The Unbearable Lightness of BMCs

Presented at ekoparty 14 (2018), Sept. 27, 2018, 11:10 a.m. (50 minutes)

Welcome to a data centre! A place where the air conditioning never stops running, and long lines of tiny red and blue LEDs dance chaotically in tune with the endless fans, humming in unison.

One thing is for sure: everyone avoids data centres. And, as one of the greatest leaders of our era once said, "behind every need, there is a right" (in this case, a product).

Welcome to the world of Out of Band Power Management devices, where vendors decided to put an extra microprocessor on the motherboard so that temperature, fans and power can be monitored remotely.

We decided to take a look at these devices, and what we found was even worse than expected: vulnerabilities dating back to the 90s, 100% reliable remote code executions, and the possibility of moving bidirectionally between the server and the BMC, making it not only the ideal tool for lateral movement, but also the perfect backdoor.


  • Nico Waisman
    Nico Waisman started researching the offensive side of cyber security 20 years ago, gaining experience in every area, from vulnerability analysis to trojan development. Nico is an international expert in heap overflow exploitation and has taught government and commercial sectors all over the world, presenting some of his research at conferences such as BlackHat, PacSec, Syscan, Ekoparty and many others. Currently, Nico is a Vice President at Immunity, where he runs the South America offices.
  • Matías Soler
    Matías Sebastián Soler has been working at Immunity since 2009, where he has carried out a variety of tasks, such as exploit development, reverse engineering, research and consultancy. Matías has taught multiple courses on binary and web exploitation. He has experience in both the offensive and the defensive fields of information security.