Breaking BMC: The Forgotten Key to the Kingdom

Conference:  Defcon 31


Authors:   Alex Tereshkin Principal System Software Engineer (Offensive Security), NVIDIA, Adam Zabrocki Distinguished Engineer (Offensive Security), NVIDIA


The Baseboard Management Controller (BMC) is a specialized microcontroller embedded on the motherboard, typically used in servers and other enterprise-level hardware. The security of the BMC is critical to the overall security of the system, as it provides a privileged level of access and control over the hardware components of the system, including the ability to perform firmware updates, and even power the system on and off remotely. When the internal offensive security research team was analyzing one of the NVIDIA hardware, they detected several remotely exploitable bugs in AMI MegaRAC BMC. Moreover, various elevations of privileges and "change of scope" bugs have been identified, many of which may be chained together resulting in a highest severity security issue. During this talk we would like to take you on the journey of the whole attack sequence: from having zero knowledge about a remote AMI BMC with enabled IPMI (yeah, right) to flashing a persistent firmware implant to the server SPI flash. The chain will be about a dozen bugs long, so buckle up.