WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V
@volpeon@icy.wyvern.rip WEBYuri anyone?
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices. Imagine the rest of the story.
-
@littlefox @volpeon
*sigh*
OK, you wanted it: AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back & forth via WebSockets, which the BMC then forwards via internal USB to the host system.
-
@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.
But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.
Their firmware is sooo shoddily written that they're basically remote code execution as a service.
@athenas @littlefox @volpeon @manawyrm I am reminded of int80's and Travis Goodspeed's antiforensics talks where they rewrote hard drive firmware to behave differently when they detected forensic sequential reads after a certain threshold. 'hard drives are just tiny embedded linux devices'
-
@littlefox @manawyrm @volpeon You really don't.
-
@manawyrm @littlefox @volpeon Aaaaargh!
-
@littlefox @manawyrm @volpeon Some things just aren't healthy.
-
WebMMIO to rule all of them!
-
@littlefox @manawyrm @volpeon Fair enough.
I've worked on some storage in my day and I have seen some shady shit ... but that kludge is horrific.
@elfin @littlefox @volpeon Littlefox knows me long enough to know that when I say: „oh god“, things are really bad
🤭
-
@volpeon WebSCSI!
(actually exists, courtesy of American Megatrends)
-
@manawyrm @littlefox @volpeon fun fact, the iDRAC virtual console is (slightly modified) VNC over a websocket
@awooo @manawyrm @littlefox @volpeon
Back in my days it was a Java Web Start app. And it also allowed you to pick an ISO, and IIRC it also didn't have a progress bar indicating that the ISO is being uploaded...
-
@manawyrm @littlefox @volpeon that's a small improvement. It used to be over TCP with RC4 and broken auth. https://eclypsium.com/research/virtual-media-vulnerability-in-bmc-opens-servers-to-remote-attack/
-
@manawyrm @littlefox @volpeon not sure I fully understand, doesn't that mean the browser page with the ISO "upload" needs to stay open and active for the whole duration of what you're doing with the bootable image?
@funkylab @littlefox @volpeon Yes, that's right. It's being „streamed“ in real time from your browser, which also means that the speed is directly dependent on your latency to the server, because each sector read needs a command -> response interaction.
There wouldn't be any space anywhere for the BMC to store an entire ISO (not enough RAM or flash memory).




