CVE-2017-12542 – HP iLO 4 Authentication Bypass

An authentication bypass and execution of code vulnerability exits within all of HPE’s Integrated Lights-out 4 (iLO 4)  controllers prior to version 2.54.  This is triggered by a buffer overflow in how the web server handles the Connection HTTP header.  Unrestricted access to the REST API is possible allowing for administrative account creation.  With unrestricted access to the iLO components, an attacker could power off a server remotely, trigger virtual media, or alter the underlying operating system.  It is advised that administrators patch all iLO 4 devices immediately. HP has published a security bulletin describing this critical issue.

With that said, it amazes me by how many iLO servers are publicly accessible over the Internet!  A simple search over at reveals thousands of exploitable devices, many of which are still running firmware less than version 2.00.  It is only safe to assume that these devices have already been compromised, especially those owned by government entities.  How many compromised devices existed prior to where an attacker inserted their own credentials and then patched the server locking other attackers out making it look safe?

Rapid 7 has released Metasploit code (available on GitHub) on how to exploit the vulnerability.  It is also possible to exploit using a cURL command.  Now, I must give my disclaimer that you should never do this on any production server and never do this on a server that is not under your direct ownership.  Let’s be ethical here.  With that said we’ll trigger the exploit as a proof of concept.

Using your favorite penetration testing platform, mine is Kali Linux, fire up an instance of Metasploit by launching msfconsole.  Enter the following commands into the console setting the username, password, and server’s IP address.  If you choose to not set the username and password, they will be dynamically generated.  The show options command will show you what these are set to.

msf > use auxiliary/admin/hp/hp_ilo_create_admin_account 
msf auxiliary(hp_ilo_create_admin_account) > set USERNAME jdoe 
msf auxiliary(hp_ilo_create_admin_account) > set PASSWORD Password1234 
msf auxiliary(hp_ilo_create_admin_account) > set RHOST
msf auxiliary(hp_ilo_create_admin_account) > show options 
msf auxiliary(hp_ilo_create_admin_account) > run

Upon exposing the vulnerability you will see the status in the Metasploit window if the exploit was successful

Navigate to your iLO instance and login with your new admin account.  You will see that the new user has been successfully created and has administrator rights.  As a result, you now have full control within the iLO environment.  For fun, configure the virtual media (outside the scope of this post) and boot into a Linux live CD and see if you can inject files into the Windows operating system.

Leave a Reply

Your email address will not be published. Required fields are marked *