For those who own Intel CPU and value privacy

Discussion in 'privacy general' started by Stefan Froberg, Apr 5, 2017.

  1. plat1098

    plat1098 Guest

    Pfft, I just removed the LMS because it seems you need all the components configured/active (MEI, LMS, etc) in order for this to be exploitable. Right? My MEI wasn't configured, thank god, so my risk was lower.

    Re: post 19 in quote about hash, that looks sloppy and half-a****d, doesn't it? Did someone(s) at Intel want the vulnerability in there?

    Edit: I also disabled several Intel services like Capability Licensing and Dynamic Application Loader Host Interface (geez, long one there) in Services. They've remained disabled for the past week, no sneaky re-enabling as of yet. Less is still too much, right?
     
    Last edited by a moderator: May 8, 2017
  2. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I sure have been looking at this issue. My HP business computer was given to me with no HDD so isn't exactly standard. I assume it's about 2008 era... so it's a system I put together - installed XP - went to HP's site and guessed what drivers etc. needed to be installed. Some of these may have been "extras". The tool Intel provides of course doesn't support XP so I'm doing my own searching. Looking in the system I see I installed Intel MEI. In the BIOS I have MEBx. Can't find anything on AMT or LMS.

    Exactly. It would be nice if at least accurate details from the authentic sources were stated... and that time difference could mean the difference between my computer being affected or not, and Intel's way of telling you how to figure it out is appalling. For example, as stated within their 4 options, if you don't have the vPro on your badge your system can still be vPro capable. And MEBx...

    o_O

    o_O

    This is no light matter, in fact I can't think of anything worse. Something that can bypass your OS, phone home with EVERYTHING on your computer is about as creepy as it gets! :cautious:.
     
  3. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Merciful mother of God .... This Intel AMT password bypass really works! :eek:
    Made a little test program this evening.
    Here are results:

    upload_2017-5-11_1-54-26.png

    upload_2017-5-11_1-55-29.png

    Sooooo tempted to turn computer off ....
    upload_2017-5-11_1-57-20.png

    So let's hope that the sysadmin of this computer called 'Unicenter' patches ASAP
    And also the 6,641 other fellows too ...
    https://www.shodan.io/search?query=http intel active management
     
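    The Shodan query above matches on the banner the AMT web UI sends in its Server header. As an added example (not code from this thread or from any poster), here is a small Python inventory check that recognises that banner in an HTTP response, and can probe hosts you administer on the two AMT web UI ports (16992 plain HTTP, 16993 TLS) to see whether the interface is reachable at all. The sample responses are constructed, not captured from a real host; the version string in them is made up.

```python
import re
import socket
import ssl
from typing import Dict, Optional

# Ports on which the Intel AMT web UI listens (16992 = HTTP, 16993 = HTTPS).
AMT_WEB_PORTS = (16992, 16993)

# The AMT web server names itself in the Server header, followed by the
# firmware version the box is running.
_AMT_SERVER = re.compile(r"Intel\(R\) Active Management Technology\s+([\d.]+)", re.I)

# Constructed sample responses (not captured from any real host).
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 7.1.91\r\n"
    b"Location: /logon.htm\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.25 (Debian)\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def amt_version_from_response(response: bytes) -> Optional[str]:
    """Return the AMT firmware version advertised in the Server header,
    or None when the response did not come from the AMT web UI."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            match = _AMT_SERVER.search(value.decode("latin-1"))
            return match.group(1) if match else None
    return None


def probe_amt_web_ui(host: str, port: int = 16992, timeout: float = 3.0) -> Optional[str]:
    """Fetch the web UI root on a host you administer and return the advertised
    AMT version, or None if nothing AMT-like answers. Port 16993 is wrapped in
    TLS; certificate checks are off because we only want the banner, not trust."""
    request = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == 16993:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            chunks = []
            while len(b"".join(chunks)) < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    return amt_version_from_response(b"".join(chunks))


def exposure_report(responses: Dict[str, bytes]) -> Dict[str, str]:
    """Map host -> advertised AMT version for every response that came from the AMT web UI."""
    report = {}
    for host, response in responses.items():
        version = amt_version_from_response(response)
        if version is not None:
            report[host] = version
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; the hosts are placeholders.
    sample = {"10.0.0.5": SAMPLE_AMT_RESPONSE, "10.0.0.6": SAMPLE_OTHER_RESPONSE}
    for host, version in exposure_report(sample).items():
        print(f"{host}: AMT web UI reachable, firmware {version}")
```

    In practice you would feed probe_amt_web_ui the addresses from your own asset list and treat any host that returns a version as one whose firmware level and network exposure need checking against the vendor's advisory; a box that answers on 16992 from the Internet side is the situation the Shodan query turns up.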
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Did you see anything that's obviously not a server?
     
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    This morning, soon after I started Windows, I got a notification from IObit's Driver Booster telling me about the Intel vulnerability, with a View Details button which took me to a page on IObit's forums providing more information. When I rebooted my computer, I got another alert about it with a different message and link.

    Driver Booster Intel.png Driver Booster 2.png
    hxxp://forums.iobit.com/forum/driver-booster/driver-booster-v4/220200-vulnerability-hits-intel-enterprise-pcs-going-back-10-years
    hxxp://forums.iobit.com/forum/driver-booster/driver-booster-v4/220231-intel-works-with-computer-manufacturers-to-fix-firmware-vulnerabilities
     
  6. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    181
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    No, and who cares about consumer PCs anyway when you have gems like these wide open:

    The Center of Dedicated Servers LLC (Russia)
    Comcast Cable (USA)
    TalkTalk (UK)

    Example: here is a Comcast box that I could power on anytime I wanted (yeah, it's true, when you turn the computer off it's not really "off")

    upload_2017-5-11_14-56-15.png
     
  8. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Here you could change the DNS server the box is using (here Google's DNS) to point to a malicious DNS server owned by you.

    upload_2017-5-11_15-10-37.png
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    So all the nice info (disk, system info, network etc.) about the server box (which in itself is valuable info for any bad boy) can be seen. We can turn the box on/off anytime. Mess with network settings to hijack DNS.

    And finally, here's the final kick to the nuts for Intel AMT: Remote VNC

    Those articles describe that machines with Intel AMT enabled and public to the Internet can be remotely controlled. So while it can't be done directly from the Intel AMT Web UI it can be done indirectly.

    Here's how:

    1.
    With this hack, log in as admin and create a new user with full admin rights (or if you are particularly mean, just change the admin password to whatever you want):

    upload_2017-5-11_16-56-34.png

    2.
    Download RealVNC Plus viewer
    https://www.realvnc.com/products/viewerplus/

    3.
    Connect to the box IP address and select Connection Mode as "Intel AMT KVM" and Encryption None (haven't tried with TLS enabled, might work with that too)

    upload_2017-5-11_16-58-54.png

    4.
    Select yes when it asks if the domain name belongs to this IP
    upload_2017-5-11_16-59-41.png

    5.
    When login prompt pops up, give the previously created login credentials and wait....

    6.
    You're in. (mind you, this is all totally transparent to the OS and it doesn't even have to have a VNC server installed because it's all in the silicon).

    upload_2017-5-11_17-0-59.png
     

  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    338 half.png
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that is pitiful ;)

    I wonder how that server is used. It could well provide access for a wider compromise :(

    But it'd arguably be far worse if millions of clueless users were vulnerable.

    <SNIP>
     
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Yeah and I am really, really, *really* trying to resist opening remote VNC to Comcast right now and rummaging through their box and network .... ;)

    Ah, hell ... I might check it anyway if bored this weekend...
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    At first I was a bit skeptical about the risk involved with Intel's Management Engine, but now I do think something should be done to fix it. Here is another article:

    https://www.eff.org/deeplinks/2017/...security-hazard-and-users-need-way-disable-it
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Thanks for the link. I think this sums it up:

    "The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility."
     
  15. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    This is really crazy...
    Box turned off but want to still use remote VNC ?
    No problem at all!

    upload_2017-5-13_17-19-6.png

    Let's turn the box on
    upload_2017-5-13_17-19-37.png

    Better yet, let's visit the BIOS settings while at it

    upload_2017-5-13_17-20-5.png

    Tadaa....

    upload_2017-5-13_17-20-37.png

    God... so much unlimited potential to keep the box compromised .... :eek:

    upload_2017-5-13_17-21-54.png
     

  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Did you find any contact information? Maybe whois on the IP? It'd be cool to let these fools know.
     
  17. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    There is an Intel Management Engine firmware update available for Lenovo ThinkCentre and other desktops and servers, dated 10/5/2017.
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Anyone concerned about vPro should be equally concerned about UEFI (the modern successor to the old BIOS). One of UEFI's "features" is support for pre-boot networking.
    The purpose of this feature is documented to be to allow remote support in the event of a boot failure, haha. Of course pre-boot just happens to be the time when everyone's system is in its most vulnerable state. Think evil maid. Even many encrypted systems are vulnerable because they require an unencrypted header which can be modified to do such things as capture the password, dump the master key etc. TrueCrypt may be a little more protected because rather than a header it loads a device driver, but I feel quite sure that could be modified or replaced too.
     
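    The post above points at the unencrypted boot pieces (EFI system partition, bootloader, the encrypted volume's header) that an evil maid with pre-boot access can alter. As an added example that is not from this thread or any poster, here is a Python baseline-and-diff check for such a directory: record the SHA-256 of every file while the machine is in a known-good state, then compare on a later occasion. The directory path is an assumption (pass whatever your ESP or boot partition is mounted as); the files in the self-test are constructed in a temporary directory. The caveat follows from the post itself: the comparison only means something when it runs from media the attacker could not have touched, which is why the stored baseline is compared against, not simply regenerated.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """SHA-256 of one file, streamed so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Map every regular file below root (relative path, '/'-joined) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def save_baseline(root: str, baseline_path: str) -> None:
    """Write the current tree's digests to a JSON file kept on trusted media."""
    with open(baseline_path, "w") as handle:
        json.dump(hash_tree(root), handle, indent=2, sort_keys=True)


def load_baseline(baseline_path: str) -> Dict[str, str]:
    with open(baseline_path) as handle:
        return json.load(handle)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose contents changed, files that appeared, and files that vanished."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def self_test() -> Dict[str, List[str]]:
    """Build a constructed toy boot directory, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        efi = os.path.join(root, "EFI", "BOOT")
        os.makedirs(efi)
        with open(os.path.join(efi, "BOOTX64.EFI"), "wb") as handle:
            handle.write(b"constructed bootloader image")
        with open(os.path.join(root, "header.bin"), "wb") as handle:
            handle.write(b"constructed volume header")
        baseline = hash_tree(root)
        # Simulate an edit to the bootloader, a dropped extra binary and a removed header.
        with open(os.path.join(efi, "BOOTX64.EFI"), "ab") as handle:
            handle.write(b"+tampered bytes")
        with open(os.path.join(efi, "extra.efi"), "wb") as handle:
            handle.write(b"constructed dropped binary")
        os.remove(os.path.join(root, "header.bin"))
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    # Offline demonstration; for real use: save_baseline("/boot/efi", "/media/trusted/baseline.json")
    # once, then compare(load_baseline(...), hash_tree("/boot/efi")) on later checks.
    for kind, paths in self_test().items():
        print(kind, paths)
```

    Any non-empty "modified" or "added" list for a boot directory you have not updated yourself is the signal to investigate; a firmware or bootloader update you applied deliberately is the only expected reason to re-run save_baseline.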