HP iLO 4 Auth Bypass Scanner (CVE_2017_12542)
The HP iLO 4 Auth Bypass Scanner tests target hosts for CVE-2017-12542, an authentication bypass in the HP iLO 4 management web interface (HTTPS on port 443). The exploit is remarkably simple: an HTTP GET to /rest/v1/AccountService/Accounts with a Connection header containing exactly 29 "A" characters overflows a fixed-size buffer in the iLO web server and overwrites the variable the server uses to track whether the request is authenticated. The request is then treated as authenticated and the server returns the full list of iLO user accounts without any credentials.
Each result row contains the target IP, the URL that was tested and an IS_VULNERABLE boolean.
A confirmed vulnerability gives an attacker complete unauthenticated control of the iLO management interface: enumerate the existing iLO accounts and add an administrator account through the same REST API, reset the host server, mount virtual media, install firmware, and ultimately control the bare-metal hardware. HP iLO 4 firmware versions prior to 2.53 are affected; 2.53 and later contain the fix.
Test responsibly
The probe only reads data, but it works by overflowing a buffer inside the iLO web server, and on some firmware revisions it leaves the authentication state crashed. Run it only against assets you are authorised to test, and avoid running it during change windows where iLO availability matters.
Discovery first
iLO 4 is normally exposed on port 443. Use portscan followed by httpheader or httpfinger to spot iLO interfaces before pointing this scanner at them.
Parameters
Normal Parameters
targets
Specifies the targets to scan. The scanner always probes port 443 over HTTPS.
A list of targets can be specified in the following formats:
- ID: ID of the target server from the targets window.
- IP: Single IP address (e.g., 192.168.1.1).
- CIDR: IP range in CIDR notation (e.g., 192.168.1.0/24).
- Hostname: Resolvable hostname.
- File: Path to a file containing targets (must be in OctoPwn's /browserefs/volatile directory). File lists need to be uploaded into OctoPwn and separated by newlines.
- Control word: Use all to scan all stored targets.
- Single Group: g:<groupname> (e.g., g:test1).
- Multiple Groups: g:<groupname1>,g:<groupname2> (e.g., g:test1,g:test2).
- Port Group: p:<port> (e.g., p:443).
- Port Group with Protocol: p:<port>/<protocol> (e.g., p:443/tcp).
Advanced Parameters
maxruntime
Specifies the maximum runtime per host (in seconds). Set to -1 to disable.
proxy
Specifies the proxy ID to use for the scan.
Enter the ID of the proxy to route the scan through. Proxies must be configured in the Proxy Window.
resultsfile
Specifies a file for saving the scan results.
The file will be saved in OctoPwn’s /browserefs/volatile directory.
showerrors
Determines whether errors encountered during the scan should be displayed.
timeout
Sets the timeout (in seconds) for each connection attempt.
triggerports
Ports which trigger an automated CVE-2017-12542 scan when discovered by other scanners. Pre-populated with 443/TCP.
workercount
Specifies the number of parallel workers for the scan.
wsnetreuse
Internal parameter. Do not modify.