GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    number 1 duke fan :duke: :duke: (i_lost_my_bagel@mastodon.lilysthings.org), Sunday, 07-Apr-2024 14:56:18 JST:

    fun fact: if you have a laptop or desktop that has an intel cpu with "vPro" on the sticker there's a chance the management engine in your CPU is just hosting a web server at all times.

    It's at port 16992


    Attachment: https://pool.jortage.com/mastodonlilysthingsorg/media_attachments/files/112/228/340/488/811/247/original/31530e38984a34f1.png
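A practitioner's first question after reading the post above is "is that web server reachable on my machine?". The following is an added example written for this page, not code from the thread: it fingerprints an Intel AMT web interface from its HTTP reply (the `Server` header naming Intel(R) Active Management Technology and the Digest challenge the UI sends before login) and optionally probes a host on port 16992. The sample responses are constructed for the example; the version string in them is illustrative, not a real firmware build.

```python
"""Fingerprint an Intel AMT web interface from its HTTP response.

Added example for this thread, not code from the posts above.  AMT's
management web UI listens on TCP 16992 (HTTP) and 16993 (HTTPS), replies
with a 'Server' header naming Intel(R) Active Management Technology, and
asks for HTTP Digest authentication.  SAMPLE_AMT_RESPONSE is constructed
for this example; its version string is illustrative.
"""
import re
import socket
from typing import Dict, Optional

AMT_PORTS = (16992, 16993)

_SERVER_RE = re.compile(
    r"Intel\(R\)\s+Active Management Technology\s*([\d.]*)", re.IGNORECASE)
_REALM_RE = re.compile(r'realm="([^"]*)"')


def parse_amt_response(raw: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return AMT fingerprint fields if `raw` is an AMT HTTP reply, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    match = _SERVER_RE.search(headers.get("server", ""))
    if not match:
        return None
    realm = _REALM_RE.search(headers.get("www-authenticate", ""))
    return {
        "status": lines[0].split(" ", 1)[1] if " " in lines[0] else lines[0],
        "version": match.group(1) or None,
        "digest_realm": realm.group(1) if realm else None,
    }


def probe_amt(host: str, port: int = 16992, timeout: float = 3.0):
    """Connect to host:port, fetch /index.htm and fingerprint the reply.

    Only the plain-HTTP port is handled here; 16993 would need TLS.
    Returns None on connection failure or a non-AMT reply.
    """
    request = (f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
               f"User-Agent: amt-probe\r\nConnection: close\r\n\r\n").encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(b"".join(chunks)) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:
        return None
    return parse_amt_response(b"".join(chunks))


# Constructed sample of what the AMT UI typically sends before login.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Date: Sun, 07 Apr 2024 05:56:18 GMT\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3399\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", '
    b'nonce="abcdef0123456789", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed sample of an ordinary web server on the same port, for contrast.
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_amt(sys.argv[1]))          # e.g. python amt_probe.py 192.0.2.10
    else:
        print(parse_amt_response(SAMPLE_AMT_RESPONSE))
```

Run it against the IP of the machine rather than localhost: as the thread goes on to explain, the ME answers on the NIC, and the host OS only sees the port on 127.0.0.1 when a passthrough driver is installed, so a loopback probe saying nothing proves nothing.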
      13 barn owls in a trenchcoat (hauntedowlbear@eldritch.cafe), Sunday, 07-Apr-2024 14:56:16 JST:

      @i_lost_my_bagel integrated remote KVM functionality from boot seems like an amazing idea until https://mjg59.dreamwidth.org/48429.html


      (linked: mjg59, "Intel's remote AMT vulnerablity")
      13 barn owls in a trenchcoat (hauntedowlbear@eldritch.cafe), Sunday, 07-Apr-2024 15:00:51 JST:

      @i_lost_my_bagel haha, I just edited to add a similar sentiment. Full remote access, just built in, with no extra hardware or licence is p great.

      number 1 duke fan :duke: :duke: (i_lost_my_bagel@mastodon.lilysthings.org), Sunday, 07-Apr-2024 15:00:53 JST, in reply to 13 barn owls in a trenchcoat:

      @HauntedOwlbear yeah... I will say though. I used this laptop as a server for a bit and it was so so useful.

      Speaktrap (speaktrap@mastodon.social), Monday, 08-Apr-2024 02:12:20 JST:

      @i_lost_my_bagel At least it greatly increases Minix userbase (Intel ME still is based on Minix, no?)

      Polychrome :blabcat: (polychrome@poly.cybre.city), Monday, 08-Apr-2024 05:46:30 JST, in reply to Samuel Chase and Sqaaakoi :flagEnby:
      @samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

      While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.

      If the OS can access the IME over localhost:16992 then it's because the OS has a passthrough driver.

      Generally the right way to do things is to allocate a separate address for the IME rather than use the same address as the OS. This frees the port on the OS and ensures there won't be any conflict with anything that tries to grab it. Apparently the IME can have its own MAC address via internal bridging on the NIC.

      If for whatever reason you can't disable the IME and/or its webserver you can take it off the network by using your own PCI network card instead of the built-in one. The IME should not be able to access the network card that isn't part of the chipset, effectively isolating it.

      Some corporate networks use that approach for extra security: Connect the IME to an internal management-only network via the built-in ethernet chipset, and a PCI card for actual work network access.
      Sqaaakoi :flagEnby: (sqaaakoi@wetdry.world), Monday, 08-Apr-2024 05:46:34 JST, in reply to Samuel Chase:

      @samebchase @i_lost_my_bagel Not what I asked. (I already knew what it was.) I am wondering how it manages to expose ports on the main system OS' localhost.

      Samuel Chase (samebchase@fantastic.earth), Monday, 08-Apr-2024 05:46:34 JST, in reply to Sqaaakoi :flagEnby:

      @Sqaaakoi @i_lost_my_bagel ah right, sorry I must have misinterpreted what you were asking and assumed that you were not aware of IME. My apologies.

      Now, even I am wondering the same thing... 🤔

      Samuel Chase (samebchase@fantastic.earth), Monday, 08-Apr-2024 05:46:38 JST, in reply to Sqaaakoi :flagEnby:

      @Sqaaakoi @i_lost_my_bagel Management Engine is essentially an entire OS (Minix) running /on/ the CPU.

      So pretty much every computer out there is running two OSes at all times.

      Sqaaakoi :flagEnby: (sqaaakoi@wetdry.world), Monday, 08-Apr-2024 05:46:39 JST:

      @i_lost_my_bagel how the hell does that work in the OS? localhost should be handled by the OS, right? so how would that work

      djsumdog (djsumdog@djsumdog.com), Monday, 08-Apr-2024 07:07:55 JST, in reply to Hoss Delgado:
      vPro has been around since the early 2000s. I didn't know it just keeps a web server running now though. I wonder if that's from the ME chip itself, or if it's from the chipset drivers ... it would almost certainly have to be the chipset drivers if connecting to localhost
      Hoss Delgado (hoss@shitpost.cloud), Monday, 08-Apr-2024 07:07:56 JST:
      This what the glowies use?
      number 1 duke fan :duke: :duke: (i_lost_my_bagel@mastodon.lilysthings.org), Monday, 08-Apr-2024 07:07:57 JST:

      Intel Management Engine AMT KVM in action

      翠星石 (suiseiseki@freesoftwareextremist.com), Monday, 08-Apr-2024 11:30:02 JST, in reply to djsumdog:
      @djsumdog >I wonder if that's from the ME chip itself, or if it's from the chipset drivers ... it would almost certainly have to be the chipset drivers if connecting to localhost
      The ME runs MINIX and contains a web server as well as remote control functionality and even the ability to rewrite the storage medium when the computer is meant to be "off" (definitely not a frontdoor).

      "vPro" requires an Intel NIC chipset, which gives the ME its own MAC address and allows it to be accessed via the standard method, but otherwise doesn't require any chipset drivers to function.
      djsumdog (djsumdog@djsumdog.com), Monday, 08-Apr-2024 12:15:48 JST, in reply to 翠星石:
      So I knew about the Minix (and I think some newer boards have their own SoC chip just for ME). I was just wondering how it appeared as localhost in the video. The ME gets its own IP address (and on server boards, it often runs on a different physical Ethernet port), right?
      翠星石 (suiseiseki@freesoftwareextremist.com), Monday, 08-Apr-2024 12:36:53 JST, in reply to djsumdog:
      @djsumdog >I think some newer boards have their own SoC chip just for ME
      Nope.

      The ME in 2008 and before ran on an ARC processor built into the NIC chip, but later versions run on a dedicated x86 core built into the CPU substrate - so no SoC to speak of.

      >The ME gets its own IP address right?
      Yes, otherwise it would conflict with the computer trying to listen on port 16992.

      >and on server boards, it often runs on a different physical Ethernet port
      I can't find any details on this, but I guess?

      A different physical port probably won't make much difference security wise if one Ethernet chipset is handling the ports.
      Fediverse Contractor (bot@seal.cafe), Tuesday, 09-Apr-2024 01:12:33 JST, in reply to djsumdog and Hoss Delgado:
      Seems p sus... :blobcatcomfthink:
      Johann150 (johann150@genau.qwertqwefsday.eu), Tuesday, 23-Jul-2024 06:18:40 JST:

      @i_lost_my_bagel@mastodon.lilysthings.org fucking hell

      Attachment: https://genau.qwertqwefsday.eu/files/0c76d5f1-12f6-4c55-99cc-8f2b94837f26
      number 1 duke fan :duke: :duke: (i_lost_my_bagel@mastodon.lilysthings.org), Tuesday, 23-Jul-2024 06:19:29 JST, in reply to Alina Norakari:

      @alinanorakari if AMT is enabled it requires you to have the windows drivers ONLY TO SEE THE WEB INTERFACE ON THE LOCALHOST. If it's enabled you can still go to the web interface from any other machine by going to the IP.

      Alina Norakari (alinanorakari@broken.graphics), Tuesday, 23-Jul-2024 06:19:30 JST:

      @i_lost_my_bagel does this require Windows? My localhost thankfully doesn't react to requests on that port but I'm also running Linux

      veast (veast@mstdn.social), Tuesday, 23-Jul-2024 06:20:22 JST:

      @i_lost_my_bagel Oh yeah, AMT! This has a terrible exploit where you can logon with no password.

      I exploited it on my friend's server once.

      Attachment: https://media.mstdn.social/media_attachments/files/112/230/987/744/391/066/original/c209f2f1e5b0b159.png
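The "logon with no password" that veast mentions, and the mjg59 write-up hauntedowlbear linked earlier in the thread, are the same AMT bug (tracked as CVE-2017-5689): the firmware compared the client's HTTP Digest `response` value against the expected one using a length taken from the client-supplied string, so an empty `response` compared zero bytes and was accepted. The block below is an added example written for this page, not Intel's firmware code and not code from any post here; it models that truncated comparison beside a full-length constant-time one, on a small Digest-auth checker. User, password, realm, nonce and URI are constructed values.

```python
"""Digest-auth response check: the AMT-style truncated compare beside a fixed one.

Added example for this thread, not Intel's firmware code and not code from
the posts above.  It models the AMT authentication bypass mjg59 wrote up
(CVE-2017-5689): the expected Digest response was compared to the client's
with the client's own length, so an empty response matched.  Credentials,
realm, nonce and URI below are constructed values.
"""
import hashlib
import hmac
import re
from typing import Callable, Dict

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def expected_response(user: str, realm: str, password: str, method: str,
                      uri: str, nonce: str, nc: str, cnonce: str,
                      qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_header(header: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (q or b) for k, q, b in _KV_RE.findall(params)}


def check_truncated(expected: str, provided: str) -> bool:
    """Mirrors strncmp(expected, provided, strlen(provided)) == 0: the bug.

    With provided == "" no bytes are compared and the check passes.
    """
    return expected[:len(provided)] == provided


def check_constant_time(expected: str, provided: str) -> bool:
    """Full-length, timing-safe comparison: the fix."""
    return hmac.compare_digest(expected, provided)


def authenticate(auth_header: str, method: str,
                 password_for: Callable[[str], str],
                 compare: Callable[[str, str], bool]) -> bool:
    """Server-side check of an Authorization header with the given compare."""
    p = parse_digest_header(auth_header)
    try:
        exp = expected_response(p["username"], p["realm"],
                                password_for(p["username"]), method, p["uri"],
                                p["nonce"], p["nc"], p["cnonce"],
                                p.get("qop", "auth"))
    except KeyError:            # missing field or unknown user
        return False
    return compare(exp, p.get("response", ""))


# Constructed challenge parameters and credential store.
REALM = "Digest:0123456789ABCDEF"
NONCE = "abcdef0123456789"
PASSWORDS = {"admin": "Correct-Horse-Battery-Staple1!"}


def build_auth_header(user: str, response: str, uri: str = "/index.htm") -> str:
    """Client side: the Authorization header for a given response value."""
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{response}", qop=auth, nc=00000001, '
            f'cnonce="0a1b2c3d"')


def demo() -> Dict[str, bool]:
    """Run the four cases; 'empty_response_truncated' is the bypass."""
    empty = build_auth_header("admin", "")
    good = build_auth_header("admin", expected_response(
        "admin", REALM, PASSWORDS["admin"], "GET", "/index.htm", NONCE,
        "00000001", "0a1b2c3d"))
    lookup = PASSWORDS.__getitem__
    return {
        "empty_response_truncated": authenticate(empty, "GET", lookup, check_truncated),
        "empty_response_fixed": authenticate(empty, "GET", lookup, check_constant_time),
        "valid_response_truncated": authenticate(good, "GET", lookup, check_truncated),
        "valid_response_fixed": authenticate(good, "GET", lookup, check_constant_time),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPTED' if ok else 'rejected'}")
```

The same truncated comparison also accepts any correct prefix of the expected digest, so the fix is not "reject empty strings" but comparing the whole value with a length the attacker does not control; `hmac.compare_digest` does that without leaking where the mismatch occurred.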
      Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me), Tuesday, 23-Jul-2024 06:22:24 JST, in reply to Johann150:
      @Johann150 @i_lost_my_bagel Now I have an awful question, can regular websites reach it via XHR/Fetch or heck iframes/forms?
      Johann150 (johann150@genau.qwertqwefsday.eu), Tuesday, 23-Jul-2024 06:25:41 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan@queer.hacktivis.me @i_lost_my_bagel@mastodon.lilysthings.org iframe works

      Attachment: https://genau.qwertqwefsday.eu/files/f17d9fe0-ba6f-46dd-bbf8-fbac991de3a3
      djsumdog (djsumdog@djsumdog.com), Tuesday, 23-Jul-2024 09:49:07 JST, in reply to 翠星石 and LisPi:
      Yes, that sounds right. It's been a long time since I've worked in a data centre, but if I remember correctly, we had a whole separate set of switches just for the management network (I think we put ME and HP iLO on that network. We didn't have any iDRAC/Dell). They had their own IP ranges and the networking guy used jump boxes (I think he had two for redundancy) if he needed to get to the management network. I want to say the ME adapters were red and the iLO ones were green? .. they're usually a different colour than the primary NIC. We also had separate storage networks that weren't shared with anything either. The main network had VLAN tagging for data, VoIP and some other crap.
      LisPi (lispi314@udongein.xyz), Tuesday, 23-Jul-2024 09:49:08 JST, in reply to 翠星石 and djsumdog:
      @Suiseiseki @djsumdog On servers there's usually a dedicated management port, yes, and on mine I don't think it's handled by the same chipset either.

      In any case even if it were a single chipset, if it only listened to the network on the dedicated physical port and no other, abusing the built-in proprietary malware would be much more difficult.
GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.