backdooring your server through its bmc the hpe ilo4 case
play

Backdooring your server through its BMC : the HPE iLO4 case Fabien - PowerPoint PPT Presentation

Nov 07, 2022 •210 likes •658 views

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet & Jofgrey Czarny Rennes, June 13-15 , 2018 Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1 HP

  1. Backdooring your server through its BMC : the HPE iLO4 case Fabien Périgaud, Alexandre Gazet & Jofgrey Czarny Rennes, June 13-15 , 2018

  2. Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1

  3. HP Integrated Lights-Out ( iLO ) • Baseboard Management Controller ( BMC ) embedded in most of HP servers for more than 10 years. Figure 1: Directly integrated on the server’s motherboard This talk only concerns iLO version 4 (last version until mid-2017) found on generations HP ProLiant Gen8 and Gen9 . Analyzes were more specifjcally performed on versions 2.44 et 2.50 of iLO4 . 2

  4. Hardware level (1/2) Standalone system : • Dedicated ARM processor: GLP/Sabine architecture • Firmware stored on a NAND fmash chip • Dedicated RAM chip • Dedicated network interface • Full operating system and applicative image, running as soon as the server is powered. 3

  5. Hardware level (2/2) iLO is directly connected to the PCI-Express bus. 4

  6. Theory Source: Managing HP servers through fjrewalls with Insight Software 1 1 ftp://ftp.hp.com/pub/c-products/servers/management/hpsim/hpsim-53-managing-firewalls.pdf 5

  7. Pratice 6

  8. Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 7

  9. Previous works - Demo Demo 8

  10. Methodology • Firmware update fjle format analysis • Extraction of its components: bootloader, kernel, userland image, signatures, etc. • Kernel Integrity analysis • Understanding of the memory layout of the userland modules (equivalent of processes) • Analysis of the web administration interface • Total time of the study, approximately 5 man-months Publication and tooling • https://github.com/airbus-seclab/ilo4_toolbox 9 • https://recon.cx/2018/brussels/talks/subvert_server_bmc.html

  11. Achievements One critical vulnerability identifjed • CVE-2017-12542 , CVSSv3 9.8 • Fixed in iLO 4 version 2.53 (buggy) and 2.54 Full server compromise • Arbitrary code execution in the context of the web server • iLO to host attack 10 • Authentication bypass and remote code execution

  12. Explications Vulnerability located in the web server • Handling of HTTP line by line • Many uses of C string handling manipulation functions: • strstr() • strcmp() • Handling strings in C is complex and error-prone 11 • sscanf()

  13. How to properly use sscanf() ? 9 } 15 sscanf(http_header , "%*s %s", https_connection ->connection); 14 { 13 else if ( !strnicmp(request, http_header , "Connection:", 0xBu) ) 12 } 11 handle_authorization_credentials(method, encoded_credentials); 10 sscanf(http_header , "%*s %15s %16383s", method, encoded_credentials); { 1 8 else if ( !strnicmp(request, http_header , "Authorization:", 0xEu) ) 7 } 6 state_set_content_length(global_struct_ , content_length); 5 sscanf(http_header , "%*s %d", &content_length); 4 content_length = 0; 3 { 2 else if ( !strnicmp(request, http_header , "Content-length:", 0xFu) ) 12

  14. • Overwriting the boolean localConnection : bypass of the REST API Bufger overfmow } • Web server working bufger at a fjxed address • No NX , no ASLR • Overwriting the vtable pointer: arbitrary code execution curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" :) authentication Double cheese ! 0xB8: void *vtable; The vulnerability allows to overfmow the connection bufger of an https_connection ... 0x28: char localConnection; ... 0x0C: char connection[0x10]; ... struct https_connection { object. 13

  15. Bufger overfmow } • Web server working bufger at a fjxed address • No NX , no ASLR • Overwriting the vtable pointer: arbitrary code execution curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" :) authentication • Overwriting the boolean localConnection : bypass of the REST API Double cheese ! 0xB8: void *vtable; The vulnerability allows to overfmow the connection bufger of an https_connection ... 0x28: char localConnection; ... 0x0C: char connection[0x10]; ... struct https_connection { object. 13

