WebUSBWebGPUWebPCIEWebNVMEWebSATAWebATX12V
-
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon WebAM5
-
@volpeon WebGDDR6
-
WebSPI
WebBIOS
WebUEFI -
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip Web12VHPWR
OH GOD ITS BURNING -
if you don't know more details: be thankful for that and pretend you didn't hear anything.
if you do know more details: i'm truely sorry for you.
-
if you don't know more details: be thankful for that and pretend you didn't hear anything.
if you do know more details: i'm truely sorry for you.
-
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip Power over WebSocket
-
WebSPI
WebBIOS
WebUEFI@littlefox WebRing0
-
@littlefox WebRing0
@volpeon WebSMM
-
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip WebExpressCard
-
WebSPI
WebBIOS
WebUEFI -
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system. -
WebUSB
WebGPU
WebPCIE
WebNVME
WebSATA
WebATX12V@volpeon@icy.wyvern.rip WebDOCSIS
-
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system. -
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
@manawyrm @littlefox @volpeon It sounds bad but is it really? If you have BMC access you would be able to do all sorts of evil things already.
Unless there is an ACL system which pretends this is “safe”… -
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
@manawyrm this is beautiful o.o
-
@manawyrm @littlefox @volpeon It sounds bad but is it really? If you have BMC access you would be able to do all sorts of evil things already.
Unless there is an ACL system which pretends this is “safe”…@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.
But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.
Their firmware is sooo shoddily written that they're basically remote code execution as a service.
-
@athenas @littlefox @volpeon Yes, there is access control with username/password or even LDAP, which might be used by badly informed users.
But yes, the correct response is to _ALWAYS_ firewall and heavily isolate BMCs, consider them hostile and dangerous at all times.
Their firmware is sooo shoddily written that they're basically remote code execution as a service.
@manawyrm @littlefox @volpeon I was thinking of fine-grained ACL, where somebody could get the idea of “just mounting CDROMs is suuurely safe”.
Other than that, that’s my mental model around them as well
