WebUSBWebGPUWebPCIEWebNVMEWebSATAWebATX12V

@manawyrm @littlefox @volpeon fun fact, the iDRAC virtual console is (slightly modified) VNC over a websocket

@littlefox @volpeon
*sigh*
OK, you wanted it:

AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).

How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.

@littlefox @volpeon
*sigh*
OK, you wanted it:

AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).

How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.

@littlefox @volpeon
*sigh*
OK, you wanted it:

AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).

How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.

@manawyrm @littlefox @volpeon not sure I fully understand, doesn't that mean the browser page with the ISO "upload" needs to stay open and active for the whole duration of what you're doing with the bootable image?

@funkylab @littlefox @volpeon Yes, that‘s right. It‘s being „streamed“ in real time from your browser, which also means that the speed is directly dependent on your latency to the server, because each sector read needs a command -> response interaction.

There wouldn‘t be any space anywhere for the BMC to store an entire ISO (not enough RAM or flash memory).

@manawyrm @littlefox @volpeon yeah I was wondering where images were stored, but assumed there must just be enough flash for that; I was wrong!

@funkylab @littlefox @volpeon some BMCs can also live stream images from HTTP, but that‘s an even more insane mechanism, where it generates HTTP requests on the fly for each sector (2048bytes) read from the CD.

Yes, one HTTP request per sector. It‘s a mini DDoS

@manawyrm @littlefox @volpeon well uefi specifies boot via HTTP https://uefi.org/specs/UEFI/2.11/24_Network_Protocols_SNP_PXE_BIS.html#http-boot ; there's an entirely (nah, let's go with homeopathically) reasonable world where the BMC acts as HTTP server, using as much of its own RAM as read cache as possible,to minimize that latency penalty (physical CD-ROM drives also benefit from locality, because seeking across half a disk is probably slower than awaiting replies from residential V.90 modems)

@funkylab @littlefox @volpeon

hahahahahaha, good joke

yeah, uefi http boot (and it’s support in practical devices) is mostly homeopathic. If you even dare think about things like IPv6 or modern webservers (something like nginx instead of a 17 year old Apache) it will just flat out refuse to work

the practical approach is to use the old PXE TFTP stuff to bootstrap something like iPXE and let it do HTTP from there.

@funkylab @littlefox @volpeon Yes, that‘s right. It‘s being „streamed“ in real time from your browser, which also means that the speed is directly dependent on your latency to the server, because each sector read needs a command -> response interaction.

There wouldn‘t be any space anywhere for the BMC to store an entire ISO (not enough RAM or flash memory).

@manawyrm @littlefox @volpeon well uefi specifies boot via HTTP https://uefi.org/specs/UEFI/2.11/24_Network_Protocols_SNP_PXE_BIS.html#http-boot ; there's an entirely (nah, let's go with homeopathically) reasonable world where the BMC acts as HTTP server, using as much of its own RAM as read cache as possible,to minimize that latency penalty (physical CD-ROM drives also benefit from locality, because seeking across half a disk is probably slower than awaiting replies from residential V.90 modems)

@littlefox @volpeon
*sigh*
OK, you wanted it:

AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).

How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.

@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.

You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.

Imagine the rest of the story.

@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.

You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.

Imagine the rest of the story.

@manawyrm @littlefox @volpeon Tell me the rest. I know SCSI only for all kind of storage (HDD, CD, Streamer) and Scanners.

@1000millimeter @manawyrm @volpeon sounds like it's rather easy to get buffer overflows and maybe even RCE via crafted malicious SCSI packets and while you usually have a hard time getting them onto an actual SCSI bus, via this websockets thing with broken authentication it's easy

@littlefox @1000millimeter @volpeon !