Backdooring your server through its BMC: the HPE iLO4 case (PowerPoint PPT Presentation)



  1. Backdooring your server through its BMC: the HPE iLO4 case. Fabien Périgaud, Alexandre Gazet & Joffrey Czarny. Rennes, June 13-15, 2018

  2. Outline: Introduction, Previous works, Firmware security, A firmware backdoor, Conclusion

  3. HP Integrated Lights-Out (iLO)
  • Baseboard Management Controller (BMC) embedded in most HP servers for more than 10 years.
  Figure 1: Directly integrated on the server's motherboard.
  This talk only concerns iLO version 4 (the latest version until mid-2017), found on the HP ProLiant Gen8 and Gen9 generations. Analyses were more specifically performed on versions 2.44 and 2.50 of iLO4.

  4. Hardware level (1/2)
  Standalone system:
  • Dedicated ARM processor: GLP/Sabine architecture
  • Firmware stored on a NAND flash chip
  • Dedicated RAM chip
  • Dedicated network interface
  • Full operating system and application image, running as soon as the server is powered.

  5. Hardware level (2/2): iLO is directly connected to the PCI-Express bus.

  6. Theory. Source: Managing HP servers through firewalls with Insight Software [1]
  [1] ftp://ftp.hp.com/pub/c-products/servers/management/hpsim/hpsim-53-managing-firewalls.pdf

  7. Practice

  8. Outline: Introduction, Previous works, Firmware security, A firmware backdoor, Conclusion

  9. Previous works - Demo

  10. Methodology
  • Firmware update file format analysis
  • Extraction of its components: bootloader, kernel, userland image, signatures, etc.
  • Kernel integrity analysis
  • Understanding of the memory layout of the userland modules (equivalent of processes)
  • Analysis of the web administration interface
  • Total time of the study: approximately 5 man-months
  Publication and tooling
  • https://github.com/airbus-seclab/ilo4_toolbox
  • https://recon.cx/2018/brussels/talks/subvert_server_bmc.html

  11. Achievements
  One critical vulnerability identified
  • CVE-2017-12542, CVSSv3 9.8
  • Authentication bypass and remote code execution
  • Fixed in iLO 4 version 2.53 (buggy) and 2.54
  Full server compromise
  • Arbitrary code execution in the context of the web server
  • iLO to host attack

  12. Explanation
  Vulnerability located in the web server
  • Handling of HTTP line by line
  • Many uses of C string manipulation functions: strstr(), strcmp(), sscanf()
  • Handling strings in C is complex and error-prone

  13. How to properly use sscanf()?

    else if ( !strnicmp(request, http_header, "Content-length:", 0xFu) )
    {
        content_length = 0;
        sscanf(http_header, "%*s %d", &content_length);
        state_set_content_length(global_struct_, content_length);
    }
    else if ( !strnicmp(request, http_header, "Authorization:", 0xEu) )
    {
        sscanf(http_header, "%*s %15s %16383s", method, encoded_credentials);
        handle_authorization_credentials(method, encoded_credentials);
    }
    else if ( !strnicmp(request, http_header, "Connection:", 0xBu) )
    {
        sscanf(http_header, "%*s %s", https_connection->connection);
    }

  14. Buffer overflow
  The vulnerability allows to overflow the connection buffer of an https_connection object.

    struct https_connection {
        ...
        0x0C: char connection[0x10];
        ...
        0x28: char localConnection;
        ...
        0xB8: void *vtable;
    }

  • Web server working buffer at a fixed address
  • No NX, no ASLR
  • Overwriting the boolean localConnection: bypass of the REST API authentication
  • Overwriting the vtable pointer: arbitrary code execution
  Double cheese! :)
    curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
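Hardened counterpart of the "%*s %s" call on slide 13, added here as an illustration and not taken from the talk or from HPE's firmware: the sscanf() width is tied to the field size and a truncated value is reported instead of silently spilling into localConnection and the vtable. The struct padding (chosen only to reproduce the offsets quoted on the slide), the sentinel vtable value and the header strings are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Mirrors the https_connection offsets from the slide: connection[0x10] at
   0x0C, localConnection at 0x28, vtable at 0xB8. The padding arrays are an
   assumption made only to reproduce those offsets. */
struct https_connection {
    uint8_t  pad0[0x0C];
    char     connection[0x10];      /* 0x0C: value of the Connection: header */
    uint8_t  pad1[0x28 - 0x1C];
    char     localConnection;       /* 0x28: REST API authentication flag */
    uint8_t  pad2[0xB8 - 0x29];
    void    *vtable;                /* 0xB8: object vtable pointer */
};
/* Hardened version of the slide's "%*s %s" parse: width 15 equals
   sizeof(connection) - 1, so sscanf() writes at most 15 characters plus the
   NUL and can never reach localConnection or vtable. %n records how far the
   parse got so a truncated value is detected. Returns 1 when the value was
   stored whole, 0 when it was truncated or the header carried no value. */
int parse_connection_header(struct https_connection *c, const char *http_header)
{
    int consumed = 0;
    if (sscanf(http_header, "%*s %15s%n", c->connection, &consumed) != 1)
        return 0;
    char next = http_header[consumed];   /* first character not consumed */
    return next == '\0' || next == ' ' || next == '\r' || next == '\n';
}
/* Parse one constructed header into a zeroed object carrying a sentinel
   vtable and report whether the fields beyond the buffer stayed untouched. */
int neighbours_intact(const char *http_header)
{
    struct https_connection c;
    memset(&c, 0, sizeof c);
    c.vtable = (void *)0x41414141;      /* sentinel, not a real address */
    parse_connection_header(&c, http_header);
    return c.localConnection == 0 && c.vtable == (void *)0x41414141
        && strlen(c.connection) < sizeof c.connection;
}
int main(void)
{
    /* Constructed inputs: the 29-byte value from the slide and a normal one. */
    const char *overlong = "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
    const char *normal   = "Connection: keep-alive\r\n";
    printf("overlong intact=%d  normal intact=%d\n",
           neighbours_intact(overlong), neighbours_intact(normal));
    return 0;
}
```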



  17. How-to DMA: CHIF module
  Analysis of a module: CHIF (Channel Interface)
  Feature analysis
  • Ability to read WHEA information from the host OS
  • Direct (read) access to the host memory
  • 16MB of the host memory can be mapped into the iLO memory using an unknown PCI register
  • Writing to this mapped memory also impacts the host memory
  • Re-implement this mechanism in a shellcode executed in the context of the iLO WWW server

  18. Outline: Introduction, Previous works, Firmware security, A firmware backdoor, Conclusion

  19. Battle plan
  Current status
  • Full platform compromise
  • Arbitrary code execution on the iLO and the host
  • RW primitives to the host memory from the iLO
  Our objective
  • Persistent compromise
  • Survive host re-installation
  • Stealthiness
  Idea: iLO firmware backdooring

  20. Firmware update
  • Update mechanisms:
    • Dedicated interface from the web administration panel
    • From the host, using a dedicated binary
  • Firmware updates are signed
  • Integrity checked at two distinct times:
    • Dynamically, during the update process, by the currently running iLO
    • At boot-time, with no hardware root of trust though

  21. Bypass of the update mechanism
  • Modules can expose services
  • These services can be instantiated as objects
  SPI service
  • "SpiService" in the spi module
  • Direct R/W primitives into the SPI flash
  Attack
  • Invoke the "SpiService" from a shellcode injected into the WWW server
  • Direct overwrite of the firmware in the flash
  • Bypass of the dynamic integrity check of the firmware

  22. Attack scheme
  At this point, a rogue firmware is written in the flash.
  (Diagram: HTTP request → Web server → SpiService → SPI module, all inside iLO 4.)

  23. iLO4 bootchain
  (Diagram, bottom to top:)
  HW reset
  → bootloader: 1. check integrity, 2. decompress, 3. load (kernel)
  → kernel: 1. check integrity, 2. decompress, 3. load (userland)
  → userland
  → system boot-time

  24-27. The up-coming compromise
  Methodology
  • Full extraction of the firmware update
  • Patch of the bootloader
  • Patch of the kernel
  • Addition of a backdoor
  • Rebuild the firmware update
  • Flash of the firmware update
  (Diagram: the iLO4 bootchain of slide 23, hardware reset → bootloader → kernel → userland, shown alongside the methodology steps.)

  28. Outline: Introduction, Previous works, Firmware security, A firmware backdoor, Conclusion

  29. Target
  WWW server
  • Frequently exposed
  • Large binary
  • High-level network/HTTP communication primitives
  • Ability to access the host memory through DMA (demonstrated)

  30. How to insert the backdoor?
  The WWW server handles many pages, like
  • /html/help.html
  • /dbug.html
  • /html/info_blade.html
  • /html/admin_manage.html
  Internally represented by structures, with a dedicated pointer for each supported HTTP method (GET, POST, PUT, DELETE, HEAD).

  31. How to insert the backdoor? (2)
  • Insert code in an unused space of the WWW server binary
  • Hijack pointers (GET and POST) from a page handler to point to our code

  32. Backdoor architecture: we want a bidirectional channel between the iLO and the Linux host, through the DMA link.

  33. Web server implant
  Code injection
  • Insert code in unused space of the binary: content of a downloadable PE file
  • Overwrite the GET request handler
  Features
  • R/W primitive in the host physical memory
  • Re-use web server functions to parse/handle requests

  34. Linux kernel implant
  Specifications
  • Allocate physical memory for the communication channel
  • Create a new kernel thread
  • Retrieve and execute commands
  • Retrieve commands output
  Kernel API
  • Physical memory allocation: kmalloc() / virt_to_phys()
  • Create a new kernel thread: kthread_create_on_node() / wake_up_process()
  • Run commands: call_usermodehelper()
  • Retrieve their output: redirection into a temp file, then kernel_read_file_from_path()
