- Hp ilo 4 firmware bin update#
- Hp ilo 4 firmware bin archive#
- Hp ilo 4 firmware bin software#
- Hp ilo 4 firmware bin code#
If it does not, well, refer to our ZeroNights talk and get your hands dirty: you will have to reflash the chip by hardware means! iLO PCILeech service If anything went wrong, the kernel should open a recovery FTP server. The resulting firmware can then be flashed by exploiting the web server vulnerability: $ python exploit_write_flash.py 192.168.42.78 250 /tmp/ilo4_Īfter the flash, iLO needs to be restarted to boot on its new firmware. This can take a few minutes given the very low speed of the compression/decompression algorithms implemented in Python :) iLO bootloader header : iLO4 v 2.50.67 2
Hp ilo 4 firmware bin code#
The new GET handler code is in the GET_handler.S file, and can be inserted as follows: $. Be aware that using this code can brick your iLO, and even the whole server! We recently added the exploit code which effectively writes this backdoored firmware on the flash chip through the use of the CVE-2017-12542 web server vulnerability. Writing a faster implant in the firmware is left as an exercise to the reader :)Īll the tooling to insert the "backdoor" in an iLO4 2.50 firmware has been released after our SSTIC presention on the ilo4_toolbox repository. There are some drawbacks in using this firmware, as the HTTP communication adds a time overhead and restricts the size of data which can be sent in a single request, but it is sufficient for this proof-of-concept. iLO modified firmwareĪs a proof-of-concept, we will re-use the backdoored firmware we crafted as a demonstration of our SSTIC presentation.Īs a reminder, this firmware exposes a new endpoint in the web server task, providing read and write memory primitives through GET HTTP requests. The modified version has been put online on our repository. This is all we need for a working PCILeech device. RAWTCP_PROTO_PACKET, *PRAWTCP_PROTO_PACKET Add references to this new device in pcileech.Create a new pair of source and header files implementing open, read, write and close primitives.
Hp ilo 4 firmware bin software#
PCILeech is a tool using either hardware or software memory acquisition devices to perform various actions on a target's physical memory, including inserting kernel modules and unlocking sessions.Īdding a new device is quite straightforward: It seems this feature would be interesting, so this blogpost aims at describing a proof-of-concept of a link between PCILeech and HPE iLO4 using a modified firmware. Indeed, Nicolas Iooss told us he successfully managed to use this tool for the exploitation of yet-another HPE iLO vulnerability. In this latest presentation, we told the audience that the memory R/W primitive we got through the vulnerability allows us to perform in-memory attacks just as PCILeech tool does.
ZeroNights: Turning your BMC into a revolving door: this final part is centered on the attack surface from the host operating system, and explains in details the exploitation of two new vulnerabilities used to flash a backdoored firmware from the host and bypass iLO5 secure boot feature.SSTIC: Backdooring your server through its BMC: the HPE iLO4 case: this second part focuses on gaining persistence on iLO4 by using the previous vulnerability to write a backdoored firmware.Recon BRX: Subverting your server through its BMC: the HPE iLO4 case: this part covers iLO firmware and OS internals, a critical vulnerability in the web server, and the demonstration of the ability to reach the main host memory.This study has been presented in 3 different parts:
While Immunity presented critical vulnerabilities on both HPE iLO 2 and Dell iDRAC, we (Alexandre Gazet from Airbus, Joffrey Czarny from Medallia, and myself) focused on HPE iLO latest versions, namely iLO4 and iLO5. We’ll refresh the page, you may have to clear your browser’s cache and we can enter the updated iLO.2018 has been a really tough year for BMCs! Although their attack surface was not something new (IPMI has been studied by Dan Farmer back in 2013, followed by a state-of-the-art blogpost by HD Moore), recent studies have shed light on how powerful these devices are in the servers, being able to directly access the main host memory, and how poor their code quality and software mitigations were.
Hp ilo 4 firmware bin update#
We will unpack the downloaded archive, it should contain the firmware file with the extension *.bin, this is exactly the firmware.Ĭonnect the cable to the iLO port, open the iLO web interface in Internet Explorer or Edge, enter the username and password (they are usually written on a sticker on the front panel of the server), open the “ Administration ” tab on the left, select “ iLO Firmware “, click “ Browse …” and point to the firmware file, click “ Upload” and wait for the update process to complete.Īfter a successful update, iLO will automatically restart, it will not affect the server, it will work continuously.
Hp ilo 4 firmware bin archive#
I also saved for you iLO4 version 2.79 in the zip archive here
0 kommentar(er)
