Remote Command Execution in Proliant iLO Intelligent Provisioning

iLO is an embedded operating system available within HP Proliant and Integrity servers. Intelligent Provisioning (IP) is a feature within iLO that provides local and remote access for provisioning purposes. It was discovered that hidden requests were being made to the server during a normal client session. Exploring this obfuscated functionality revealed the ability to execute arbitrary commands as root on the system.

Vulnerable Versions

Integrated Lights-Out 4 (latest firmware v2.00) with Intelligent Provisioning v1.60

Analysis

Administrators can use the Remote Console from the iLO web interface to initiate Intelligent Provisioning. Working in this mode is common for new deployments, as it provides many facilities for configuration, diagnostics and, most importantly, system updates. There are Apache web servers listening on both ports 80 and 2381. There is also an Nginx server listening on port 5008. There is no authentication to access the content at any of these portals; the system relies upon obfuscation techniques to mask the implementation from the frontend. For example, a remote request to /hpdiags/frontend2/startup.php on port 2381 returns the server’s diagnostic page. On port 5008, /confirmerase.htm lets you erase “All Hard Drives”, RBSU and logs. /locfg.htm allows you to change the Administrator password.
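Because these portals perform no authentication, network-side review is the only place such requests can be caught. The following is an added example, not part of the original advisory or of any HP tooling: it reviews proxy or flow records for requests to the ports and paths named above. The log layout, the `review` and `normalize` helpers, and all addresses (iLO host 10.20.0.50, management subnet 10.20.0.0/24) are constructed assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote
# Ports and paths named in the advisory text above.
IP_PORTS = {80, 2381, 5008}
SENSITIVE_PATHS = {
    "/hpdiags/frontend2/startup.php": "diagnostics page",
    "/confirmerase.htm": "erase of drives, RBSU and logs",
    "/locfg.htm": "Administrator password change",
}
# Assumed (constructed) record layout: time src dst:port method url status
LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\d{3})$")

def normalize(url):
    """Reduce a request target to a comparable path."""
    path = unquote(url.split("?", 1)[0])  # drop query, decode %xx
    path = posixpath.normpath(re.sub(r"/+", "/", path))  # fold // and /./
    return path.lower()  # lenient on case: over-flagging is acceptable here

def review(lines, ilo_hosts, mgmt_net):
    """Return (severity, src, port, path, reason) for each notable request."""
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the assumed layout
        _, src, dst, port, _, url, _ = m.groups()
        port = int(port)
        if dst not in ilo_hosts or port not in IP_PORTS:
            continue
        path = normalize(url)
        if path in SENSITIVE_PATHS:  # notable from any source: no auth in front
            findings.append(("high", src, port, path, SENSITIVE_PATHS[path]))
        elif ipaddress.ip_address(src) not in net:
            findings.append(("medium", src, port, path, "source outside management subnet"))
    return findings

# Constructed sample records; every address and timestamp is hypothetical.
SAMPLE = [
    "2024-01-01T10:00:00Z 10.20.0.5 10.20.0.50:2381 GET /index.html 200",
    "2024-01-01T10:01:00Z 192.0.2.77 10.20.0.50:2381 GET /hpdiags/frontend2/startup.php 200",
    "2024-01-01T10:02:00Z 10.20.0.9 10.20.0.50:5008 GET //confirmerase.htm?x=1 200",
    "2024-01-01T10:03:00Z 192.0.2.77 10.20.0.50:5008 GET /%6Cocfg.htm 200",
    "2024-01-01T10:04:00Z 192.0.2.77 10.20.0.50:80 GET /favicon.ico 404",
    "2024-01-01T10:05:00Z 192.0.2.77 10.20.0.60:443 GET /locfg.htm 200",
]
if __name__ == "__main__":
    print(*review(SAMPLE, {"10.20.0.50"}, "10.20.0.0/24"), sep="\n")
```

Requests to the three named paths are reported even when they originate inside the management subnet, since nothing on the server side distinguishes an administrator from any other client.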