This vulnerability has been found during a security study of HP iLO performed by Alexandre Gazet from Airbus and Fabien Perigaud. Now that a security bulletin and a fixed firmware have been released by HP (4 months ago), there is a significant risk that the vulnerability has been found by people doing binary diffing between two versions of the firmware. We thus decided to give some details so that HP iLO administrators could understand the impacts and protect their servers. We plan to release the full details of our study in an upcoming conference, stay tuned!

Introduction

iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides every feature required by a system administrator to remotely administer a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators.

All these features can be accessed using the IPMI protocol, but also through various interfaces such as SSH, HTTPS, SNMP, and XML / JSON APIs. All these interfaces represent a huge attack surface for a critical, embedded component.

Regarding the technical aspects, iLO 4 runs on a dedicated ARM micro-processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity. Interestingly, the iLO runs even if the server is turned off, and is directly connected to the main PCI-express bus.

All its features and its crucial position in the server hardware make iLO a really juicy target from an attacker's point of view.

iLO firmware can be directly downloaded from the HP website. It is usually distributed as a PE file containing a big binary file which is sent to the iLO. Fortunately, the firmware is signed, but not encrypted, meaning that we can start looking for vulnerabilities without having to desolder the flash chip!

The most interesting target to look at is the webserver, which is very often exposed to the LAN, even if HP recommends connecting the iLO administration interface to a dedicated administration network. A quick Shodan search indicates that some iLO interfaces are even directly connected to the Internet.

After a few hours of reverse engineering to understand the memory layout and the various embedded libraries, the webserv binary can be correctly loaded in IDA Pro and analyzed.

Heap buffer overflow in HTTP headers processing (CVE-2017-12542)

When a new client connects to the web server, one of its 4 threads handles the connection and starts parsing the HTTP request. The parsing is handled in a function reading each line one by one, and trying to identify and parse the various possible HTTP headers. When handling the Connection header, the sscanf() function is called with an insecure format string:
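The iLO webserv sscanf() call itself is not reproduced on this page. As an added illustration of the bug class (this is example code written for this page, not the iLO firmware's code, and the format string, the `client_ctx` record, the `CONN_VALUE_MAX` field size and the helper names are all assumptions), the block below contrasts the unbounded sscanf() pattern with a bounded parser for the `Connection:` header that refuses overlong values instead of writing past the destination field. The sample header lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical fixed-size per-client record. The real iLO structure layout
 * is not shown on the page and is not reproduced here. */
#define CONN_VALUE_MAX 32

struct client_ctx {
    char connection[CONN_VALUE_MAX];   /* copy of the Connection: value */
    int  keep_alive;                   /* 1 = keep-alive, 0 = close/other */
};

/*
 * The unsafe pattern this example is about (NOT compiled here):
 *
 *     sscanf(line, "Connection: %s", ctx->connection);
 *
 * "%s" (or "%[^\r\n]") without a maximum field width copies as many bytes
 * as the remote client sends. A Connection: value longer than the
 * destination field writes past its end; when the record lives on the heap
 * that is a client-controlled heap buffer overflow.
 */

/* Hardened parser: bounded conversion plus an explicit check that the whole
 * value fit, so the field is never overrun and never silently truncated.
 * Returns 0 on success, -1 if the line is not a Connection header, and
 * -2 if the value exceeds CONN_VALUE_MAX - 1 characters. */
int parse_connection_header(const char *line, struct client_ctx *ctx)
{
    char value[CONN_VALUE_MAX];
    int consumed = 0;

    /* %31[...] is CONN_VALUE_MAX - 1, leaving room for the terminating NUL.
     * %n records how many input characters were consumed so far. */
    if (sscanf(line, "Connection: %31[^\r\n]%n", value, &consumed) != 1)
        return -1;

    /* The width limit alone would silently truncate. If the scan stopped on
     * anything other than end of line, the client sent more than the field
     * can hold: reject the request instead of keeping a partial value. */
    const char *rest = line + consumed;
    if (*rest != '\0' && *rest != '\r' && *rest != '\n')
        return -2;

    memcpy(ctx->connection, value, sizeof value);
    ctx->keep_alive = (strcasecmp(value, "keep-alive") == 0);
    return 0;
}

/* Helper: parse one header line and return only the status code. */
int connection_status(const char *line)
{
    struct client_ctx ctx;
    return parse_connection_header(line, &ctx);
}

/* Helper: 1 if the line is an accepted keep-alive header, 0 if accepted but
 * not keep-alive, -1 if the line was rejected. */
int connection_keep_alive(const char *line)
{
    struct client_ctx ctx;
    if (parse_connection_header(line, &ctx) != 0)
        return -1;
    return ctx.keep_alive;
}

int main(void)
{
    /* Constructed sample header lines, including a 40-character value that
     * exceeds the 31-character limit. */
    const char *lines[] = {
        "Connection: keep-alive\r\n",
        "Connection: close\r\n",
        "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n",
        "Host: ilo.example.invalid\r\n",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("status=%2d keep_alive=%2d  %s",
               connection_status(lines[i]), connection_keep_alive(lines[i]), lines[i]);
    return 0;
}
```

The point a reviewer checks for is the `%n` test: a width on the scanset (or on `%s`) stops the write, but on its own it leaves the rest of the value in the input and silently accepts a truncated header, which is why the parser also verifies that the conversion reached end of line. The same bounded-conversion-plus-fit-check shape applies to every header a line-by-line parser copies into a fixed-size record, not only `Connection:`.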