New research sheds light on a severe vulnerability affecting Quanta Cloud Technology servers. The vulnerability, known as Pantsdown and tracked as CVE-2019-6260, could enable malicious code execution attacks.
According to Eclypsium researchers, the flaw was discovered in 2019 and affects multiple BMC (Baseboard Management Controller) firmware stacks, including AMI, SuperMicro and OpenBMC versions up to 2.6. CVE-2019-6260 could enable arbitrary read and write access to the BMC’s physical address space from the host, making it possible for an attacker to overwrite the existing BMC firmware, execute malicious code, and disable the device, the report said. The flaw is rated 9.8 out of 10 on the CVSS scale, making it a highly critical issue.
What Is BMC (Baseboard Management Controller)?
A BMC is a specialized service processor designed to monitor the physical state of a computer, network server or other hardware device via sensors. It also communicates with the system administrator through an independent connection. In other words, it is used to control low-level hardware settings and to install firmware and software updates.
How Can CVE-2019-6260 Be Exploited?
Using CVE-2019-6260’s ability to read and write to memory, the researchers successfully patched the web server code while it was running in memory on the BMC, and replaced it with their own malicious code to trigger a reverse shell whenever a user refreshes the webpage or connects to the web server.
“This is only one example of many possible techniques that would allow an attacker to move from the host operating system and gain code execution within the BMC,” the researchers added. It is noteworthy that the researchers’ proof-of-concept code required root access on the physical server, which is routinely provided by default when renting a bare-metal server. Furthermore, an attacker could obtain root access by leveraging a web-facing application and escalating privileges, or exploiting any service already running with root.
The steps to exploit the Pantsdown vulnerability would look like this:
1. The attacker gains a foothold on the target server and confirms that a vulnerable BMC is present.
2. Dump the BMC RAM via CVE-2019-6260, then use memory forensics techniques to find running processes and binaries such as Lighttpd, the open source web server the BMC uses.
3. Reverse engineer Lighttpd to find the location of the connection_accept() function, which is called whenever a new connection to the web server is established.
4. Modify the BMC RAM via CVE-2019-6260 to replace the connection_accept() code with attacker-supplied code that includes a reverse shell.
5. Trigger the reverse shell by connecting to the webpage, or simply wait for a sysadmin to access it.
The vulnerability was disclosed to the vendor in October last year, and a patch was released privately to customers on April 15, 2022.