Published by Bernice Simon. Modified over 9 years ago.
1
1 guy looking at iLo 2 and 3 for 4 days and finding more than 5 bugs Veysel Özer hardwear.io 2015
2
Agenda: Who am I; How did it get started; iLo what?; unpacking; Bugs and fun
3
Who am I
IT security experience for over a decade: from buffer overflows, format string bugs, ROP; over XSS, SQL injections, meterpreter sessions; up to AV bypass, network voodoo and fun with mimikatz.
CarIT hardware hacking for over 5 years: from UART, JTAG, CAN; over arm/v850/8051/xxx assembler; up to glitching, side channels and no fun with Renesas.
Had pleasure to speak at first nullcon ;)
4
How did it get started? A friend kept bugging me to take a look at iLo, because he doesn’t like some HP guys. One afternoon another friend and I opened an HP server, desoldered a flash chip with the iLo firmware and read it out. No ultra-critical bugs were found, but really funny ones.
5
iLo what? Wikipedia:
„iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port“
„iLO is either embedded on the system board, or available as a PCI card“
Features:
- Reset the server (in case the server doesn't respond anymore via the normal network card)
- Power-up the server (possible to do this from a remote location, even if the server is shut down)
- Remote console (in some cases however an 'Advanced license' may be required for some of the utilities to work)
- Mount remote physical CD/DVD drive or image
- …
6
iLo what? HP: „When reliability is essential for your system health, HP Integrated Lights-Out (iLO) provides the automated intelligence to maintain complete server control from any place. HP iLO functions out-of-the-box without additional software installation regardless of the servers' state of operation giving you complete access to your server from any location via a web browser or the iLO Mobile App“
7
iLo what in the hotel
8
iLo what, much power
9
unpacking
ilo2:
- extract exe and zlib
- Ida v850
ilo3:
- „binwalk -A..bin“ -> Ida arm -> String „decrypt“ -> Arm Simulator
- Do some simulation, patch some jumps and you get a nice elf file for Greenhills Integrity (!systempassword)
Quick demo
10
1. Bug Nmap with open web port, what do you do?
11
1. Bug (fixed meanwhile) Try some credentials
12
1. Bug Bypass brute force protection
13
1. Bug Bypass brute force protection: valid creds give a nice http error
14
2. Bug Ssh/Telnet possible to iLo CLI, what do you do ?
15
2. Bug – Buffer overflow
16
3. Bug Able to add/edit users, what do you do again ?
17
3. Bug Off-by-one error. User records normally look like „name“ 39 bytes + „\x00“ + „login“ 39 bytes + „\x00“ + „password“ 39 bytes + „\x00“. But memcpy(dst, src, 40) is used for updating and strcpy for reading.
18
3. Bug EvilAdmin modifies account of GoodAdmin
19
3. Bug EvilAdmin, adds one char
20
3. Bug EvilAdmin gets password of GoodAdmin
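The off-by-one from the user-record slides, reduced to a model with the vulnerable update beside a length-checked one. This is an added example, not code from the talk or from the iLO firmware; the flat record buffer, the field offsets, the function names and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_LEN  39                /* characters per field, per the slide */
#define SLOT_LEN   (FIELD_LEN + 1)   /* field plus its "\x00" */
#define LOGIN_OFF  SLOT_LEN          /* assumed layout: name | login | password */
#define PASS_OFF   (2 * SLOT_LEN)
#define RECORD_LEN (3 * SLOT_LEN)

/* Update as on the slide: up to 40 bytes are copied, so a 40-character
 * value fills the whole slot and leaves no terminator behind. */
static void update_vulnerable(char *rec, size_t off, const char *in)
{
    size_t n = strlen(in);
    memset(rec + off, 0, SLOT_LEN);
    memcpy(rec + off, in, n > SLOT_LEN ? SLOT_LEN : n);
}

/* Hardened update: anything longer than 39 characters is rejected. */
static int update_hardened(char *rec, size_t off, const char *in)
{
    size_t n = strlen(in);
    if (n > FIELD_LEN) return -1;
    memset(rec + off, 0, SLOT_LEN);
    memcpy(rec + off, in, n);
    return 0;
}

/* strcpy-style read: runs to the first "\x00", wherever that is (bounded
 * to the record here so the demonstration itself stays in bounds). */
static void read_field(const char *rec, size_t off, char *out)
{
    const char *end = memchr(rec + off, 0, RECORD_LEN - off);
    size_t n = end ? (size_t)(end - (rec + off)) : RECORD_LEN - off;
    memcpy(out, rec + off, n);
    out[n] = '\0';
}

/* Constructed record; returns 1 if reading the login exposes the password. */
static int login_read_leaks(int hardened)
{
    char rec[RECORD_LEN] = {0}, out[RECORD_LEN + 1], forty[SLOT_LEN + 1] = {0};
    memset(forty, 'A', SLOT_LEN);                 /* 39 characters plus one */
    update_hardened(rec, PASS_OFF, "constructed-secret");
    if (hardened) update_hardened(rec, LOGIN_OFF, forty);
    else          update_vulnerable(rec, LOGIN_OFF, forty);
    read_field(rec, LOGIN_OFF, out);
    return strstr(out, "constructed-secret") != NULL;
}
int main(void) { printf("%d %d\n", login_read_leaks(0), login_read_leaks(1)); return 0; }
```

The fix belongs on the write path: once a slot has lost its terminator, every reader that trusts "\x00" returns the neighbouring field as well.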
21
4. Bug Able to add/edit users, what you also might do?
22
4. Bug „%x%x%x%x“
23
Format string iLo2: straight in login to ssh/telnet. Format string iLo3: show log in cli … yeah demo soon
24
5. Bug Able to add/edit users, what do I like to do?
25
5. Bug Fun with non-printable values with iLo2 DEMO
26
5. Bug Fun with non-printable values. Bell: „\x07“. Beep a lot: use also bug 4 ;) Invisible user: „\x01“. Terminal drawing: „\x0a\x0d“ and more
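Bugs 4 and 5 both come from a user name reaching an output routine unfiltered. The sketch below is an added example, not code from the talk or the firmware: a hypothetical log formatter that keeps the name out of the format string and escapes control bytes before they reach a terminal. The function names and the sample input are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Escape every byte outside printable ASCII (and the backslash itself) as
 * \xNN so BEL, CR/LF and other control bytes cannot act on the terminal. */
static size_t escape_untrusted(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    if (out_len == 0) return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= out_len) break;          /* keep room for the NUL */
            out[o++] = (char)c;
        } else {
            if (o + 4 >= out_len) break;          /* 4 chars plus the NUL */
            o += (size_t)snprintf(out + o, out_len - o, "\\x%02x", (unsigned)c);
        }
    }
    out[o] = '\0';
    return o;
}

/* Hypothetical log formatter: the user name is only ever an argument to a
 * constant format string, never the format itself. */
static int format_login_event(const char *user, char *line, size_t line_len)
{
    char safe[160];
    escape_untrusted(user, safe, sizeof safe);
    return snprintf(line, line_len, "login attempt for user \"%s\"", safe);
}

int main(void)
{
    char line[256];
    /* Constructed input: the format specifiers and control bytes from the slides. */
    format_login_event("%x%x%x%x\x07\x01\x0a\x0d", line, sizeof line);
    puts(line);
    return 0;
}
```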
27
6. Bug One unauthorized http request to kill the webserver. Try „…\u07“ as username to login ;) Demo: so let's kill it … and finish the talk
28
And more bugs. Possible to set a stored XSS. Unauthorized functionality: check which URLs do not require a valid session. Undocumented features: check CLI commands „handlers“
29
That's it. Questions?