1 guy looking at iLo 2 and 3 for 4 days and finding more than 5 bugs
Veysel Özer, hardwear.io 2015

Agenda
- Who am I
- How did it get started
- iLo what?
- unpacking
- Bugs and fun

Who am I
- IT security experience for over a decade: from buffer overflows, format string bugs, ROP, over XSS, SQL injections, meterpreter sessions, up to AV bypass, network voodoo and fun with mimikatz
- CarIT hardware hacking for over 5 years: from UART, JTAG, CAN, over arm/v850/8051/xxx assembler, up to glitching, side channels and no fun with Renesas
- Had pleasure to speak at first nullcon ;)

How did it get started?
- A friend kept bugging me to take a look at iLo, cause he doesn't like some HP guys
- One afternoon another friend and I opened an HP server, desoldered and read out a flash chip with iLo firmware
- No ultra critical bugs were found, but really funny ones

iLo what?
Wikipedia:
"iLO is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port"
"iLO is either embedded on the system board, or available as a PCI card"
Features:
- Reset the server (in case the server doesn't respond anymore via the normal network card)
- Power-up the server (possible to do this from a remote location, even if the server is shut down)
- Remote console (in some cases however an 'Advanced license' may be required for some of the utilities to work)
- Mount remote physical CD/DVD drive or image
- …

iLo what?
HP:
"When reliability is essential for your system health, HP Integrated Lights-Out (iLO) provides the automated intelligence to maintain complete server control from any place. HP iLO functions out-of-the-box without additional software installation regardless of the servers' state of operation giving you complete access to your server from any location via a web browser or the iLO Mobile App"

iLo what in the hotel

iLo what, much power

unpacking
- ilo2: extract exe and zlib -> Ida v850
- ilo3: "binwalk -A ..bin" -> Ida arm -> String "decrypt" -> Arm Simulator
- Do some simulation, patch some jumps and you get a nice elf file for Greenhills Integrity (!systempassword)
- Quick demo

1. Bug
- Nmap with open web port, what do you do?

1. Bug (fixed meanwhile)
- Try some credentials

1. Bug
- Bypass brute force protection

1. Bug
- Bypass brute force protection..
- valid creds gives nice http error

2. Bug
- Ssh/Telnet possible to iLo CLI, what do you do?

2. Bug – Buffer overflow

3. Bug
- Able to add/edit users, what do you do again?

3. Bug
- Off-by-one error
- User records normally look like: "name" 39 bytes + "\x00" + "login" 39 bytes + "\x00" + "password" 39 bytes + "\x00"
- But memcpy(dst, src, 40) is used for updating and strcpy for reading

3. Bug
- EvilAdmin modifies account of GoodAdmin

3. Bug
- EvilAdmin adds one char

3. Bug
- EvilAdmin gets password of GoodAdmin
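
The record layout and the memcpy/strcpy mismatch from the off-by-one slides, as an added C example that is not code from the talk or from the iLO firmware. The flat 120-byte record, all function names and the sample values are assumptions constructed for illustration; the hardened update and reader show the two places the missing terminator can be caught.

```c
#include <stdio.h>
#include <string.h>

/* Layout from the slide: three fields, each 39 bytes + "\x00". */
enum { FIELD = 40, NAME = 0, LOGIN = 40, PASSWORD = 80, RECORD = 120 };

/* Update as on the slide: memcpy(dst, src, 40). Byte 40 is a terminator
 * only if the caller happened to send one. */
void update_unsafe(char *rec, size_t off, const char *src40) {
    memcpy(rec + off, src40, FIELD);
}

/* Hardened update: at most 39 data bytes, the rest of the field zeroed. */
int update_safe(char *rec, size_t off, const char *src, size_t len) {
    if (len >= FIELD) return -1;        /* reject, do not truncate silently */
    memset(rec + off, 0, FIELD);
    memcpy(rec + off, src, len);
    return 0;
}

/* Reader as on the slide: strcpy stops at the first NUL, wherever it is. */
size_t read_strcpy(const char *rec, size_t off, char *out /* RECORD bytes */) {
    strcpy(out, rec + off);
    return strlen(out);
}

/* Hardened reader: never looks past the field's own 40 bytes. */
size_t read_bounded(const char *rec, size_t off, char *out) {
    const char *end = memchr(rec + off, '\0', FIELD);
    size_t n = end ? (size_t)(end - (rec + off)) : FIELD - 1;
    memcpy(out, rec + off, n);
    out[n] = '\0';
    return n;
}

/* Constructed record: the login field is filled with 40 non-NUL bytes via
 * update_unsafe; returns how many bytes the chosen reader hands back. */
size_t login_len_after_overlong_update(int bounded_reader) {
    char rec[RECORD] = {0}, out[RECORD], in[FIELD];
    update_safe(rec, PASSWORD, "constructed-secret", 18);
    memset(in, 'A', FIELD);             /* 40 bytes, no terminator */
    update_unsafe(rec, LOGIN, in);
    return (bounded_reader ? read_bounded : read_strcpy)(rec, LOGIN, out);
}

int main(void) {
    printf("strcpy: %zu, bounded: %zu\n", login_len_after_overlong_update(0), login_len_after_overlong_update(1));
    return 0;
}
```

The strcpy-style reader returns the 40 login bytes plus the 18 bytes of the neighbouring password field; the bounded reader stops at 39.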

4. Bug
- Able to add/edit users, what you also might do?

4. Bug
- "%x%x%x%x"

4. Bug
- Format string iLo2: straight in login to ssh/telnet
- Format string iLo3: show log in cli
- … yeah demo soon

5. Bug
- Able to add/edit users, what I like to do?

5. Bug
- Fun with non-printable values with iLo2
- DEMO

5. Bug
- Fun with non-printable values
- Bell: "\x07"
- Beep a lot: use also bug 4 ;)
- Invisible user: "\x01"
- Terminal drawing "\x0a\x0d" and more

6. Bug
- One unauthorized http request to kill the webserver
- Try "…\u07" as username to login ;)
- Demo: so let's kill it… and finish the talk

And more bugs
- Possible to set a stored XSS
- Unauthorized functionality: check which URLs do not require a valid session
- Undocumented features: check CLI commands "handlers"

That's it
Questions?