WebUSBWebGPUWebPCIEWebNVMEWebSATAWebATX12V
-
@littlefox WebRing0
@volpeon WebSMM
-
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip WebExpressCard
-
WebSPI
WebBIOS
WebUEFI -
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system. -
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip WebDOCSIS
-
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system. -
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
@manawyrm @littlefox @volpeon It sounds bad but is it really? If you have BMC access you would be able to do all sorts of evil things already.
Unless there is an ACL system which pretends this is “safe”… -
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
@manawyrm this is beautiful o.o
-
@manawyrm @littlefox @volpeon It sounds bad but is it really? If you have BMC access you would be able to do all sorts of evil things already.
Unless there is an ACL system which pretends this is “safe”…@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.
But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.
Their firmware is sooo shoddily written that they're basically remote code execution as a service.
-
@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.
But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.
Their firmware is sooo shoddily written that they're basically remote code execution as a service.
@manawyrm @littlefox @volpeon I was thinking of fine-grained ACL, where somebody could get the idea of “just mounting CDROMs is suuurely safe”.
Other than that, that’s my mental model around them as well
-
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V -
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon there's also WebSerial.
-
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip WEBYuri anyone?
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
-
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.@manawyrm @littlefox @volpeon fun fact, the iDRAC virtual console is (slightly modified) VNC over a websocket
-
@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.
But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.
Their firmware is sooo shoddily written that they're basically remote code execution as a service.
@athenas @littlefox @volpeon @manawyrm inam reminded of int80s and travis goodspeeds antiforensics talks where they rewrote hard drive firmware to behave differently when they detected forensic sequential reads after a certain thresshold. 'hard drives are just tiny embedded linux devices'
-
@littlefox @manawyrm @volpeon You really don't.
-
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.@manawyrm @littlefox @volpeon Aaaaargh!
