Intel® Active Management Technology

May 10, 2017 16:15

The part where the call to strncmp() occurs seems most interesting here:

if (strncmp(computed_response, user_response, response_length))
    exit(0x99);
The computed response (the first argument) is tested against the one supplied by the user (the second argument), and the third argument is the number of characters to compare. That third argument should obviously be the length of computed_response, but the stack variable response_length from which it is loaded actually holds the length of user_response, i.e. a value the client controls.
Given an empty string, strncmp() compares zero characters and returns zero, so the exit(0x99) branch is never taken and an invalid response is accepted as a valid one. Any prefix of the correct response passes for the same reason.
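To make the failure mode concrete, here is an added example (not code from the Embedi paper or from the AMT firmware) that reproduces the flawed check next to a hardened one. The function names, the 32-hex-character response length (the size of an MD5 Digest response) and the sample response strings are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: a Digest response is a 32-hex-char MD5 string. */
#define RESPONSE_HEX_LEN 32

/* Mirrors the flawed check described above: the count handed to strncmp()
 * is the length of the attacker-controlled user_response, so an empty
 * string (or any prefix of the real value) compares equal. */
static bool auth_check_vulnerable(const char *computed_response,
                                  const char *user_response)
{
    size_t response_length = strlen(user_response); /* bug: wrong operand */
    if (strncmp(computed_response, user_response, response_length))
        return false; /* the original calls exit(0x99) here */
    return true;
}

/* Hardened variant: the expected length is fixed by the algorithm, the
 * client value must have exactly that length, and the comparison runs in
 * constant time so timing does not leak how many bytes matched. */
static bool auth_check_hardened(const char *computed_response,
                                const char *user_response)
{
    if (strlen(computed_response) != RESPONSE_HEX_LEN)
        return false; /* server-side invariant violated, fail closed */
    if (strlen(user_response) != RESPONSE_HEX_LEN)
        return false; /* rejects "" and any truncated prefix outright */
    unsigned char diff = 0;
    for (size_t i = 0; i < RESPONSE_HEX_LEN; i++)
        diff |= (unsigned char)computed_response[i] ^
                (unsigned char)user_response[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed sample: what the server would compute for a request. */
    const char *computed = "5d41402abc4b2a76b9719d911017c592";
    const char *attempts[] = {
        "",                                   /* the Silent Bob case */
        "5d41402a",                           /* prefix of the real value */
        "5d41402abc4b2a76b9719d911017c592",   /* correct response */
        "00000000000000000000000000000000",   /* wrong response */
    };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        printf("response=\"%s\" vulnerable=%s hardened=%s\n", attempts[i],
               auth_check_vulnerable(computed, attempts[i]) ? "ACCEPT" : "reject",
               auth_check_hardened(computed, attempts[i]) ? "ACCEPT" : "reject");
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run it: the vulnerable check accepts both the empty response and the 8-character prefix, while the hardened one accepts only the full, exact value.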

https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

backdoor
