Slashdot Mirror
Critical Bug Last Year Allowed Bypassing Authentication On HPE ILO4 Servers With 29 'A' Characters (bleepingcomputer.com)
Public exploit code has been published for a severe vulnerability which last year affected Hewlett Packard Integrated Lights-Out 4 (HP iLO 4), a tool for remotely managing the company's servers.
HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.
HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:
curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.
You may have hears the phrase "garbage in, garbage out".
That's how programmers used to think. The design and test code try to make it work right, when the user uses it right, of course. If the user mashes keys at random, random things might happen. That used to be an okay way of thinking.
The internet has changed that. Now the user (connecting over the internet) WILL mash keys at random. Well, their script will send random bytes. It's no longer okay for software to respond in random ways when it receives random input. Any software accessible via the network MUST be designed thinking about how things can go wrong, not just about how it should work correctly.
Many programmers, especially those who learned writing desktop applications, still think in terms of the program doing the right thing when it receives sane input. Insane input isn't handled securely. The programmers who wrote the ilo software made this mistake.
Specifically, the input is up to 16 characters long, so they failed to handle the case of very long input. Network. Software should be tested with these inputs, at least:
Empty input
Zero
The null character (ASCII 0)
Very long input