Curl request with 29 As and it’s lights out for iLO 4
The script kiddie-friendly attack route dumbs down exploitation of a severe vulnerability dating from last year, which stemmed from coding flaws in HPE’s Integrated Lights-Out 4 (iLO 4), a tool for remotely managing corporate servers.
HPE quietly fixed the vuln and other less severe flaws through patches released last August. Users were told iLO 4 versions prior to 2.53 were vulnerable but HPE held back on exact details. The batch contained an unspecified vulnerability that might lead to authentication bypass or remote code execution.
The most serious hole was referenced in a detailed takedown (28-page PDF) of HPE’s iLO server management software from security researchers at Synacktiv and Airbus in spring.
The flaw in the web server component of the server management tech opens up a mechanism for hackers to access HPE iLO consoles. Access might be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware.
Worse yet, the vulnerability – which lends itself to remote execution – can be trivially easy to exploit. Early exploits geared towards adding a new user made available back in February take multiple lines of code but the latest rev is a one-line doozy.
All that is required is a curl request and 29 “A” characters:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
This ease of exploitation has earned the CVE-2017-12542 vulnerability a severity rating of 9.8 out of 10.
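For defenders, the two facts the article gives (a 29-character Connection header triggers the bug; iLO 4 firmware before 2.53 is affected) are enough to write a simple triage check. The following is an added example, not code from the article or from the researchers; the request records and the endpoint paths are constructed here to stand in for what a reverse proxy or capture in front of the iLO web server would log.

```python
# Constructed sample requests, as a proxy or packet capture in front of
# an iLO 4 web interface might record them (paths are placeholders).
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "path": "/",
     "headers": {"Host": "ilo-01.example.internal", "Connection": "keep-alive"}},
    {"client": "10.0.0.9", "path": "/example-endpoint",
     "headers": {"Host": "ilo-01.example.internal", "Connection": "A" * 29}},
    {"client": "10.0.0.9", "path": "/",
     "headers": {"Host": "ilo-02.example.internal", "Connection": "close"}},
]

# Values a well-behaved HTTP client actually sends in a Connection header.
EXPECTED_CONNECTION_TOKENS = {"keep-alive", "close", "upgrade"}
# Per the article, a 29-character value is enough to trigger CVE-2017-12542.
OVERFLOW_LENGTH = 29


def suspicious_connection_header(value: str) -> bool:
    """True when the Connection header is long enough to hit the overflow
    and is not just a list of ordinary connection tokens."""
    tokens = {t.strip().lower() for t in value.split(",") if t.strip()}
    if tokens and tokens <= EXPECTED_CONNECTION_TOKENS:
        return False
    return len(value) >= OVERFLOW_LENGTH


def flag_requests(requests):
    """Return (client, path) for each request carrying a suspicious header."""
    return [
        (r["client"], r["path"])
        for r in requests
        if suspicious_connection_header(r["headers"].get("Connection", ""))
    ]


def ilo4_is_vulnerable(firmware_version: str) -> bool:
    """iLO 4 firmware prior to 2.53 is affected, per the advisory the article cites."""
    major, minor = (int(x) for x in firmware_version.split(".")[:2])
    return (major, minor) < (2, 53)


if __name__ == "__main__":
    for client, path in flag_requests(SAMPLE_REQUESTS):
        print(f"overlong Connection header from {client} to {path}")
    for version in ("2.50", "2.53"):
        print(version, "vulnerable" if ilo4_is_vulnerable(version) else "patched")
```

The header check is deliberately tolerant of normal comma-separated token lists, so it fires only on values that are both overlong and not recognisable connection options.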
Proof-of-concept exploits and more are available via a 43-slide presentation delivered by the security researchers at the SSTIC security con at Rennes, France, in June. Actual exploit code is now out there, so get patching. ®