  16. Bufger overfmow } • Web server working bufger at a fjxed address • No NX , no ASLR • Overwriting the vtable pointer: arbitrary code execution curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" :) authentication • Overwriting the boolean localConnection : bypass of the REST API Double cheese ! 0xB8: void *vtable; The vulnerability allows to overfmow the connection bufger of an https_connection ... 0x28: char localConnection; ... 0x0C: char connection[0x10]; ... struct https_connection { object. 13

  17. How-to DMA : CHIF module Analysis of a module: CHIF ( Channel Interface ) • Ability to read WHEA information from the host OS • Direct (read) access to the host memory Feature analysis PCI register • Writing to this mapped memory also impact the host memory • Re-implement this mechanism in a shellcode executed in the context of the iLO WWW server 14 • 16MB of the host memory can be mapped into the iLO memory using an unknown

  18. Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 15

  19. Battle plan Current status • Full platform compromise • Arbitrary code execution on the iLO and the host • RW primitives to the host memory from the iLO Our objective • Survive host re-installation • Stealthiness Idea iLO fjrmware backdooring 16 • Persistent compromise

  20. Firmware update • Update mechanisms: • Dedicated interface from the web administration panel • From the host, using a dedicated binary • Firmware updates are signed • Integrity checked at two distinct times: • Dynamically, during the update process, by the currently running iLO • At boot-time, no hardware root of trust though 17

  21. Bypass of the update mechanism • Modules can expose services • These services can be instantiated as object SPI service • Direct R/W primitives into the SPI fmash Attack • Invoke the“ SpiService ” from a shellcode injected into the WWW server • Direct overwrite of the fjrmware in the fmash • Bypass of the dynamic integrity check of the fjrmware 18 • “ SpiService ” in the spi module

  22. At this point, a rogue fjrmware is written in the fmash. Attach scheme 19 HTTP Web server SpiService SPI module ILO 4

  23. 20 System boot-time userland 1.check integrity 2.decompress 3.load kernel 1.check integrity 2.decompress 3.load bootloader HW reset ILO4 bootchain

  24. The up-coming compromise Methodology 21 fjrmware update 1.check integrity • Full extraction of the 2.decompress userland 3.load kernel 1.check integrity 2.decompress 3.load bootloader hardware reset iLO4

  25. The up-coming compromise bootloader Methodology 21 • Patch of the fjrmware update 1.check integrity • Full extraction of the 2.decompress userland 3.load kernel 1.check integrity 2.decompress 3.load bootloader hardware reset iLO4

  26. The up-coming compromise bootloader Methodology • Patch of the kernel 21 • Patch of the fjrmware update 1.check integrity • Full extraction of the 2.decompress userland 3.load kernel 1.check integrity 2.decompress 3.load bootloader hardware reset iLO4

  27. The up-coming compromise backdoor Methodology • Flash of the fjrmware update • Rebuild the fjrmware 21 • Addition of a bootloader • Patch of the fjrmware update • Patch of the kernel backdoor 1.check integrity • Full extraction of the 2.decompress userland 3.load kernel 1.check integrity 2.decompress 3.load bootloader hardware reset iLO4

  28. Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 22

  29. Target WWW server • High-level network/ HTTP communication primitives • Ability to access the host memory through DMA (demonstrated) • Large binary 23 • Frequently exposed

  30. How to insert the backdoor ? The WWW server handles many pages, like • /html/help.html • /dbug.html • /html/info_blade.html • /html/admin_manage.html Internally represented by structures; a dedicated pointer for each supported HTTP method ( GET , POST , PUT , DELETE , HEAD ). 24

  31. How to insert the backdoor ? (2) • Insert code in an unused space of the WWW server binary • Highjack pointers ( GET et POST ) from a page handler to point to our code 25

  32. Backdoor architecture We want a bidirectional channel between the iLO and the Linux host, through the DMA link. 26

  33. Web server implant Code injection • Insert code in unused space of the binary: content of a downloadable PE fjle Features • R/W primitive in the host physical memory • Re-use web server functions to parse/handle request 27 • Overwrite the GET request handler

