Intel AMT vulnerability script

Would be great to have a script to gather back reports of what machines may be vulnerable to the Intel AMT vulnerability. Here’s a link to the Labtech equivalent script someone published on Reddit:

https://www.reddit.com/r/msp/comments/69zxr4/intel_meamt_exploit_nearly_all_of_our_servers_and/

Hi @indieserve

Let us analyze your request and come up with solutions.

Thanks

Hi @indieserve,

With reference to the official Intel guide https://downloadmirror.intel.com/26755/eng/INTEL-SA-00075%20Detection%20Guide%20rev_1.3.pdf, we have prepared a script that does the following:

Steps:

  • Downloads the package from the link, https://downloadcenter.intel.com/download/26755
  • Installs the package on your endpoint
  • Runs the installed program to analyze and collect the report
  • Displays the collected reports on the execution log
  • Uninstalls the tool
  • Removes the downloaded packages
Note: Run the script as System User

Requirements:
Microsoft* .NET Runtime 4.0

Limitation:
Collects only from Microsoft Windows 7, 8, 8.1 or 10

# Python 2 script (urllib2, print statement) for Windows, to be run as the System user.
# ecmd() runs a shell command with WOW64 file-system redirection disabled, so a
# 32-bit Python on 64-bit Windows sees the real System32 (and the real msiexec).
def ecmd(CMD, r=False):
    import ctypes
    class disable_file_system_redirection:
        """Context manager around Wow64DisableWow64FsRedirection / Revert."""
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            # The API writes a PVOID, so use a pointer-sized variable.
            self.old_value = ctypes.c_void_p()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
    from subprocess import PIPE, Popen
    with disable_file_system_redirection():
        OBJ = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
    out, err = OBJ.communicate()
    ret = OBJ.returncode
    if r:
        # Caller only wants the exit code.
        return ret
    # Otherwise return stdout on success, or the non-zero exit code on failure.
    if ret == 0:
        return out
    return ret

import os
import urllib2

# Intel-SA-00075 Discovery Tool installer (from the Intel download page linked above).
url = 'https://downloadmirror.intel.com/26755/eng/discoveryToolInstaller_1.0.1.39.msi'
fn = url.split('/')[-1]
temp = os.environ['TEMP']
down = urllib2.urlopen(url)
if down.code == 200:
    # Save the MSI into %TEMP% and install it silently.
    fp = os.path.join(temp, fn)
    with open(fp, 'wb') as wr:
        wr.write(down.read())
    if os.path.isfile(fp):
        inst = ecmd('msiexec /i "%s" /qn' % fp, True)
        if inst == 0:
            # The tool installs under Program Files (x86) on 64-bit Windows
            # and under Program Files on 32-bit Windows.
            if 'PROGRAMFILES(X86)' in os.environ.keys():
                pf = os.path.join(os.environ['PROGRAMFILES(X86)'], 'Intel', 'Intel-SA-00075 Discovery Tool', 'Windows', 'Intel-SA-00075-console.exe')
            else:
                pf = os.path.join(os.environ['PROGRAMFILES'], 'Intel', 'Intel-SA-00075 Discovery Tool', 'Windows', 'Intel-SA-00075-console.exe')
            # Run the console tool; its report goes to the execution log.
            print ecmd('"%s" -n -d 0' % pf)
            # Remove the tool and then the downloaded installer.
            unin = ecmd('msiexec /x "%s" /qn' % fp, True)
            if unin == 0:
                os.remove(fp)
            else:
                print 'error on uninstallation', unin
        else:
            print 'error on installation', inst

Script to Import:

Sample Output:

Additional Information for your understanding of the output [Copied from the Guide given above]:

  • Vulnerable: The system has a vulnerable manageability firmware version; the firmware needs to be updated.
  • Not Vulnerable: The system meets the “Not Vulnerable” criteria described in the Identifying vulnerable systems using the INTEL-SA-00075 Discovery Tool section of the document.
  • Not Vulnerable (verify configuration): The system has the firmware with the fix for INTEL-SA-00075, but if the system was provisioned prior to the firmware update, an attacker using the known vulnerability may have changed the manageability configuration. There is a limited amount of verification that can be done through reviewing the Intel manageability SKU audit log. A full unprovision, reprovision of the manageability SKU will remove unauthorized configuration settings.
  • Check With OEM: The information in the SMBIOS from the OEM shows a manageability SKU, but the Discovery Tool did not receive a response when requesting detailed data from your computer. This may be caused by a missing Management Engine interface driver. Consult your OEM to find out if your computer model is affected.
  • Unknown: Discovery Tool did not receive a valid response when requesting hardware inventory data from your computer. Consult your OEM to find out if your computer model is affected.
For any clarification, please let us know as soon as possible.

Thank you.

20170512-Intel-AMT-vulnerability-Script-Intel-SA-00075.json (3.06 KB)
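Once the report text has been collected from each endpoint, the next step is to sort machines into the five categories listed above and flag the ones that need follow-up. The Python 3 example below is added here and is not part of the posted script or of Intel's tool; the `System Status:` line format in the constructed sample reports is an assumption, since the real console output may be laid out differently.

```python
import re

# The five result categories from the INTEL-SA-00075 Detection Guide, each paired
# with the follow-up a fleet summary should flag. Order matters: the longer label
# "Not Vulnerable (verify configuration)" must be tried before "Not Vulnerable".
STATUS_ACTIONS = [
    ("Not Vulnerable (verify configuration)",
     "review the manageability audit log; unprovision and reprovision"),
    ("Not Vulnerable", "no action"),
    ("Vulnerable", "update the manageability firmware"),
    ("Check With OEM", "check for the ME interface driver; consult the OEM"),
    ("Unknown", "consult the OEM"),
]

# Assumed report line format (constructed for this example); adjust the pattern
# to the real console output before running it over collected logs.
STATUS_RE = re.compile(r"^[ \t]*(?:System[ \t]+)?Status[ \t]*:[ \t]*(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)

def classify(report):
    """Return (status_label, action) for one endpoint's report text."""
    m = STATUS_RE.search(report)
    if not m:
        return ("Unparsed", "inspect the raw report")
    value = m.group(1).lower()
    # startswith() on the normalised value means a "not vulnerable" line can
    # never be taken for "vulnerable"; the list order separates the two
    # "Not Vulnerable" variants.
    for label, action in STATUS_ACTIONS:
        if value.startswith(label.lower()):
            return (label, action)
    return ("Unparsed", "inspect the raw report")

def summarize(reports):
    """Group host names by status; reports maps host name -> report text."""
    groups = {}
    for host, text in sorted(reports.items()):
        groups.setdefault(classify(text)[0], []).append(host)
    return groups

# Constructed sample reports from four endpoints (not real tool output).
SAMPLE_REPORTS = {
    "ws-01": "Intel-SA-00075 Discovery Tool\nSystem Status: Vulnerable\n",
    "ws-02": "Intel-SA-00075 Discovery Tool\n"
             "System Status: Not Vulnerable (verify configuration)\n",
    "ws-03": "Intel-SA-00075 Discovery Tool\nSystem Status: Not Vulnerable\n",
    "ws-04": "Intel-SA-00075 Discovery Tool\nSystem Status: Check With OEM\n",
}

if __name__ == "__main__":
    for status, hosts in sorted(summarize(SAMPLE_REPORTS).items()):
        print("%-40s %s" % (status, ", ".join(hosts)))
```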

Thanks Purushothaman!

Hi @indieserve,

You are very welcome :slight_smile: