new blogpost! i hacked a Brother labelmaker.. or was it a Brother? (it’s complicated. what matters is that we have RCE!)

read it here: https://sdomi.pl/weblog/20-pwning-a-labelmaker/

@domi 2.6.32 is almost modern compared to Supermicro's BMC

@th oh gawd. you literally went “i see your ancient artifact, and i raise my own”

also nice, same arch!

Follow

@domi code execution on the Supermicro BMC was easier than your printer. the serial console prints "Press enter to login" and drops you to a root shell without any password. Dell iDRAC on the r630 does the same thing, although it had at least a 3.3 kernel.

@th @domi In my experience with Supermicros (at least on earlier ones without BMC secure boot), without even opening up the chassis it's also pretty easy to unpack a firmware image, replace the useless SMASH CLP shell with a symlink to a real shell, re-pack/install/boot, and then just ssh into it.

@zev @th @domi now how to work out if my Asus and AsrockRack boards use secure boot without breaking anything (AMI MegaRac/SMASH CLP)

@voltagex @zev @th my main server (sakamoto) is on an asrockrack motherboard, with an asmedia BMC; i haven’t tried replacing the image (yet), but from my limited tinkering, I think you should be able to replace the stuff in the image quite easily. the web updater also expects raw rom dumps, so i doubt it’s doing checks?

@voltagex @th @zev (altho YMMV and you’ll need to check this yourself :p i’m considering getting one of those asmedia BMCs on a PCIe card, sounds like something i would enjoy hacking)

@domi thanks domi. I just grabbed an Asrock PAUL (lol) second hand and I rate your chances of success higher than mine

I think postage would be prohibitive from Australia though.

@zev @th

@voltagex @domi @zev @th One of people at OSFC stand at FOSDEM showcased ASRock PAUL BMC board running OpenBMC

https://github.com/openbmc/openbmc

@domi @voltagex @th For the in-band firmware update mechanism (i.e. through the BMC's web interface), the *.ima files ASRock uses are yes, a raw flash image, but typically with a footer appended with some additional little bits (checksums of some sort, perhaps?) that I think its update machinery may actually verify, though I'm not certain.

However, you can probably bypass that by blasting new firmware in from the host via @arj's nifty tool culvert.

@zev @domi @th @arj am I about to brick a $1000 board? Probably, but I'm going to RMA it for a broken 10 gig port first.

@voltagex @th @domi Having worked with a decent number of ASRock Rack boards, I've yet to encounter one that uses secure boot -- a handful of recent-ish ones are also now supported (to varying degrees) in mainline OpenBMC, FWIW. (I've never dealt with any Asus systems.)

Sign in to participate in the conversation
(void *) social site

(void*)