  34. • Create a new kernel thread : kthread_create_on_node() / wake_up_process() Linux kernel implant Specifjcations • Allocate physical memory for the communication channel • Retrieve and execute commands • Retrieve commands output Kernel API • Physical memory allocation: kmalloc() / virt_to_phys() • Run commands : call_usermodehelper() • Retrieve their output : redirection into a temp fjle, then kernel_read_file_from_path() 28 • Create a new kernel thread

Recommend

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian) DISCLAIMER We are not terrorists . We won't release our PoC backdoor. The x86 architecture is plagued by legacy. Governments know.

525 views • 37 slides
Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org An idea back in 1995... Locking a computer using hardware An idea back in

742 views • 40 slides
The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

327 views • 30 slides
Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

E LIOM Tierless Web programming from the ground up Gabriel R ADANNE Jrme V OUILLON Vincent B ALAT Vasilis P APAVASILEIOU Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server DOM 2 2 / 22 1

778 views • 42 slides
Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Chanwoo Chung , Jinhyung Koo, Junsu Im, Arvind , and Sungjin Lee DGIST and MIT NVRAMOS 19 2019.10.24 DATA -INTENSIVE COMPUTING SYSTEMS LAB ORATORY Computation Application Application Application Application Application

597 views • 48 slides
1 Handling Return Traffic Handling Return Traffic URL Switching URL Switching Idea: switch

1 Handling Return Traffic Handling Return Traffic URL Switching URL Switching Idea: switch

The Server Selection Problem The Server Selection Problem server array A server farm B Which server? Server Traffic Management Server Traffic Management not-so-great solutions static client binding manual selection HTTP forwarding Jeff

810 views • 3 slides
Just Say NO to Paxos Overhead: Replacing Consensus with Network Ordering Jialin Li , Ellis

Just Say NO to Paxos Overhead: Replacing Consensus with Network Ordering Jialin Li , Ellis

Just Say NO to Paxos Overhead: Replacing Consensus with Network Ordering Jialin Li , Ellis Michael, Naveen Kr. Sharma, Adriana Szekeres, Dan R. K. Ports Server failures are the common case in data centers Server failures are the common case

836 views • 66 slides
SERVER SKY Computation in Orbit Keith Lofstrom keithl@ kl-ic.com http://server-sky.com

SERVER SKY Computation in Orbit Keith Lofstrom keithl@ kl-ic.com http://server-sky.com

SERVER SKY Computation in Orbit Keith Lofstrom keithl@ kl-ic.com http://server-sky.com 2009 September 26 Abstract It is easier to move bits than atoms or energy. Server-sats are ultralight disks of silicon that convert sunlight

269 views • 24 slides
Server Traffic Management Server Traffic Management Jeff Chase Duke University, Department of

Server Traffic Management Server Traffic Management Jeff Chase Duke University, Department of

Server Traffic Management Server Traffic Management Jeff Chase Duke University, Department of Computer Science CPS 212: Distributed Information Systems The Server Selection Problem The Server Selection Problem server array A server farm B

430 views • 14 slides
SERVER SKY - Computation in Orbit Keith Lofstrom keithl@ kl-ic.com http://server-sky.com

SERVER SKY - Computation in Orbit Keith Lofstrom keithl@ kl-ic.com http://server-sky.com

SERVER SKY - Computation in Orbit Keith Lofstrom keithl@ kl-ic.com http://server-sky.com 2009 September 28 Abstract It is easier to move bits than atoms or energy. Server-sats are ultra-thin disks of silicon in earth orbit, powered by

473 views • 12 slides
Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its

Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its

Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its interface Three main concerns Identifies itself to network name server Parameter passing Tells local runtime its dispatcher address Failure cases Import

115 views • 7 slides
File System Client and Server Server response (e.g., file block) request (e.g., read) Client

File System Client and Server Server response (e.g., file block) request (e.g., read) Client

COMP 790-088 -- Distributed File Systems With Case Studies: Andrew and Google COMP 790-088 -- Fall 2009 1 1 File System Client and Server Server response (e.g., file block) request (e.g., read) Client COMP 790-088 -- Fall 2009 2 2

