wetdry.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
We are a community focused on gaming, tech, entertainment, and more.


fun fact: if you have a laptop or desktop that has an intel cpu with "vPro" on the sticker there's a chance the management engine in your CPU is just hosting a web server at all times.

It's at port 16992


@i_lost_my_bagel how the hell does that work in the OS? localhost should be handled by the OS, right? so how would that work


@Sqaaakoi @i_lost_my_bagel Management Engine is essentially an entire OS (Minix) running /on/ the CPU.

So pretty much every computer out there is running two OSes at all times.

@samebchase @i_lost_my_bagel Not what I asked. (I already knew what it was.) I am wondering how it manages to expose ports on the main system OS' localhost.


@Sqaaakoi @i_lost_my_bagel ah right, sorry I must have misinterpreted what you were asking and assumed that you were not aware of IME. My apologies.

Now, even I am wondering the same thing... 🤔


@samebchase @Sqaaakoi @i_lost_my_bagel ME is inspecting your traffic before it's handed to the OS, and if it sees TCP ports that it uses, it processes that. You can give ME a different IP address from what the OS uses, but by default it just shares the IP.


@jernej__s @samebchase @Sqaaakoi @i_lost_my_bagel But localhost traffic never hits the bus; it’s entirely in memory via the loopback device. Is the idea here that IME is hijacking the loopback driver functions somehow? Or is that port actually exposed on localhost by some Windows vPro driver?


@overhacked @jernej__s @samebchase @Sqaaakoi there's a windows driver that exposes it on localhost. Without a driver you can't access it on the local machine. Booted up macOS on the laptop since I know it has absolutely no AMT drivers and I couldn't access it.

I can still access it from other computers though so it's still running.


@overhacked @jernej__s @samebchase @Sqaaakoi surprisingly macOS CAN see the virtual serial connection which I definitely wasn't expecting


@overhacked @jernej__s @samebchase @Sqaaakoi surprised the serial over lan actually works with macOS

@samebchase @Sqaaakoi @i_lost_my_bagel I've asked a network engineer friend to make sure, and this is how it works:

While active, port 16992 cannot be used by the OS because the IME intercepts all communications to it.

If the OS can access the IME over localhost:16992 then it's because the OS has a passthrough driver.

Generally the right way to do things is to allocate a separate address for the IME rather than use the same address as the OS. This frees the port on the OS and ensures there won't be any conflict with anything that tries to grab it. Apparently the IME can have its own MAC address via internal bridging on the NIC.

If for whatever reason you can't disable the IME and/or its webserver you can take it off the network by using your own PCI network card instead of the built-in one. The IME should not be able to access the network card that isn't part of the chipset, effectively isolating it.

Some corporate networks use that approach for extra security: Connect the IME to an internal management-only network via the built-in ethernet chipset, and a PCI card for actual work network access.

@Sqaaakoi@wetdry.world @samebchase@fantastic.earth @i_lost_my_bagel@mastodon.lilysthings.org It doesn't. It uses the NIC directly (vPro devices have Intel NICs), none of this traffic will ever reach the main OS. It's entirely handled by the coprocessor.


@Sqaaakoi@wetdry.world @samebchase@fantastic.earth @i_lost_my_bagel@mastodon.lilysthings.org However, loopback still uses the same NIC, so you can access it regardless.

@privateger @Sqaaakoi @i_lost_my_bagel @samebchase loopback is not supposed to hit any NICs though?

@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth I may be stupid. :spinny_fox:

vPro is going to run anyway. Some features of it are part of the ME, some are at user level.

If you hit on the OS loopback, there's probably something also running on your OS. Maybe a management daemon that comes installed? You'd be correct in that it _doesn't_ use the NIC there.

The out of band stuff most people will be using vPro for though is part of the ME.

@privateger @Sqaaakoi @i_lost_my_bagel @samebchase yeah the most likely explanation here is some kind of driver or userspace service is listening on the loopback interface

the remote administration stuff is there of course but I sure hope it's not exposed to the network by default :blobcat_daradara:

@novenary @privateger @Sqaaakoi @i_lost_my_bagel @samebchase it's not, at least on my home server, i had to enable it myself


@novenary @samebchase @i_lost_my_bagel @privateger @Sqaaakoi
Isn’t that the entire point? (This being accessible from elsewhere)


@novenary@akko.wtf @Sqaaakoi@wetdry.world @i_lost_my_bagel@mastodon.lilysthings.org @samebchase@fantastic.earth
The management engine of all modern Intel CPUs has:
- full direct memory access
- full TCP stack access
- receive and send network packets bypassing the OS
- cannot be disabled past Core2 CPUs
It's a dedicated chip running MINIX, has a dedicated connection to the NIC and is part of the chipset.

The scary parts, the Active Management Engine, claims these ports:
- 16992 (SOAP/HTTP)
- 16993 (SOAP/HTTPS)
- 16994 (Redirection/TCP)
- 16995 (Redirection/TLS)
KVM runs over the last two.

https://www.intel.com/content/www/us/en/privacy/intel-active-technology-vpro.html

AMT is disabled by default.
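The post above lists the four TCP ports AMT claims, and earlier in the thread the poster notes that the web server was unreachable on localhost without a passthrough driver but still reachable from another computer. The script below is an added example (not code from any participant in this thread, and not Intel's) that a defender can run from a second machine against a host they own to check whether any of those ports answer, and to look at the HTTP `Server` header to tell an AMT listener apart from some unrelated service that happened to take port 16992. The port table is taken from the post; the assumption that AMT's embedded web server names itself "Intel(R) Active Management Technology" in the `Server` header is mine and is labelled as such in the code, and `SAMPLE_BANNER` is a constructed response used only for the self-check.

```python
import socket
import sys
from typing import Dict, Optional

# Port table as listed in the thread above.
AMT_PORTS = {
    16992: "SOAP/HTTP",
    16993: "SOAP/HTTPS",
    16994: "Redirection/TCP",
    16995: "Redirection/TLS",
}


def amt_service(port: int) -> Optional[str]:
    """Name the AMT service that claims this port, or None if it is not an AMT port."""
    return AMT_PORTS.get(port)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the value of the HTTP Server header from a raw response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("ascii", "replace")
    return None


def looks_like_amt(raw: bytes) -> bool:
    """Heuristic classifier for a response captured from port 16992.

    ASSUMPTION (not stated in the thread): AMT's web server identifies itself
    with a Server header containing 'Active Management Technology'.
    """
    server = parse_server_header(raw)
    return server is not None and "Active Management Technology" in server


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_amt_exposure(host: str, timeout: float = 1.0) -> Dict[int, bool]:
    """Map each AMT port to whether it accepted a connection from this machine."""
    return {port: port_open(host, port, timeout) for port in AMT_PORTS}


def fetch_http_banner(host: str, port: int = 16992, timeout: float = 2.0) -> bytes:
    """Send a minimal HTTP/1.0 request and return whatever the listener replies."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while sum(len(c) for c in chunks) < 65536:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample of what an AMT listener is assumed to answer; used for the self-check.
SAMPLE_BANNER = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Location: /logon.htm\r\n\r\n"
)


if __name__ == "__main__":
    # Usage: python amt_check.py <address-of-a-host-you-own>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    exposure = check_amt_exposure(target)
    for port, is_open in exposure.items():
        print(f"{target}:{port} ({amt_service(port)}): {'open' if is_open else 'closed'}")
    if exposure[16992]:
        banner = fetch_http_banner(target)
        verdict = "AMT web server" if looks_like_amt(banner) else "something else on 16992"
        print(f"Server header: {parse_server_header(banner)!r} -> {verdict}")
```

Run it from a different machine than the one being checked: as the thread explains, the ME answers on the NIC, so a closed result on the machine's own loopback says nothing about what the rest of the network can reach. Only 16992 is probed for a banner because it is the plain-HTTP port; the TLS and redirection ports need a TLS handshake or the redirection protocol to say anything useful.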

@privateger @samebchase @i_lost_my_bagel @Sqaaakoi Not on all hardware. In some it gets blackholed unless you have particular drivers do a handshake with the coprocessor to be able to access the port.