[Beowulf] HPE iLO4 BMC authentication bypass

Thu Jun 21 05:35:02 PDT 2018

Oh, I just love that hacker with the black mask on hunched over the laptop
(page 6).
That's a fail straight away. As soon as you see someone on your campus with
a black mask on you know he/she is up to no good.

Regarding separate physical IPMI networks I have seen it done both ways.
One site I worked with had a completely separate IPMI infrastructure.
Including the IPMI access and control servers
sited in a different room from the main server room. For the very good
reason of still being able to do shutdowns if the whole rest of the
shooting match
was boiling itself to death etc. etc. Worth thinking about.

On 21 June 2018 at 12:31, Chris Samuel <chris at csamuel.org> wrote:

> Hi all,
>
> On the subject of BMCs, in case you've not seen this & run HPE gear.
>
> https://twitter.com/marcan42/status/1008981518159511553
>
> # HP iLO4 authentication bypass:
> # curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
> # No, that's not a crash PoC. That's a full blown auth bypass.
> # sscanf into fixed buffer overwrites a flag field that bypasses auth.
> # Yes, really.
>
> The tweet links to this PDF about backdooring HP servers via this:
>
> https://airbus-seclab.github.io/ilo/SSTIC2018-Slides-EN-
> Backdooring_your_server_through_its_BMC_the_HPE_iLO4_
> case-perigaud-gazet-czarny.pdf
>
> Fortunately I think every system I've run so far has had the BMCs
> on their own separate IP network.
>
> All the best,
> Chris
> --
>  Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC
>
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> To change your subscription (digest mode or unsubscribe) visit
> http://www.beowulf.org/mailman/listinfo/beowulf
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.beowulf.org/pipermail/beowulf/attachments/20180621/7fa8bf02/attachment.html>