284 views • 9 slides
Model and Motivation Many-server queue buffer N Many-server Queues with Abandonment / Jiheng

Model and Motivation Many-server queue buffer N Many-server Queues with Abandonment / Jiheng

F LUID M ODELS OF M ANY - SERVER Q UEUES WITH A BANDONMENT Jiheng Zhang June 10, 2010 Background Stochastic Model Fluid Model Functional LLN Approximations Model and Motivation Many-server queue buffer N Many-server Queues with

789 views • 59 slides
Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light weight web server is Apache Tomcat server. You can get the server from http://tomcat.apache.org/ 2. Follow the installation directions and install the

199 views • 5 slides
Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light weight web server is Apache Tomcat server. You can get the server from http://tomcat.apache.org/ 2. Follow the installation directions and install the

81 views • 5 slides
Server algorithms and their design many ways that a client/server can be designed each different

Server algorithms and their design many ways that a client/server can be designed each different

slide 1 gaius Server algorithms and their design many ways that a client/server can be designed each different algorithm has various benefits and problems are able to classify these algorithms by looking at the various server differences the

400 views • 25 slides
CS 6453: Parameter Server Soumya Basu March 7, 2017 What is a Parameter Server? Server for

CS 6453: Parameter Server Soumya Basu March 7, 2017 What is a Parameter Server? Server for

CS 6453: Parameter Server Soumya Basu March 7, 2017 What is a Parameter Server? Server for large scale machine learning problems Machine learning tasks in a nutshell: Feature (1, 1, 1) Training Extraction (2, -1, 3) (5, 6, 7)

520 views • 21 slides
Server Upgrades 6/25/19 Agenda Existing Server Infrastructure Reasons for upgrading

Server Upgrades 6/25/19 Agenda Existing Server Infrastructure Reasons for upgrading

Revised 6/25/2019 Server Upgrades 6/25/19 Agenda Existing Server Infrastructure Reasons for upgrading Options & Budget Best Solution Server Upgrades 1 1 6/25/2019 Existing Server Infrastructure Server 1: Purchased

277 views • 10 slides
Scheduling Aperiodic and Sporadic Jobs Definitions Polling Server Deferrable Server

Scheduling Aperiodic and Sporadic Jobs Definitions Polling Server Deferrable Server

CPSC-663: Real-Time Systems Aperiodic and Sporadic Jobs Scheduling Aperiodic and Sporadic Jobs Definitions Polling Server Deferrable Server Sporadic Server Generalized Processor Sharing Constant Utilization Server

267 views • 23 slides
Micro Kernel Mach User Process File Server Mem Server Kernel Client-Server Good

Micro Kernel Mach User Process File Server Mem Server Kernel Client-Server Good

Operating System Introduction (Ch 1.1-1.8, 2.1-2.8) Topics What is an OS? OS History OS Concepts OS Structures 1 Lets Get Started! What are some OSes you know? Guess if you are not sure Pick an OS you know:

634 views • 18 slides
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What

Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What

Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as a server while talking with

365 views • 32 slides
OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
DB server limits (process/sessions) DB server limits (process/sessions) Carlos Fernando Gamboa,

DB server limits (process/sessions) DB server limits (process/sessions) Carlos Fernando Gamboa,

DB server limits (process/sessions) DB server limits (process/sessions) Carlos Fernando Gamboa, BNL Andrew Wong, TRIUMF WLCG Collaboration Workshop, CERN Geneva, April 2008. DB server limits (process/sessions) DB server limits

472 views • 21 slides
Table of Contents Java Server Faces 3/4 tier architecture MVC AWT Java Server Faces 3)

Table of Contents Java Server Faces 3/4 tier architecture MVC AWT Java Server Faces 3)

Table of Contents Java Server Faces 3/4 tier architecture MVC AWT Java Server Faces 3) JSF in Action Example: Hello Boss Install Java Server Faces Emmanuel Benoist Motivations Fall Term 2016-17 Navigation Command-Link and

361 views • 15 slides

More recommend