WebUSBWebGPUWebPCIEWebNVMEWebSATAWebATX12V

@volpeon

WebSPI
WebBIOS
WebUEFI

@littlefox WebRing0

WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V

@volpeon

WebSPI
WebBIOS
WebUEFI

@manawyrm @volpeon tell me more. I crave more.

WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V

@littlefox @volpeon
*sigh*
OK, you wanted it:

AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).

How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.

@manawyrm @volpeon oh goth it's beautiful I love it

@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.

You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.

Imagine the rest of the story.

@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.

You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.

Imagine the rest of the story.

@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.

You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.

Imagine the rest of the story.

@manawyrm @littlefox @volpeon It sounds bad but is it really? If you have BMC access you would be able to do all sorts of evil things already.
Unless there is an ACL system which pretends this is “safe”…

@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.

But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.

Their firmware is sooo shoddily written that they're basically remote code execution as a service.

WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V

WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V

WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V

@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.

You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.

Imagine the rest of the story.

@littlefox @volpeon
*sigh*
OK, you wanted it:

AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).

How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.

@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.

But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.

Their firmware is sooo shoddily written that they're basically remote code execution as a service.

@manawyrm @volpeon tell me more. I crave more.