@DavidWittman
Last active January 27, 2022 20:02
This expect script secures SuperMicro IPMI implementations that expose the IPMI password in plaintext on port 49152.
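#!/usr/bin/expect -f
# This script secures SuperMicro IPMI implementations which are vulnerable
# to viewing the IPMI password in plaintext on port 49152. It does this by
# using the shell available in some SuperMicro BMCs to drop traffic to port
# 49152 in iptables.
#
# See http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
# for more details on the vulnerability.
#
# Usage ./supermicro-psblock-fix.expect $IPMI_HOST <$IPMI_PASSWORD>
# e.g. ./supermicro-psblock-fix.expect 10.0.0.2
# ./supermicro-psblock-fix.expect 10.0.0.2 PASSWORD123
#
# Notes for operators:
# - This only blocks the port; it does not change the password. Credentials
#   that were readable on port 49152 before the rule was added should be
#   treated as exposed and changed.
# - The rule is added with iptables, which filters IPv4 only.
# - A password passed as the second argument is visible in the process list
#   and in shell history on the machine running this script.
# - SSH host key checking is disabled below, so the identity of the BMC is
#   not verified before the password is sent to it.
#
# Exit status: 0 when the rule is in place (already present, or added,
# verified and saved); 1 on any error.

set timeout 30
set IPMI [lindex $argv 0]
set PASSWORD [lindex $argv 1]
set USER ADMIN
set PROMPT ->
set PORT 49152

# Print an error in the same format as the rest of the script and stop.
proc fail {msg} {
    puts "\nERROR: $msg"
    exit 1
}

# Without a host, ssh would be spawned against "ADMIN@" and fail obscurely.
if { [string length $IPMI] == 0 } {
    puts "Usage: $argv0 IPMI_HOST \[IPMI_PASSWORD\]"
    exit 1
}

# Default password to "ADMIN" (SuperMicro default) if one isn't passed in
if { [string length $PASSWORD] == 0 } {
    set PASSWORD ADMIN
}

# Shell command that prints OK only when the DROP rule is already present.
# It is sent twice: once before inserting the rule and once afterwards to
# confirm that the insert really took effect.
set RULE_CHECK "iptables-save | grep -q '\\-A INPUT -p tcp -m tcp --dport $PORT -j DROP' && echo 'OK'\r"

# NOTE(review): StrictHostKeyChecking=no accepts whatever host key is
# presented, so the password below can end up at an impostor. Kept as in the
# original because BMC host keys are usually not pre-registered; run this
# from a trusted management network.
spawn ssh -o StrictHostKeyChecking=no $USER@$IPMI

# Only send the password once ssh has actually asked for it.
expect {
    "password: " {}
    timeout {
        fail "Timeout waiting for the SSH password prompt on $IPMI."
    }
    eof {
        fail "SSH connection to $IPMI closed before the password prompt."
    }
}
send -- "$PASSWORD\r"

expect {
    "#" {
        # In most cases, the BMCs which drop straight a shell do not support
        # using the TCP module for iptables, which is no bueno.
        puts "\nERROR: Unsupported firmware version."
        exit 1
    }
    -exact $PROMPT {}
    "Permission denied" {
        # Stop here instead of typing shell commands into a password prompt.
        fail "Login to $IPMI was rejected."
    }
    timeout {
        fail "Timeout waiting for the BMC prompt after login."
    }
    eof {
        fail "SSH connection to $IPMI closed during login."
    }
}

send -- "shell sh\r"
expect {
    "#" {
        send -- $RULE_CHECK
        expect {
            "OK\r\n#" {
                puts "\niptables rule is already in place."
            }
            "#" {
                send -- "iptables -I INPUT -m tcp -p tcp --dport $PORT -j DROP\r"
                expect {
                    "#" {}
                    timeout {
                        fail "Timeout while adding the iptables rule."
                    }
                }

                # Confirm the rule is really there before claiming success;
                # the insert can fail on firmware without the tcp match.
                send -- $RULE_CHECK
                expect {
                    "OK\r\n#" {}
                    "#" {
                        fail "iptables rule for port $PORT was not applied."
                    }
                    timeout {
                        fail "Timeout while verifying the iptables rule."
                    }
                }

                # Write the rule set to the file the original script used
                # and check that the write itself succeeded.
                send -- "iptables-save > /nv/ipctrl/rultbl.sav && echo 'OK'\r"
                expect {
                    "OK\r\n#" {}
                    "#" {
                        fail "Rule is active but could not be saved to /nv/ipctrl/rultbl.sav."
                    }
                    timeout {
                        fail "Timeout while saving the iptables rules."
                    }
                }
                puts "\nSuccessfully blocked port $PORT in iptables!"
            }
            timeout {
                fail "Timeout checking iptables rules on the BMC."
            }
        }
    }
    "shell command not support now." {
        puts "\nERROR: Accessing the shell is not available on this BMC."
        exit 1
    }
    timeout {
        puts "\nERROR: Timeout accessing shell on the BMC."
        exit 1
    }
    eof {
        fail "SSH connection to $IPMI closed while opening the shell."
    }
}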