This expect script secures SuperMicro IPMI implementations which are vulnerable to disclosure of the IPMI password in plaintext on port 49152.
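#!/usr/bin/expect -f
# This script secures SuperMicro IPMI implementations which are vulnerable
# to viewing the IPMI password in plaintext on port 49152. It does this by
# using the shell available in some SuperMicro BMCs to drop traffic to port
# 49152 in iptables.
#
# See http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
# for more details on the vulnerability.
#
# Usage ./supermicro-psblock-fix.expect $IPMI_HOST <$IPMI_PASSWORD>
# e.g.  ./supermicro-psblock-fix.expect 10.0.0.2
#       ./supermicro-psblock-fix.expect 10.0.0.2 PASSWORD123
#
# The password may also be supplied in the IPMI_PASSWORD environment variable
# instead of on the command line, which keeps it out of `ps` output and shell
# history. A positional password still takes precedence over the variable.
#
# Exit status: 0 when the DROP rule is installed or already present, 1 when the
# BMC cannot be secured (unsupported firmware, no shell, bad credentials,
# timeout, connection lost, iptables refused the rule), 2 on a usage error.

set timeout 30
set IPMI [lindex $argv 0]
set PASSWORD [lindex $argv 1]
set USER ADMIN
set PROMPT ->
set PORT 49152

# A target host is mandatory; without it ssh would be asked to connect to "ADMIN@".
if { [string length $IPMI] == 0 } {
    puts stderr "Usage: $argv0 IPMI_HOST \[IPMI_PASSWORD\]"
    exit 2
}

# Password precedence: argv, then the IPMI_PASSWORD environment variable, then
# the SuperMicro factory default "ADMIN".
if { [string length $PASSWORD] == 0 && [info exists env(IPMI_PASSWORD)] } {
    set PASSWORD $env(IPMI_PASSWORD)
}
if { [string length $PASSWORD] == 0 } {
    set PASSWORD ADMIN
}

# Report a failure on stderr and exit non-zero. Every path on which the BMC is
# left unsecured goes through here so a caller looping over many hosts can
# tell success from failure by exit status alone.
proc fail {msg} {
    puts stderr "\nERROR: $msg"
    exit 1
}

# StrictHostKeyChecking=no accepts whatever host key the BMC presents, so the
# password is sent to an unverified peer. This keeps the original behaviour
# (BMC keys are rarely pre-distributed); where a known_hosts entry for the BMC
# exists, dropping this option is the safer choice.
spawn ssh -o StrictHostKeyChecking=no $USER@$IPMI

# Only send the password once a password prompt has actually been seen. The
# original fell through on timeout/eof and sent the password regardless.
expect {
    "password: " { send -- "$PASSWORD\r" }
    timeout { fail "Timeout waiting for the ssh password prompt on $IPMI." }
    eof { fail "Connection to $IPMI closed before a password prompt appeared." }
}

expect {
    "#" {
        # In most cases, the BMCs which drop straight into a shell do not support
        # using the TCP module for iptables, which is no bueno.
        fail "Unsupported firmware version."
    }
    -exact $PROMPT {}
    # A second password prompt means the first password was rejected.
    "password: " { fail "Authentication failed for $USER@$IPMI." }
    timeout { fail "Timeout waiting for the IPMI prompt on $IPMI." }
    eof { fail "Connection to $IPMI closed before the IPMI prompt appeared." }
}

send -- "shell sh\r"
expect {
    "#" {
        # Idempotency check: look for an existing DROP rule on $PORT in the live
        # ruleset. The escaped leading dash keeps grep from reading "-A" as an option.
        send -- "iptables-save | grep -q '\\-A INPUT -p tcp -m tcp --dport $PORT -j DROP' && echo 'OK'\r"
        expect {
            "OK\r\n#" {
                puts "\niptables rule is already in place."
            }
            "#" {
                # Echo a marker only if iptables succeeds; the original reported
                # success as soon as a prompt returned, even when the rule was refused.
                send -- "iptables -I INPUT -m tcp -p tcp --dport $PORT -j DROP && echo 'OK'\r"
                expect {
                    "OK\r\n#" {}
                    "#" { fail "iptables refused to add the DROP rule for port $PORT." }
                    timeout { fail "Timeout while adding the iptables rule on the BMC." }
                    eof { fail "Connection to $IPMI closed while adding the iptables rule." }
                }
                # Write the live ruleset to the BMC's saved-rule file (the path the
                # original script uses); presumably restored at boot -- not verified here.
                send -- "iptables-save > /nv/ipctrl/rultbl.sav\r"
                expect {
                    "#" {}
                    timeout { fail "Timeout while saving the iptables ruleset on the BMC." }
                    eof { fail "Connection to $IPMI closed while saving the iptables ruleset." }
                }
                puts "\nSuccessfully blocked port $PORT in iptables!"
            }
            timeout { fail "Timeout while checking iptables on the BMC." }
            eof { fail "Connection to $IPMI closed while checking iptables." }
        }
    }
    "shell command not support now." {
        fail "Accessing the shell is not available on this BMC."
    }
    timeout {
        fail "Timeout accessing shell on the BMC."
    }
    eof { fail "Connection to $IPMI closed while opening the BMC shell." }
}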