<!DOCTYPE html>
<html>
<head>
<title>Darren Rainey</title>
<link href='https://fonts.googleapis.com/css?family=Share+Tech+Mono' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="css/style.css" media="screen">
<meta name="Description" content="Since Xbox Live was released in 2001 it has grown to more than 48 million active users; however, there are people who want to play with their friends but don't want to pay for Xbox Live, or who want to understand how the Xbox Live system functions. But one of the main reasons that people like me are starting to reverse engineer the Xbox Live protocol is that Microsoft will, and has, shut down support and access to older consoles. In 2010 Microsoft announced that they would be shutting down the Xbox Live servers for the original Xbox. So in this forum people are discussing and working together to deconstruct the Xbox protocols and create a free and open source alternative, and if we can get a working version on the original Xbox then we could gain a lot of knowledge about how the system works and potentially adapt it in the future to allow other systems such as the Xbox 360 or Xbox One to communicate with the older systems, or even play some backward compatible games such as Halo 1/2.">
</head>
<body>
<div id="page">
<div id="content">
<!--HEADER SECTION -->
<div id="header"><pre>
<a class="darren rainey" href="http://darrenraineys.co.uk">
8888888b. 8888888b. d8b
888 "Y88b 888 Y88b Y8P
888 888 888 888
888 888 8888b. 888d888 888d888 .d88b. 88888b. 888 d88P 8888b. 888 88888b. .d88b. 888 888
888 888 "88b 888P" 888P" d8P Y8b 888 "88b 8888888P" "88b 888 888 "88b d8P Y8b 888 888
888 888 .d888888 888 888 88888888 888 888 888 T88b .d888888 888 888 888 88888888 888 888
888 .d88P 888 888 888 888 Y8b. 888 888 888 T88b 888 888 888 888 888 Y8b. Y88b 888
8888888P" "Y888888 888 888 "Y8888 888 888 888 T88b "Y888888 888 888 888 "Y8888 "Y88888
888
Y8b d88P
"Y88P" </a>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</pre>
</div>
<!--THE LIST -->
<div id="list">
<ul>
<center><b><u>Intel AMT Exploit Explained - CVE-2017-5689 [27/09/2017]</u></b></center>
<p>Earlier this year a bug in Intel Active Management Technology (Intel AMT for short) was disclosed to Intel and a patch/update was made available. However, many people may not update their firmware to fix it, and this is an out-of-band exploit, which means the vulnerable code runs on the hardware outside of the operating system's control and "vision".
<p>
So this is roughly what the code looks like (the code was reverse-engineered but is accurate enough for explanation):
<pre>
if(strncmp(computed_response, user_response, response_length))
    deny_access();
</pre>
<p>
If you are familiar with the C language you can see that this function compares the user_response variable against computed_response for response_length bytes, where the length comes from the user's response, so if you sent "hello" it would check that "hello" is 5 characters long and compare those 5 characters.
However, the attack works by sending no password or hash to compare, so rather than this function checking that the user input is valid it checks 0 bytes because no input was sent (strncmp with a length of 0 compares nothing and returns 0, which the code treats as a match). There are various ways this could have been prevented in the code, such as checking that there were more than 0 bytes of data to check against.
<p>
So in summary, the Intel AMT firmware doesn't check that the user input makes sense, and if you send no data it will log you in rather than giving you an access denied message.
<br>
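<p>To make the flaw concrete, here is an added example (not the page's or Intel's code): a local simulation of the vulnerable check beside a hardened version that takes the comparison length from the expected value, rejects an empty or wrong-length response, and compares in constant time. The digest string is a constructed sample, not a real AMT value.

```c
#include <stdio.h>
#include <string.h>

/* Simulation of the AMT digest check described above.  The server computes the
 * expected response and compares it with what the client sent.  In the flawed
 * version the strncmp length is taken from the client's response. */

/* Vulnerable check: returns 1 if access is granted, 0 if denied. */
int check_response_vulnerable(const char *computed_response, const char *user_response)
{
    size_t response_length = strlen(user_response); /* client controls this */
    if (strncmp(computed_response, user_response, response_length))
        return 0;   /* deny_access() */
    /* An empty response compares 0 bytes, strncmp returns 0, and access is
     * granted.  Any correct prefix of the expected response passes too. */
    return 1;
}

/* Hardened check: the length comes from the expected value, the client's
 * response must be exactly that long, and the comparison is constant-time so
 * timing does not reveal how many leading bytes matched. */
int check_response_fixed(const char *computed_response, const char *user_response)
{
    size_t expected_len = strlen(computed_response);
    if (expected_len == 0 || strlen(user_response) != expected_len)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(computed_response[i] ^ user_response[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample digest, not a real AMT value. */
    const char *expected = "5d41402abc4b2a76b9719d911017c592";
    printf("vulnerable, empty response: %s\n",
           check_response_vulnerable(expected, "") ? "GRANTED" : "denied");
    printf("fixed, empty response:      %s\n",
           check_response_fixed(expected, "") ? "GRANTED" : "denied");
    printf("fixed, correct response:    %s\n",
           check_response_fixed(expected, expected) ? "GRANTED" : "denied");
    return 0;
}
```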
</ul>
</div>
<!--FOOTER SECTION -->
<div id="footer">
<pre>------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</pre>
<div class="filter">
<a href="http://darrenraineys.co.uk">HOME</a>
<span class="footdogs"> × </span>
<a target="_blank" href="https://youtube.com/DarrenRainey">YOUTUBE</a>
<span class="footdogs"> × </span>
<a target="_blank" href="https://github.com/DarrenRainey">GITHUB</a>
<span class="footdogs"> × </span>
<a target="_blank" href="http://darrenraineys.co.uk/sitemap.php">SITEMAP</a>
</div>
</div>
</body>
</html>