1 guy looking at iLo 2 and 3 for 4 days and finding more than 5 bugs, Veysel Özer, hardwear.io 2015

Post on 29-Jan-2016


TRANSCRIPT

Page 1

1 guy looking at iLo 2 and 3 for 4 days and finding more than 5 bugs

Veysel Özer

hardwear.io 2015

Page 2

Agenda

Who am I

How did it get started

iLo what?

Unpacking

Bugs and fun

Page 3

Who am I

IT security experience for over a decade: from buffer overflows, format string bugs and ROP, over XSS, SQL injections and Meterpreter sessions, up to AV bypass, network voodoo and fun with mimikatz

CarIT hardware hacking for over 5 years: from UART, JTAG and CAN, over ARM/V850/8051/xxx assembler, up to glitching, side channels and no fun with Renesas

Had the pleasure to speak at the first nullcon ;)

Page 4

How did it get started?

A friend kept bugging me to take a look at iLo, because he doesn't like some HP guys

One afternoon another friend and I opened an HP server, desoldered and read out the flash chip holding the iLo firmware

No ultra critical bugs were found, but really funny ones

Page 5

iLo what?

Wikipedia: „iLO is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port“

„iLO is either embedded on the system board, or available as a PCI card“

Features:

Reset the server (in case the server doesn't respond anymore via the normal network card)

Power-up the server (possible to do this from a remote location, even if the server is shut down)

Remote console (in some cases however an 'Advanced license' may be required for some of the utilities to work)

Mount remote physical CD/DVD drive or image

…

Page 6

iLo what?

HP: „When reliability is essential for your system health, HP Integrated Lights-Out (iLO) provides the automated intelligence to maintain complete server control from any place. HP iLO functions out-of-the-box without additional software installation regardless of the servers' state of operation giving you complete access to your server from any location via a web browser or the iLO Mobile App“

Page 7

iLo what in the hotel

Page 8

iLo what, much power

Page 9

Unpacking

iLo2: extract exe and zlib, IDA V850

iLo3: „binwalk -A ..bin“ -> IDA ARM -> string „decrypt“ -> ARM simulator. Do some simulation, patch some jumps and you get a nice ELF file for Green Hills INTEGRITY (!systempassword)

Quick demo

Page 10

1. Bug

Nmap with open web port, what do you do?

Page 11

1. Bug (fixed meanwhile)

Try some credentials

Page 12

1. Bug

Bypass brute force protection

Page 13

1. Bug

Bypass brute force protection: valid creds give a nice HTTP error

Page 14

2. Bug

SSH/Telnet possible to iLo CLI, what do you do?

Page 15

2. Bug – Buffer overflow

Page 16

3. Bug

Able to add/edit users, what do you do again?

Page 17

3. Bug

Off-by-one error

User records normally look like „name“ 39 bytes + „\x00“ + „login“ 39 bytes + „\x00“ + „password“ 39 bytes + „\x00“

But memcpy(dst, src, 40) is used for updating and strcpy for reading

Page 18

3. Bug

EvilAdmin modifies account of GoodAdmin

Page 19

3. Bug

EvilAdmin adds one char

Page 20

3. Bug

EvilAdmin gets password of GoodAdmin
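The off-by-one from slides 17 to 20 in miniature, as an added example that is not part of the talk and not iLo code: a constructed record with the three 39-byte-plus-NUL fields the slide describes, the fixed 40-byte memcpy beside a bounds-checked replacement, and a measurement of how far a terminator-trusting read runs once the NUL is gone. The struct, its field names, the FORTY_A string and the sample login/password values are all constructed for this demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Record layout as described on the slides: three fields, each holding
 * 39 bytes of content followed by one terminating NUL. The struct, the
 * field names and the sample values are constructed for this example;
 * they are not taken from iLo. */
#define FIELD_CHARS 39
#define FIELD_SIZE  (FIELD_CHARS + 1)

struct user_record {
    char name[FIELD_SIZE];
    char login[FIELD_SIZE];
    char password[FIELD_SIZE];
};

/* A 40-character string: exactly one byte too long for a field. */
#define TEN_A   "AAAAAAAAAA"
#define FORTY_A TEN_A TEN_A TEN_A TEN_A

/* Length of the NUL-terminated string at p, never looking beyond max
 * bytes. Measures how far a strcpy-style read would go without the
 * measurement itself running off the record. */
static size_t bounded_len(const char *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != '\0')
        n++;
    return n;
}

/* The update the slide describes: a fixed 40-byte memcpy. A 40-character
 * source fills the field and overwrites the terminating NUL, so the field
 * now runs straight into the next one. Kept only to show the failure
 * mode beside the fix; the source must be at least 40 bytes long. */
static void set_field_buggy(char field[FIELD_SIZE], const char *src)
{
    memcpy(field, src, FIELD_SIZE);
}

/* Hardened update: reject anything longer than the field can hold and
 * always write the terminator. Returns false and leaves the field
 * untouched on rejection, so the caller can report an error. */
static bool set_field_safe(char field[FIELD_SIZE], const char *src)
{
    size_t n = strlen(src);
    if (n > FIELD_CHARS)
        return false;
    memset(field, 0, FIELD_SIZE);
    memcpy(field, src, n);
    return true;
}

/* Fills a record with constructed login/password values, stores `name`
 * with either update routine, and returns how many bytes a NUL-trusting
 * read of the name field consumes. 39 or fewer: the terminator held.
 * More: the read spilled into the login field and beyond. -1: the safe
 * routine rejected the input. */
static int name_read_length(bool use_safe, const char *name)
{
    struct user_record r;
    memset(&r, 0, sizeof r);
    set_field_safe(r.login, "goodadmin");             /* constructed */
    set_field_safe(r.password, "constructed-secret"); /* constructed */

    if (use_safe) {
        if (!set_field_safe(r.name, name))
            return -1;
    } else {
        set_field_buggy(r.name, name);
    }
    /* name is the first member, so scanning from the start of the record
     * is exactly what strcpy(dst, r.name) would read. */
    return (int)bounded_len((const char *)&r, sizeof r);
}

int main(void)
{
    printf("buggy update, 40-char name: read consumes %d bytes\n",
           name_read_length(false, FORTY_A));
    printf("safe update,  40-char name: %d (rejected)\n",
           name_read_length(true, FORTY_A));
    printf("safe update,  39-char name: read consumes %d bytes\n",
           name_read_length(true, FORTY_A + 1));
    return 0;
}
```

With the fixed-size memcpy, a 40-character name fills the field including the byte where the terminator lived, so a read that trusts the NUL continues through the login field (49 bytes in this constructed record) and, if the login is also 40 characters, on into the password. The fix is not a bigger buffer but refusing input longer than the field and always writing the terminator; the same check belongs in front of every copy into a fixed-width record, and the reading side should use a length-bounded copy rather than strcpy.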

Page 21

4. Bug

Able to add/edit users, what might you also do?

Page 22

4. Bug

„%x%x%x%x“

Page 23

4. Bug

Format string iLo2: straight in login to ssh/telnet

Format string iLo3: show log in CLI

… yeah, demo soon

Page 24

5. Bug

Able to add/edit users, what I like to do?

Page 25

5. Bug

Fun with non-printable values with iLo2

DEMO

Page 26

5. Bug

Fun with non-printable values

Bell: „\x07“

Beep a lot: use also bug 4 ;)

Invisible user: „\x01“

Terminal drawing: „\x0a\x0d“ and more
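Bugs 4 and 5 (slides 21 to 26) share a root cause: a user-supplied name reaches a printf-style format or a terminal unfiltered. This added example, written for this page and not taken from the talk or from iLo, shows the two defences side by side in C: a whitelist that rejects control bytes such as \x07, \x01, \x0a and \x0d when a name is set, and an escaping display routine that passes the stored name as a %s argument rather than as the format. The function names, the log-line text and the sample names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Whitelist check for a user name at input time: printable 7-bit ASCII
 * only. Rejects the bell (\x07), \x01, CR/LF (\x0d, \x0a) and every
 * other control byte, DEL, and anything above 0x7e. */
static bool name_is_clean(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            return false;
    }
    return true;
}

/* Render an already-stored name for a terminal or log line: every
 * non-printable byte becomes a \xNN escape, so it cannot ring the bell,
 * redraw the screen or hide an entry. Returns the number of bytes
 * written (excluding the NUL) or -1 if `out` is too small. */
static int escape_for_display(const char *s, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e) {
            if (used + 4 >= outsz)
                return -1;
            snprintf(out + used, outsz - used, "\\x%02x", (unsigned)c);
            used += 4;
        } else {
            if (used + 1 >= outsz)
                return -1;
            out[used++] = (char)c;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Convenience wrapper returning the escaped form in a static buffer
 * (not reentrant; fine for a single-threaded demonstration). */
static const char *escaped(const char *name)
{
    static char buf[256];
    if (escape_for_display(name, buf, sizeof buf) < 0)
        return "<name too long to display>";
    return buf;
}

/* Builds the (constructed) log line for a login attempt. The name is
 * always a %s argument and never the format string itself, so a name of
 * "%x%x%x%x" is printed literally instead of being interpreted. */
static const char *login_log_line(const char *name)
{
    static char line[320];
    snprintf(line, sizeof line, "login attempt for user: %s", escaped(name));
    return line;
}

int main(void)
{
    /* Constructed sample names: the format-string probe from slide 22 and
     * control bytes like those on slide 26. Octal escapes are used so the
     * C parser does not swallow the following letter into a hex value. */
    const char *samples[] = { "admin", "%x%x%x%x", "a\007b", "\001hidden",
                              "draw\012\015me" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("clean=%d  %s\n", name_is_clean(samples[i]),
               login_log_line(samples[i]));
    return 0;
}
```

Note that "%x%x%x%x" passes the printable check: filtering characters does not address the format-string bug, only the fixed format string in login_log_line does. Filtering control bytes at input time is the right place to stop the bell, the invisible user and the terminal drawing, and the escaping display keeps names that were stored before the check existed harmless when they are shown in the CLI or a log viewer.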

Page 27

6. Bug

One unauthorized HTTP request to kill the webserver

Try „…\u07“ as username to login ;)

Demo: so let's kill it… and finish the talk

Page 28

And more bugs

Possible to set a stored XSS

Unauthorized functionality: check which URLs do not require a valid session

Undocumented features: check CLI command „handlers“

Page 29

That's it

Questions?