Backdooring your server through its BMC: the HPE iLO4 case — Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date : 13 juin 2018 à 11:30 — 30 min.
iLO is the server management solution embedded in almost every HP servers for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor.
We performed an initial deep dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation as well as full compromise of the host server operating system through DMA.
One of the main outcome of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also a remote code execution. Still, one question remains open, namely; are the iLO systems resilient against a long term compromise at firmware level. For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long term persistence on the system; how a new/backdoored firmware can be crafted then installed, to offer an attacker a stealth and resilient backdoor in an environment which has been compromised.