HP iLO talk at Recon Brx 2018

Now that we have presented our vulnerability in HP Integrated Lights-Out (iLO) 4 at Recon Brussels, we are releasing the slides and tools that were developed during our study.

The slides are available here.

The vulnerability we identified (CVE-2017-12542) has been patched by HP in iLO 4 versions 2.53 and 2.54. Again, we highly recommend applying the patch, as exploitation is pretty straightforward.

Demonstration videos

In case you missed the talk, we also made the demonstration videos available. The first one contains a reusable authentication bypass exploit:

demo1.gif

Then, we show that we can execute code on the host, giving us cleartext credentials:

demo2.gif

Finally, we show that we can compromise the host operating system through DMA:

demo3.gif

Tooling

During the talk, we presented several tools we built to dissect the firmware and load it into IDA, as well as an iLO network scanner. These tools are available in the following repository: https://github.com/airbus-seclab/ilo4_toolbox