Intel AMT Exploit Explained - CVE-2017-5689 [27/09/2017]

    Earlier this year a bug in Intel Active Management Technology (Intel AMT for short) was disclosed to Intel, and a firmware patch/update was made available. However, many people may never update their firmware to fix it, because this is an out-of-band issue: the vulnerable code runs on the hardware, outside of the operating system's control and "vision", so a normal OS update does nothing about it.

    So this is roughly what the code looks like (it was reverse-engineered, but it is accurate enough for the explanation). The key point is where response_length comes from: it is the length of the response the user sent, not the length of the value the firmware computed.

    /* response_length is the length of the caller-supplied user_response,
       so the caller decides how many bytes get compared. strncmp() returns 0
       ("equal") when the first response_length bytes match, or when
       response_length is 0 and nothing is compared at all. */
    if(strncmp(computed_response, user_response, response_length))
        deny_access();

    If you are familiar with the C language you can see that this compares the first response_length bytes of computed_response and user_response, and response_length is taken from what the user sent. So if you send "hello" it compares 5 bytes. The attack works by sending no password hash at all: with an empty response, response_length is 0, strncmp compares 0 bytes, returns 0 ("equal"), and deny_access() is never called. Rather than checking that the user input is valid, the function checks nothing. There are various ways this could have been prevented in the code, such as taking the comparison length from the computed value instead of the user input, rejecting a response whose length does not match, or simply checking that there was more than 0 bytes of data to compare.
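    The comparison above, side by side with a hardened version, as an added example (this is not the page's or Intel's code, and the digests, nonces and headers are constructed for the demonstration). It models the AMT web interface login, where the user-supplied value is the response field of an HTTP Digest Authorization header, pulls that field out of a few constructed headers and runs it through both checks. It also goes one step past the text: because the length is attacker-chosen, a correct prefix of the hash passes the vulnerable check for the same reason an empty response does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hex digest the server would have computed for this login attempt.
   Constructed value for the example, not a real AMT response. */
#define EXPECTED_RESPONSE "5f4dcc3b5aa765d61d8327deb882cf99"

/* Vulnerable comparison, modelled on the snippet above: the comparison length
   is the length of the attacker-supplied response. With an empty response
   user_len is 0, strncmp() compares nothing and returns 0, and the caller
   reads 0 as "match". A correct prefix of the hash passes for the same reason. */
bool vulnerable_check(const char *computed, const char *user, size_t user_len)
{
    return strncmp(computed, user, user_len) == 0;
}

/* Hardened comparison: the length comes from the server-side value, the
   user-supplied length has to match it exactly, and every byte is compared
   (no early exit) so timing does not leak how many leading bytes matched. */
bool hardened_check(const char *computed, const char *user, size_t user_len)
{
    size_t expected_len = strlen(computed);
    if (user_len == 0 || user_len != expected_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)computed[i] ^ (unsigned char)user[i];
    return diff == 0;
}

/* Pull the value of the response="..." field out of an HTTP Digest
   Authorization header. Returns the value's length, or (size_t)-1 if the
   field is missing or does not fit in the buffer. Minimal parser for the
   example only. */
size_t extract_response(const char *header, char *out, size_t out_sz)
{
    const char *p = strstr(header, "response=\"");
    if (p == NULL)
        return (size_t)-1;
    p += strlen("response=\"");
    const char *end = strchr(p, '"');
    if (end == NULL)
        return (size_t)-1;
    size_t len = (size_t)(end - p);
    if (len >= out_sz)
        return (size_t)-1;
    memcpy(out, p, len);
    out[len] = '\0';
    return len;
}

/* Feed one header through the chosen check. Returns true if access would be
   granted, i.e. if deny_access() would NOT be called. */
bool authenticate(const char *header,
                  bool (*check)(const char *, const char *, size_t))
{
    char resp[128];
    size_t len = extract_response(header, resp, sizeof resp);
    if (len == (size_t)-1)
        return false;
    return check(EXPECTED_RESPONSE, resp, len);
}

/* Constructed headers: what the AMT web server would see on the wire. */
static const char *VALID_HEADER =
    "Digest username=\"admin\", realm=\"Digest:0123\", nonce=\"abc\", "
    "uri=\"/index.htm\", response=\"5f4dcc3b5aa765d61d8327deb882cf99\"";
static const char *EMPTY_HEADER =
    "Digest username=\"admin\", realm=\"Digest:0123\", nonce=\"abc\", "
    "uri=\"/index.htm\", response=\"\"";
static const char *PREFIX_HEADER =
    "Digest username=\"admin\", realm=\"Digest:0123\", nonce=\"abc\", "
    "uri=\"/index.htm\", response=\"5f4d\"";
static const char *WRONG_HEADER =
    "Digest username=\"admin\", realm=\"Digest:0123\", nonce=\"abc\", "
    "uri=\"/index.htm\", response=\"00000000000000000000000000000000\"";

int main(void)
{
    const char *names[] = { "valid", "empty", "prefix", "wrong" };
    const char *headers[] = { VALID_HEADER, EMPTY_HEADER, PREFIX_HEADER, WRONG_HEADER };
    for (int i = 0; i < 4; i++)
        printf("%-7s vulnerable=%s hardened=%s\n", names[i],
               authenticate(headers[i], vulnerable_check) ? "granted" : "denied",
               authenticate(headers[i], hardened_check) ? "granted" : "denied");
    return 0;
}
```

    Running it shows the empty and prefix headers granted by vulnerable_check and denied by hardened_check, while the valid header passes both and the wrong hash fails both. The fix is not just "check for zero bytes": as long as the attacker controls the comparison length, any correct prefix gets in, so the length has to come from the server-side value.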

    So in summary, the Intel AMT firmware does not check that the user input makes sense: if you send no data at all, it logs you in rather than giving you an access denied message.