Script http-vuln-cve2017-5689

Script types: portrule
Categories: vuln, auth, exploit
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse

Script Summary

Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

This script determines whether a target is vulnerable by attempting digest authentication with a blank response parameter. If the authentication succeeds, an HTTP 200 response is received.
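As an added example (not part of the Nmap script or its documentation), the detection side of the same condition: parse the Digest Authorization header of each logged request and flag requests whose response parameter is blank, treating an accompanying 200 status as a successful bypass. The log line layout and the sample records are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not from the page): one line per request to the AMT web
# interface, laid out as "<timestamp> <client> <status> <Authorization header>".
# This layout is an assumption made for the example.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 10.0.0.5 401 Digest username="admin", realm="Digest:1A2B", nonce="n1", uri="/index.htm", response=""
2017-05-01T10:00:02Z 10.0.0.5 200 Digest username="admin", realm="Digest:1A2B", nonce="n1", uri="/index.htm", response=""
2017-05-01T10:00:03Z 10.0.0.9 200 Digest username="admin", realm="Digest:1A2B", nonce="n2", uri="/index.htm", response="6629fae49393a05397450978507c4ef1", qop=auth, nc=00000001, cnonce="0a4f"
2017-05-01T10:00:04Z 10.0.0.7 401 Basic YWRtaW46cGFzc3dvcmQ=
"""

# key=value pairs; quoted values may be empty, unquoted ones run to the next comma
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]*))')


def parse_digest_params(header: str) -> Optional[Dict[str, str]]:
    """Return the parameters of a Digest Authorization header, or None for any
    other scheme. An empty quoted value is preserved as '' rather than dropped."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def is_blank_response_digest(header: str) -> bool:
    """True when a Digest header carries a present but empty 'response' parameter,
    the malformed credential an unpatched AMT firmware accepts (INTEL-SA-00075)."""
    params = parse_digest_params(header)
    return params is not None and params.get("response", "x").strip() == ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag every blank-response Digest request. A 200 status means the request
    was accepted (bypass succeeded); any other status is recorded as an attempt."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, header = line.split(" ", 3)
        if not is_blank_response_digest(header):
            continue
        user = parse_digest_params(header).get("username", "")
        findings.append({"time": ts, "client": client, "status": status, "username": user,
                         "verdict": "bypass_succeeded" if status == "200" else "attempt"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```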

References:

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p 16992 --script http-vuln-cve2017-5689 <target>

Script Output

PORT      STATE SERVICE       REASON
16992/tcp open  amt-soap-http syn-ack
| http-vuln-cve2017-5689:
|   VULNERABLE:
|   Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5689  BID:98269
|     Risk factor: High  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
|       Intel Active Management Technology is vulnerable to an authentication bypass that
|       can be exploited by performing digest authentication and sending a blank response
|       digest parameter.
|
|     Disclosure date: 2017-05-01
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
|       https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
|       http://www.securityfocus.com/bid/98269
|       https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
|       https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
|_      https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

Requires


Author:

  • Andrew Orr

License: Same as Nmap--See https://nmap.org/book/man-legal.html