[Beowulf] HPE iLO4 BMC authentication bypass
Chris Samuel
chris at csamuel.org
Thu Jun 21 03:31:56 PDT 2018
Hi all,
On the subject of BMCs, in case you've not seen this & run HPE gear.
https://twitter.com/marcan42/status/1008981518159511553
# HP iLO4 authentication bypass:
# curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# No, that's not a crash PoC. That's a full blown auth bypass.
# sscanf into fixed buffer overwrites a flag field that bypasses auth.
# Yes, really.
The tweet links to this PDF about backdooring HP servers via this:
https://airbus-seclab.github.io/ilo/SSTIC2018-Slides-EN-Backdooring_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf
Fortunately I think every system I've run so far has had the BMCs
on their own separate IP network.
All the best,
Chris
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
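The mechanism the tweet describes, an unbounded sscanf "%s" into a fixed-size buffer that sits directly in front of an authentication flag, is easy to reproduce in a few lines of C. The following is an added example written for this archive page; it is not code from the tweet, the slides or HPE, and the struct layout, field names and buffer size (24 bytes) are assumptions chosen so that the tweet's 29-byte header value lands on the flag. The hardened parser beside it uses a width on the conversion and "%n" to detect and reject an over-long value instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for the demo: a fixed buffer for the Connection: header
 * value sits immediately before the field that records whether the
 * request has been authenticated. The real iLO4 sizes and names are not
 * on this page; these are invented so that 29 bytes reach the flag. */
struct session {
    char connection[24];  /* header value, fixed size, no length check */
    int  authenticated;   /* 0 until a credential check succeeds */
    char user[32];        /* absorbs the tail of the overflow in this demo */
};

/* Exactly the header value from the tweet: 29 'A' bytes (10 + 10 + 9). */
#define A10 "AAAAAAAAAA"
static const char TWEET_HEADER[] = "Connection: " A10 A10 "AAAAAAAAA";

/* Vulnerable: "%s" carries no width, so sscanf copies every non-space byte
 * of the value. 24 or more bytes run past connection[] into authenticated;
 * any non-zero byte there turns the flag "on" without a credential check. */
static int parse_connection_vulnerable(const char *header, struct session *s)
{
    return sscanf(header, "Connection: %s", s->connection);
}

/* Hardened: "%23s" caps the copy at sizeof(connection) - 1 bytes plus the
 * terminator, and "%n" records how far the parser got. If the byte after the
 * consumed text is not the end of the value, the value was longer than the
 * buffer and the request is rejected rather than silently truncated. */
static int parse_connection_hardened(const char *header, struct session *s)
{
    int consumed = 0;
    if (sscanf(header, "Connection: %23s%n", s->connection, &consumed) != 1)
        return -1;
    char next = header[consumed];
    if (next != '\0' && next != '\r' && next != '\n' &&
        next != ' '  && next != '\t')
        return -1;  /* over-long value: refuse it */
    return 0;
}

/* Returns 1 if the vulnerable parser leaves the request looking
 * authenticated, 0 otherwise. No credential check ever runs here. */
int request_authenticated_vulnerable(const char *header)
{
    struct session s;
    memset(&s, 0, sizeof s);
    parse_connection_vulnerable(header, &s);
    return s.authenticated != 0;
}

/* Returns 0 for a well-formed request (still unauthenticated) and -1 when
 * the hardened parser rejects the header. */
int request_authenticated_hardened(const char *header)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (parse_connection_hardened(header, &s) != 0)
        return -1;
    return s.authenticated != 0;
}

int main(void)
{
    /* Constructed sample headers: one benign, one the tweet's payload. */
    const char *benign = "Connection: keep-alive";
    printf("benign header   -> vulnerable:%d hardened:%d\n",
           request_authenticated_vulnerable(benign),
           request_authenticated_hardened(benign));
    printf("29 x 'A' header -> vulnerable:%d hardened:%d\n",
           request_authenticated_vulnerable(TWEET_HEADER),
           request_authenticated_hardened(TWEET_HEADER));
    return 0;
}
```

The vulnerable parser reports the 29-byte value as authenticated purely because the bytes 0x41 land in the flag; any non-zero filler would do. The fix is not only the width specifier: without the "%n" check a 30-byte value would be quietly cut to 23 bytes and accepted as if it were valid, which is the kind of silent truncation that hides the next bug.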