Vulnerabilities > CVE-2017-12542 - Unspecified vulnerability in HP Integrated Lights-Out 4 Firmware

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
hp
critical
nessus
exploit available
metasploit

Summary

An authentication bypass and code execution vulnerability was found in HPE Integrated Lights-Out 4 (iLO 4) firmware versions prior to 2.53.

Exploit-Db

description: HPE iLO 4 < 2.53 - Add New Administrator User. CVE-2017-12542. Remote exploit for Multiple platform
file: exploits/multiple/remote/44005.py
id: EDB-ID:44005
last seen: 2018-02-09
modified: 2018-02-05
platform: multiple
port:
published: 2018-02-05
reporter: Exploit-DB
source: https://www.exploit-db.com/download/44005/
title: HPE iLO 4 < 2.53 - Add New Administrator User
type: remote

Metasploit

description: This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer overflow in the Connection HTTP header handling by the web server. Exploiting this vulnerability gives full access to the REST API, allowing arbitrary accounts creation.
id: MSF:AUXILIARY/ADMIN/HP/HP_ILO_CREATE_ADMIN_ACCOUNT
last seen: 2020-06-13
modified: 2018-03-16
published: 2018-02-09
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb
title: HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation

Nessus

  • NASL family: CGI abuses
    NASL id: ILO_HPESBHF_03769.NASL
    description: A remote command execution vulnerability exists in Integrated Lights-Out 4 (iLO 4) due to a buffer overflow in the server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122095
    published: 2019-02-11
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122095
    title: iLO 4 < 2.53 Remote Code Execution Vulnerability
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(122095);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/31 15:18:50");
    
      script_cve_id("CVE-2017-12542");
    
      script_name(english:"iLO 4 < 2.53 Remote Code Execution Vulnerability");
      script_summary(english:"Checks version of HP Integrated Lights-Out (iLO).");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote HP Integrated Lights-Out (iLO) server's web interface is
    affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "A remote command execution vulnerability exists in Integrated 
    Lights-Out 4 (iLO 4) due to a buffer overflow in the server's http 
    connection handling code. An unauthenticated, remote attacker can 
    exploit this to bypass authentication and execute arbitrary commands.");
      # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fd1b001e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade firmware of HP Integrated Lights-Out 4 (iLO 4) to 2.53, or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12542");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/11");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:integrated_lights-out_firmware");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ilo_detect.nasl");
      script_require_keys("www/ilo", "ilo/generation", "ilo/firmware");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    include('vcf_extras.inc');
    
    port = get_http_port(default:80, embedded: TRUE);
    app_info = vcf::get_app_info(app:'ilo', port:port, webapp:TRUE);
    
    constraints = [{'generation': '4', 'fixed_version':'2.53'}];
    vcf::ilo::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL family: CGI abuses
    NASL id: ILO_AUTH_BYPASS.NASL
    description: According to its version number, the remote HP Integrated Lights-Out 4 (iLO 4) server is affected by multiple unspecified flaws that allow a remote attacker to bypass authentication and execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102803
    published: 2017-08-28
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/102803
    title: HP iLO 4 <= 2.52 RCE
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102803);
      script_version("1.5");
      script_cvs_date("Date: 2018/11/15 20:50:17");
    
      script_cve_id("CVE-2017-12542");
      script_bugtraq_id(100467);
    
      script_name(english:"HP iLO 4 <= 2.52 RCE");
      script_summary(english:"Checks version of HP Integrated Lights-Out 4 (iLO 4)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote HP Integrated Lights-Out 4 (iLO 4) server is vulnerable
    to multiple unspecified flaws that allow a remote attacker to bypass
    authentication and execute code.");
      script_set_attribute(attribute:"description", value:
    "According to its version number, the remote HP Integrated Lights-Out 4
    (iLO 4) server is affected by multiple unspecified flaws that allow a
    remote attacker to bypass authentication and execute arbitrary code.");
      # https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a40b909a");
      script_set_attribute(attribute:"solution", value:"Upgrade to HP Integrated Lights-Out 4 (iLO 4) firmware version 2.53.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/28");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ilo_detect.nasl");
      script_require_keys("www/ilo", "ilo/generation", "ilo/firmware");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("http.inc");
    include("misc_func.inc");
    include("webapp_func.inc");
    
    # Each generation has its own series of firmware version numbers.
    generation = get_kb_item_or_exit("ilo/generation");
    
    # The version is tied to the firmware and not specific to the web interface.
    version = get_kb_item_or_exit("ilo/firmware");
    port = get_http_port(default:80, embedded:TRUE);
    
    install = get_install_from_kb(
      appname      : "ilo",
      port         : port,
      exit_on_fail : TRUE
    );
    install_url = build_url(port:port, qs:install["dir"]);
    
    # Firmware is unique to the generation of iLO.
    if (generation != 4) audit(AUDIT_WEB_APP_NOT_AFFECTED, "iLO " + generation, install_url, version);
    
    cutoff_version = "2.52";
    if (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)
    {
      report =
        '\n  URL              : ' + install_url +
        '\n  Generation       : ' + generation +
        '\n  Firmware version : ' + version +
        '\n  Fixed version    : 2.53' +
        '\n';
      security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, "iLO " + generation, install_url, version);
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/146303/hpeilo4-adduser.txt
id: PACKETSTORM:146303
last seen: 2018-02-09
published: 2018-02-08
reporter: skelsec
source: https://packetstormsecurity.com/files/146303/HPE-iLO4-Add-New-Administrator-User.html
title: HPE iLO4 Add New Administrator User

Seebug

bulletinFamily: exploit
description:

Subverting your server through its BMC: the HPE iLO4 case
=========================================================

Introduction
------------

``iLO`` is the server management solution embedded in almost every ``HP`` server for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators.

We've performed a deep-dive security study of ``HP iLO4`` (known to be used on the ``HP ProLiant Gen8`` and ``ProLiant Gen9`` server families), and the results of this study were presented at the **REcon** conference held in Brussels (February 2 - 4, 2018, see [1]_).

``iLO4`` runs on a dedicated ``ARM`` processor embedded in the server and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity [2].

Results
-------

One critical vulnerability was identified and reported to the ``HP PSIRT`` in February 2017, known as ``CVE-2017-12542`` (``CVSSv3`` 9.8 [3]_):

* Authentication bypass and remote code execution
* Fixed in ``iLO4`` versions ``2.53`` (released in May 2017, buggy) and ``2.54`` [4]_

Slides and demos
----------------

The slides from our **REcon** talk are available here. They cover the following points:

* Firmware unpacking and memory space understanding
* GreenHills OS Integrity internals:

  * kernel object model
  * virtual memory
  * process isolation

* Review of exposed attack surface: ``www``, ``ssh``, *etc.*
* Vulnerability discovery and exploitation
* Demonstration of a new exploitation technique that allows compromising the host server operating system through DMA.

To illustrate them, we also release the three demos as videos.

The first one demonstrates the use of the vulnerability we discovered to bypass the authentication of the RedFish API:

![](https://images.seebug.org/1518078598686)

In the second one we show how the vulnerability can also be turned into arbitrary remote code execution (``RCE``) in the process of the web server, allowing read access to the ``iLO`` file-system, for example.

![](https://images.seebug.org/1518078645175)

Finally, in the third video, we leverage this ``RCE`` to exploit an ``iLO4`` feature which gives us read/write (``RW``) access to the host memory, and inject a payload into the host Linux kernel.

![](https://images.seebug.org/1518078666432)

Tooling
-------

To support our research we've developed scripts and tools to help us automate some tasks, especially firmware unpacking and mapping.

Firmware
********

The ``ilo4_extract.py`` script takes an ``HP Signed file`` as input (obtained from the update package). It is invoked with:

```
>python ilo4_extract.py ilo4_244.bin extract
```

Extract from the output log:

```
[+] iLO Header 0: iLO4 v 2.44.7 19-Jul-2016
> magic              : iLO4
> build_version      : v 2.44.7 19-Jul-2016
> type               : 0x08
> compression_type   : 0x1000
> field_24           : 0xaf8
> field_28           : 0x105f57
> decompressed_size  : 0x16802e0
> raw_size           : 0xd0ead3
> load_address       : 0xffffffff
> field_38           : 0x0
> field_3C           : 0xffffffff
> signature
```

From the extracted files, ``ilo0.bin`` is the ``Integrity`` applicative image (userland). It contains all the tasks that will run on the ``iLO`` system. To parse each of these tasks and generate the ``IDA Pro`` loading script, one can use the script ``dissection.rb``. It relies upon the ``Metasm`` framework [5] and also requires the ``Bindata`` library [6].

```
>ruby dissection.rb ilo0.bin
```

Back to the kernel image, ``ilo4_extract.py`` told us that:

```
[+] iLO Header 1: iLO4 v 0.8.36 16-Nov-2015
> magic              : iLO4
> build_version      : v 0.8.36 16-Nov-2015
> type               : 0x02
> compression_type   : 0x1000
> field_24           : 0x9fd
> field_28           : 0x100344
> decompressed_size  : 0xc0438
> raw_size           : 0x75dad
> load_address       : 0x20001000
> field_38           : 0x0
> field_3C           : 0xffffffff
```

Using ``IDA Pro`` to load the extracted file ``ilo1.bin`` at ``0x20001000`` as ``ARM`` code, one can also study the ``Integrity`` kernel.

* ``secinfo4.py`` parses the section information embedded into the kernel image and creates the appropriate memory segments in the disassembler
* ``parse_mr.py`` dumps the registered ``Memory Region`` objects

The ``iLO5`` format differs slightly; however, the same ``dissection.rb`` script can be used to extract the ``Integrity`` applicative image.

Network
*******

Finally, to help people scan for existing vulnerable ``iLO`` systems exposed in their own infrastructures, we release a simple ``Go`` scanner. It attempts to fetch a special ``iLO`` page, ``/xmldata?item=ALL``; if it exists, then it extracts the firmware version and HP server type.

First edit the "``targets``" variable in the code and specify the internal ``IP`` ranges you want to scan.

```
var (
    targets = []string{
        "10.0.0.0/8",
        "192.168.66.0/23",
        "172.16.133.0/24"}
)
```

Then compile the code for your OS/architecture.

```
> env GOOS=target-OS GOARCH=target-architecture go build iloscan.go
```

For example:

```
> env GOOS=openbsd GOARCH=amd64 go build iloscan.go
> ./iloscan
```

Then look at the result in ``/tmp/iloscan.log`` (can be changed in the source):

```
> less /tmp/iloscan.log
192.168.66.69{{ RIMP} [{{ HSI} ProLiant DL380 G7}] [{{ MP} 1.80 ILOCZ2069K2S4 ILO583970CZ2069K2S4}]}
```

Authors
-------

* Fabien PERIGAUD - ``fabien [dot] perigaud [at] synacktiv [dot] com`` - ``@0xf4b``
* Alexandre GAZET - ``alexandre [dot] gazet [at] airbus [dot] com``
* Joffrey CZARNY - ``snorky [at] insomnihack [dot] net`` - ``@\_Sn0rkY``

License
-------

The scripts and scanner are released under the [GPLv2].

References
----------

* [1] https://recon.cx/2018/brussels/talks/subvert_server_bmc.html
* [2] https://www.ghs.com/products/rtos/integrity.html
* [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12542
* [4] http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
* [5] https://github.com/jjyg/metasm
* [6] https://github.com/dmendel/bindata
* [GPLv2] https://github.com/airbus-seclab/ilo4_toolbox/blob/master/COPYING
* here: https://github.com/airbus-seclab/airbus-seclab.github.io/blob/master/ilo/RECONBRX2018-Slides-Subverting_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf
id: SSV:97126
last seen: 2018-06-26
modified: 2018-02-06
published: 2018-02-06
reporter: Knownsec
source: https://www.seebug.org/vuldb/ssvid-97126
title: HPE Integrated Lights-Out 4 Remote Code Execution Vulnerability (CVE-2017-12542)
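The inventory check that the Go scanner and the two Nessus plugins above both perform (read the firmware version out of `/xmldata?item=ALL`, confine the comparison to iLO 4, and flag anything below the 2.53 fix) is shown here as an added Python example; it is not code from the Seebug writeup, the ilo4_toolbox or Tenable. The RIMP element names (HSI/SPN, MP/PN/FWRI/SN) and the sample document are assumptions I constructed, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# First iLO 4 firmware carrying the CVE-2017-12542 fix, per the HPE
# advisory and both Nessus plugins (the writeup notes 2.54 followed).
FIXED_VERSION = (2, 53)

# Constructed sample of an iLO 4 /xmldata?item=ALL response. Element names
# follow the RIMP schema as I know it and are an assumption, not page data.
SAMPLE_RIMP = """<RIMP>
  <HSI>
    <SPN>ProLiant DL380 Gen9</SPN>
    <SBSN>CZ2069K2S4</SBSN>
  </HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.50</FWRI>
    <HWRI>ASIC: 17</HWRI>
    <SN>ILOCZ2069K2S4</SN>
  </MP>
</RIMP>
"""


def parse_version(text):
    """Turn '2.50' or 'v 2.44.7 19-Jul-2016' into a (major, minor) tuple."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts[:2])


def assess_ilo(xml_text):
    """Return server model, iLO generation, firmware and a vulnerable flag.

    vulnerable is True/False when the generation and firmware are known,
    and None when the document does not carry enough to decide.
    """
    root = ET.fromstring(xml_text)
    server = root.findtext("HSI/SPN", default="unknown")
    product = root.findtext("MP/PN", default="")
    firmware = root.findtext("MP/FWRI", default="").strip()
    m = re.search(r"iLO\s*(\d+)", product)
    generation = int(m.group(1)) if m else None
    if generation is None or not firmware:
        vulnerable = None          # cannot judge: no generation or no version
    elif generation != 4:
        vulnerable = False         # each generation numbers firmware separately
    else:
        vulnerable = parse_version(firmware) < FIXED_VERSION
    return {"server": server, "generation": generation,
            "firmware": firmware, "vulnerable": vulnerable}
```

In a real sweep the XML comes from an HTTP GET of `/xmldata?item=ALL` against each management address; any record with `vulnerable` True belongs on the firmware upgrade list.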