![]() >ruby dissection.rb ilo0.binīack to the kernel image, ilo4_extract.py told us that: It relies upon the Metasm framework and also requires the Bindata library. To parse each of these tasks and generate the IDA Pro loading script, one can use the script dissection.rb. ![]() It contains all the tasks that will run on the iLO system. ![]() It is invoked with: >python ilo4_extract.py ilo4_244.bin extractįrom the extracted file, ilo0.bin is the Integrity applicative image (userland). Ilo4_extract.py script takes an HP Signed file as input (obtained from the update package). To support our research we’ve developed scripts and tools to help us automatize some tasks, especially firmware unpacking and mapping. In the second one we show how the vulnerability can also be turned into an arbitrary remote code execution ( RCE) in the process of the web server allowing read access to the iLO file-system for example.įinally, in the third videos, we leverage this RCE to exploit an iLO4 feature which allows us to access ( RW) to the host memory and inject a payload in the host Linux kernel. The first one demonstrates the use of the vulnerability we discovered to bypass the authentication from the RedFish API: Review of exposed attack surface: To illustrate them, we also release the three demos as videos. They cover the following points:įirmware unpacking and memory space understanding The slides from our REcon talk are available here. Fixed in iLO4 versions 2.53 (released in May 2017, buggy) and 2.54 _.Authentication bypass and remote code execution.One critical vulnerability was identified and reported to the HP PSIRT in February 2017, known as CVE-2017-12542 ( CVSSv3 9.8 _) : On the software side, the operating system is the proprietary RTOS GreenHills Integrity. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network ILO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. We’ve performed a deep dive security study of HP iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9 servers) and the results of this study were presented at the REcon conference held in Brussels (February 2 - 4, 2018, see _). Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators. It provides every feature required by a system administrator to remotely manage a server without having to reach it ILO is the server management solution embedded in almost every HP servers for more than 10 years. Subverting your server through its BMC: the HPE iLO4 case Introduction
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |