) to give you a normal Linux shell on the BMC, which lands you into an invisible box on a server (more about IPMI.)

Once on the BMC you can use simple ol' ifconfig and change or create interfaces with any network or address you want - other than, it seems, the server's own IP address. It's no problem at all listening to multiple networks or addresses. Or using the built in command line picture and movie taking tool to take snapshots or movies:

[WPCM450 /bin]$ avct_control capture --file /tmp/snap-from-bmc.png Capturing screen to file '/tmp/snap-from-bmc.png'... Captured.

I've no idea of how many servers it impacts - I found it out on my Dell R710 running iDRAC express 6, firmware version 1.7. What makes it particularly nasty is how you can remotely determine if a host has this in place - the other web pages I've looked on the Dell redirect you to the login page, this one shows you the bad news (although you do have to be logged in to actually make changes.)

I waited a couple of months until Dell had a fix before releasing details - I've been told by Dell all the most recent firmwares don't have this issue anymore... and my version, 1.7, isn't even available anymore (they supply from 1.57 to 1.8, so it probably affected the versions in between those.)

A secret back door web page

While not a pen tester, I am curious. I downloaded and was checking out the firmware on my Dell, when I saw an odd looking file - testurls.html. Turned out to be an unbranded (plain ol' text) live page on my live BMC server, and it starts out like this (the URL is the IP address + testurls.html; e.g. "https://10.6.6.6/testurls.html"; trying it over http redirects me to https):
This page contains links that can be used to request XML document directly from the server (instead of going through the web pages). AIM session: user= , group= , validated=
The following field and the link below under \"CLP Override\" provide a way to set the AIM variable used by ssh to determine if it should run CLP or show the Linux console. Enter a valid iDRAC system user to disable CLP and access the Linux Console via ssh or enter \"racuser\" to enable CLP. Click here to get the current value of the variable:
SSH User:

Reboot: Click to reboot the iDRAC. [...]
All you need to do is to put root in the form, and from now on you can login as root on the BMC via SSH/telnet/whatever.

Note that this page (the testurls.html) is reachable even if you aren't logged into the BMC, which makes finding a server that's vulnerable to this simple.

Interesting details in there, like how to change or query for IPMI/BMC configuration stuff via URLs. It looked something like what a development/QA/something backdoor into Dell's iDRAC; Dell said that they didn't know how it got there. I searched on google for the page - searches such as dell idrac "testurls.html" and got zero hits, so this obviously was't common knowledge.

Specific system (WPCM450 is the default root prompt):

[WPCM450 /tmp]$ cat /etc/fw_ver 1.70.21 iDRAC6 Sat Mar 12 21:05:29 UTC 2011 110312210529
A certificate was embedded in the page as well:
[WPCM450 /tmp]$ openssl x509 -noout -in cert.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 4b:fc:9c:c6:00:00:00:00:00:26 Signature Algorithm: sha1WithRSAEncryption Issuer: DC=com, DC=Woodlands, CN=WoodlandsCA Validity Not Before: May 6 13:51:47 2008 GMT Not After : May 6 13:51:47 2009 GMT Subject: DC=com, DC=Woodlands, CN=Users, CN=Administrator Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e8:1e:08:69:af:7e:72:6c:55:f7:1f:f0:15:c0: a5:e3:0f:8d:1f:6c:04:f3:8b:4f:f9:83:28:0b:b3: f4:0f:4d:d0:99:1c:10:b6:4c:5a:bf:45:37:47:e8: 46:e4:0a:1c:25:93:a4:a7:00:c9:e0:f4:e1:a2:29: 46:74:d0:f4:6d:93:00:bc:96:17:92:43:a2:d2:db: c5:f8:97:a2:27:fb:91:c1:a9:03:d4:9a:cc:16:f1: d9:47:7f:25:bf:7c:17:1e:e7:b5:8c:aa:ce:e8:93: d5:29:71:cd:b4:02:90:84:4e:09:1b:35:f4:69:b6: 63:08:6f:94:d3:25:f4:33:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, Microsoft Smartcardlogin 1.3.6.1.4.1.311.20.2: ...S.m.a.r.t.c.a.r.d.L.o.g.o.n X509v3 Subject Key Identifier: B9:32:11:E6:90:AA:62:1D:FD:D5:CA:A6:89:4D:6F:6F:7A:B3:34:47 X509v3 Authority Key Identifier: keyid:AE:96:A8:70:11:A5:B7:7F:80:74:D3:E6:5D:FF:CB:72:38:65:8E:93 X509v3 CRL Distribution Points: URI:ldap:///CN=WoodlandsCA,CN=sun-st104mas90,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Woodlands,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint URI:http://sun-st104mas90.woodlands.com/CertEnroll/WoodlandsCA.crl Authority Information Access: CA Issuers - URI:ldap:///CN=WoodlandsCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Woodlands,DC=com?cACertificate?base?objectClass=certificationAuthority CA Issuers - URI:http://sun-st104mas90.woodlands.com/CertEnroll/sun-st104mas90.Woodlands.com_WoodlandsCA.crt X509v3 Subject Alternative Name: othername: Signature Algorithm: sha1WithRSAEncryption 71:c5:88:da:74:7a:a2:67:4e:51:a2:0f:f9:60:9d:49:76:1e: 66:f0:22:0d:86:36:72:f4:ab:1c:1a:fc:ab:23:98:ef:9d:e5: 53:42:d6:9b:1d:a1:6e:57:ab:5d:35:cb:79:6c:51:7d:9a:ce: 71:89:1b:c0:a2:36:43:fd:3c:29:73:f8:43:9c:5d:f3:0d:e1: 41:5e:31:ff:d7:53:ac:1e:e5:d0:9c:71:ca:94:af:22:15:9b: e7:ea:67:8a:ba:a3:2b:b4:8c:0b:d4:0d:0a:6f:81:69:4b:12: 12:e6:7d:34:33:54:b0:0b:10:18:18:da:fc:15:a2:15:ff:29: 02:94:46:61:1a:4a:88:6e:57:26:98:79:2e:f5:51:21:c4:79: 47:83:a7:63:67:16:62:1a:b4:a4:e3:35:9f:85:00:23:fe:1d: be:c6:20:17:b2:ac:9a:42:64:42:05:b1:de:f7:54:bb:68:73: 52:4c:54:b1:ee:de:91:5f:b5:45:34:b4:d7:3d:1f:c8:44:cc: 99:c2:63:2e:8f:4b:aa:78:0d:54:67:05:b9:15:54:7f:b1:d7: 34:78:70:48:42:a5:39:ac:6c:b5:26:ff:80:93:0e:bd:ee:25: 33:87:96:53:0a:3e:0d:1b:0e:02:e7:4a:5f:8e:2a:db:8b:ed: 8a:39:d7:bb
Interesting stuff. Going into the BMC as root was even more so.