SecurityTracker.com
SecurityTracker Archives
Category:   Application (Generic)  >   HP Web Jetadmin
Vendors:   HPE
HP Web Jetadmin ExecuteFile Function Lets Remote Users Execute Programs With Root/SYSTEM Privileges
SecurityTracker Alert ID:  1009960
SecurityTracker URL:  http://securitytracker.com/id/1009960
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 27 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via network
Exploit Included:  Yes  
Version(s): 6.2, 6.5, 7.0
Description:   Several vulnerabilities were reported in HP Web Jetadmin. In the most serious case, a remote user can gain root or SYSTEM level access on the target system.

FX of Phenoelit Group reported a whole series of flaws in version 6.5, some of which also apply to version 7.0.

It is reported that a remote user can connect to the target server and supply a URL followed by the period character '.' to view the source of the '.hts' scripts. A demonstration exploit URL is provided:

http://server:8000/plugins/hpjwja/script/devices_list.hts.

It is reported that pages generated by the '.hts' scripts disclose the installation path and the location of the 'framework.ini' file in a comment line. The 'framework.ini' file can be accessed by remote users and contains weakly encrypted passwords, the report said. A demonstration exploit URL is provided:

http://server:8000/plugins/framework/framework.ini

The encryption method allows a remote user to monitor encrypted passwords as they are transmitted over the network and then replay them at a later time to gain access to the system. A remote user can also modify the encrypted string value to cause the target service to hang.
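The password scheme itself is spelled out in section [4] of the source message quoted further down (an initialization vector, a 16-bit length field and data XORed with the top byte of successive states of a linear congruential generator). The following is an added illustration, not HP's or Phenoelit's code, of why that scheme gives no confidentiality and of the length-field check that would have prevented the hang described in section [7]. It assumes 32-bit wrap-around arithmetic for the generator state and UTF-16BE clear text (the advisory's "two-byte characters"); the two tokens are the ones quoted in the advisory, the password used for the round trip is constructed.

```python
"""
Added illustration (not HP's or Phenoelit's code) of the IV-seeded keystream
scheme from section [4] of the advisory, with the length-field validation
that closes the hang from section [7].
Assumptions: the generator state wraps at 32 bits (so `v >> 24` is its top
byte) and clear text is UTF-16BE.
"""

MASK32 = 0xFFFFFFFF
PAGE_SAMPLE = "6a206d14000a7c2bc3cd3358153cffb5"   # ciphertext quoted in section [4]
HANG_SAMPLE = "01010101FFFF02020202020202020202"   # length field 0xFFFF, section [7]


def keystream(iv, n):
    """Return n keystream bytes: the top byte of each successive state of the
    generator v = 31413*v + 13849, seeded with the IV from the token itself.
    No secret is involved, so anyone holding the token can regenerate it."""
    v = iv & MASK32
    out = bytearray()
    for _ in range(n):
        v = (31413 * v + 13849) & MASK32   # assumption: 32-bit wrap-around
        out.append(v >> 24)
    return bytes(out)


def encode(iv, text):
    """Build a token in the advisory's layout: IV (8 hex), length (4 hex), body."""
    data = text.encode("utf-16-be")
    if len(data) > 0xFFFF:
        raise ValueError("clear text too long for a 16-bit length field")
    body = bytes(p ^ k for p, k in zip(data, keystream(iv, len(data))))
    return "%08x%04x%s" % (iv & MASK32, len(data), body.hex())


def parse(token):
    """Split a token into (iv, declared_length, body) without trusting any of it."""
    if len(token) < 12 or len(token) % 2:
        raise ValueError("token too short or odd-length hex")
    return int(token[:8], 16), int(token[8:12], 16), bytes.fromhex(token[12:])


def decode(token):
    """Recover the clear text. The declared length is checked against the body
    actually present, so a token like HANG_SAMPLE is rejected up front instead
    of driving the XOR loop past the end of the data."""
    iv, declared, body = parse(token)
    if declared != len(body) or declared % 2:
        raise ValueError("length field %d does not match body of %d bytes"
                         % (declared, len(body)))
    clear = bytes(c ^ k for c, k in zip(body, keystream(iv, declared)))
    return clear.decode("utf-16-be")


def is_well_formed(token):
    """True only for tokens decode() accepts."""
    try:
        decode(token)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample password; the IV value is arbitrary since no key exists.
    token = encode(0x01234567, "S3cret!")
    print(token, "->", decode(token))
    print(PAGE_SAMPLE, "->", decode(PAGE_SAMPLE))
    print(HANG_SAMPLE, "well formed:", is_well_formed(HANG_SAMPLE))
```

Under these assumptions the advisory's own sample token decodes to a five-character string, which matches its "000a" length field (ten bytes, two per character). The point for defenders is that the IV is the only input to the keystream and travels with the ciphertext, so the transform is an encoding rather than encryption, and any token sniffed in transit is as good as the password. The `declared != len(body)` check is the input validation the service lacked.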

It is also reported that a remote user can submit a specially crafted HTTP POST request that does not include the 'Framework:CheckPassword;' element in the 'obj' variable to cause the system to accept the POST command without authentication. These POST requests can be used by a remote user to access internal functions.

The report indicates that a remote user can submit a specially crafted POST request to write user-controlled data to the 'cache.ini' file.

Finally, a remote user can reportedly call the 'ExecuteFile' function to execute existing programs on the target system, usually with root or SYSTEM level privileges. Combined with the ability to write arbitrary content to the 'cache.ini' file, a remote user can then execute arbitrary code on the target system, the report said.

A demonstration exploit example for the root/SYSTEM exploit for version 6.5 is available at:

http://www.phenoelit.de/hp/JetRoot_pl.txt

The vendor was reportedly notified on October 28, 2002.

Impact:   A remote user can write arbitrary content to a file on the target system.

A remote user can execute arbitrary programs on the target system, usually with root or SYSTEM level privileges.

A remote user can determine the installation path.

A remote user can obtain encrypted user passwords and can decrypt them.

A remote user can replay encrypted passwords to gain access to the system.

A remote user can submit certain commands without authenticating.

A remote user can access certain internal functions.

Solution:   No solution was available at the time of this entry.
Vendor URL:  h10010.www1.hp.com/wwpc-JAVA/offweb/vac/us/en/en/network_software/wja_overview.html
Cause:   Access control error, Authentication error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 30 2004 (Vendor Issues Fix) HP Web Jetadmin ExecuteFile Function Lets Remote Users Execute Programs With Root/SYSTEM Privileges
A fixed version is available.



 Source Message Contents

Subject:  Re: HP Web JetAdmin vulnerabilities.


Just a few more for HP Web JetAdmin 6.5 - I'm tired of waiting for HP and 
since the current version is way past 6.5, there is no point in hiding it 
any more :)

---[SNIP]---

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-+>

[ Title ]
	Multiple vulnerabilities in HP Web JetAdmin

[ Authors ]
	FX		<fx@phenoelit.de>

	Phenoelit Group	(http://www.phenoelit.de)
	Advisory	http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt

[ Affected Products ]
	Hewlett Packard (HP)  
			Web JetAdmin 6.5 on any platform

	Partially affected:
			Web JetAdmin 7.0 on any platform
			Web JetAdmin <=6.2 on any platform

	HP Bug ID:	SSRT2397
	CERT VU ID:	VU#606673

[ Vendor communication ]
        10/28/02        Initial Notification, security-alert@hp.com
                        *Note-Initial notification by Phenoelit
                        includes a CC: to cert@cert.org by default

        From there on, communication went back and forth, while the major 
	version went up and only a subset of the bugs was fixed.

[ Overview ]
	HP Web JetAdmin is an enterprise management system for large amounts
	of HP printers, print servers and their respective print queues. The
	service provides a web interface for administration, by default
	listening on port 8000. The web server (HP-Web-Server-3.00.1696) is a
	modular service supporting plugins and using .hts and .inc files for
	creation of active content.

	From the readme_en.txt file:
	 ''HP Web JetAdmin contains support for all HP JetDirect-connected
	   printers and plotters. This product allows users to manage HP
	   JetDirect-connected printers within their intranet using a
	   browser. In addition to this, HP Web JetAdmin has the ability
	   to discover and manage any non-HP printer that implements the
	   standard printer MIB (RFC 1759). If a peripheral includes an
	   embedded web server, HP Web JetAdmin provides a link to the
	   home page of the peripheral.''
	
	NOTE: (Historic, see initial date!)
	      Despite the fact that the HP web site still advertises it as
	      6.5, the Web JetAdmin you can currently download is 7.0. This
	      one features an Apache core and several improvements, including
	      SSL support with a vulnerable version of OpenSSL (0.9.6c).
	      Password decryption and direct calls of functions are still
	      possible, but some of the exploited functions are no longer
	      existing. 

[ Description ]
	Multiple vulnerabilities exist in the product. A short summary is
	outlined below:
	1  - Source disclosure of HTS and INC files
	2  - Real path disclosure of critical files
	3  - Critical files accessible through web server
	4  - User and Administrator password disclosure and decryption
	5  - User and Administrator password replay 
	6  - Root/Administrator password disclosure 
	7  - Denial of Service of the server due to input validation failure
	8  - Authentication circumvention on all functions
	9  - Direct access to methods of the server core and the plugins via
	     the HTTP Protocol
	10 - Input validation failure for strings written to files
	11 - Root/Administrator compromise due to all of the above
	12 - Hidden games (easter egg) in the application

[ Vulnerability details ]
	[ 1 ]
	The web server will disclose the contents of the scripts, if a dot (.)
	is added to the end of the request URL.
	Example:
	http://server:8000/plugins/hpjwja/script/devices_list.hts.

	[ 2 ]
	Any page that is generated by the .HTS scripts will include an HTML
	comment line with the location of the file framework.ini, which holds
	several critical entries. 
	Example:
	<!-- framework.ini F:\Program Files\HP Web JetAdmin\doc\plugins\framework\framework.ini -->

	[ 3 ]
	The file framework.ini is located inside the web root directory. Any
	unauthenticated user can access it. This file contains the encrypted
	(see below) passwords for all users, permissions for the respective
	users and other valuable information.
	Example:
	http://server:8000/plugins/framework/framework.ini

	[ 4 ] 
	HP Web JetAdmin uses its own encryption. Passwords are encrypted on
	the client side by a Java applet before being sent to the server. The
	encryption is easily broken and reversible. 
	An encrypted username or password is transmitted and stored in the
	ASCII representation of hexadecimal numbers. Such a ciphertext looks
	like 6a206d14000a7c2bc3cd3358153cffb5. This string has three elements:
	- 6a206d14 is the initialization vector for the algorithm
	- 000a is the length of the encrypted data (and double the length of 
	  the clear text)
	- 7c2bc3cd3358153cffb5 is the actual encrypted data

	Encryption and decryption are performed by initializing a random
	number generator with the IV supplied in the string and performing an
	XOR operation with the encrypted data and the upper 8 bits of the 
	subsequently calculated random numbers. The following pseudo-code will
	be run:
	
	long v = IV;                          /* seed: first element of the string   */
	for(int i=0;i<strlen(code);i++){      /* code[]: hex-decoded third element   */
		v = 31413L * v + 13849L & -1L;    /* linear congruential generator step  */
		code[i]=code[i]^(char)(v >> 24);  /* XOR with the state's upper 8 bits   */
	}

	As the result, the clear text will be in code[] as two-byte
	characters.
	
	[ 5 ]
	Because of the static nature of the encryption broken in point 4, an
	attacker can use password strings sniffed off the network and use them
	in self-made HTTP requests to the service. This is commonly referred to
	as a replay attack. 

	[ 6 ]
	When using services the host system provides only to administrative
	users (Administrator on Windows, root on UNIX), the web interface will
	require the user to enter the account data for this account. The
	entered username, password and (for Windows) the domain name are
	encrypted with the algorithm discussed in 4. Therefore, an attacker
	can sniff the strings off the network and decrypt the account
	information.

	[ 7 ]
	By modifying the "encrypted" string, an attacker can cause the service
	to lock up. As discussed in point 4, the second element in the string
	represents the length of the encrypted data. By replacing it with
	0xFFFF, the decryption function loops through the string until the
	index reaches -1, which never happened during tests and resulted in a
	completely frozen service.
	Example: 01010101FFFF02020202020202020202.

	[ 8 ]
	Access to the functionality of Web JetAdmin is usually done via HTTP
	POST requests. One of the variables always present is "obj". A typical
	request contains:
	obj=Framework:CheckPassword;Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)
	By leaving out the element "Framework:CheckPassword;", HP Web JetAdmin
	will no longer validate the supplied password and immediately grant
	access to the function specified. 
	Example: 
	obj=Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)

	[ 9 ]
	The "obj" variable discussed in 8 is actually used to call functions
	in the server core or any plugin. The server core and the plugins
	export functions to be used via HTTP. Therefore, an attacker can craft
	HTTP POST requests to use internal functions. Additionally, use of
	variables and grouping of function calls are possible. One can
	actually write little programs and submit them to the server for
	execution. Most of the functions deal with internal data structures
	and files of HP Web JetAdmin.
	Example: see 8

	[ 10 ]
	HP Web JetAdmin uses a file called "cache.ini" outside of the web
	root. This file will contain session settings for a specific session.
	The session is identified by a variable called __BrowserID submitted
	in every HTTP request of the session. The format of cache.ini is:
	---SNIP--
	[1234]
	Variable=Value
	NextVariable=NextValue

	[5678]
	...
	---SNIP--
	where 1234 and 5678 are the browser ID values. An attacker can
	influence the Variable=Value pairs through the call interface
	described in 9. By calling
	obj=Httpd:VarCacheSet(FX,MemberOfPhenoelit)&__BrowserID=0
	the following cache entry is created:
	[0]
	FX=MemberOfPhenoelit

	It is also possible to inject multiple lines at the beginning of the
	file by including HTTP encoded linefeed characters in the __BrowserID
	variable:
	&__BrowserID=%0aTest%20123%0a
	will create the following entry:
	[
	Test 123
	]

	[ 11 ]
	The Httpd core supports an exported function called "ExecuteFile".
	This function takes two or more parameters. The first one is the path
	where the file is located (leave blank for use of $PATH or %PATH%) and
	the second is the executable itself. Combined with the ability to
	write arbitrary content to a file in a known location (see 10,
	location known due to 2), an attacker can easily start a program of
	his choice. Since the service usually runs as root on UNIX or as
	SYSTEM on Windows, this gives full remote access to the server. 
	Example: see Example section below

	[ 12 ]
	The security issues described above are not the result of a lack of
	time in the development department. This is proven by the fact that
	HP Web Jetadmin is delivered including two games.
	A text based adventure game is available on the URI:
	/plugins/hpjwja/script/special.hts?waycool=notyou
	The HTS file special2.hts features a hangman game and a list of
	developers. 
	Hint: When playing the text adventure, throw the cat toy around to
	keep the bad kitty busy.

[ Example ]

	The root/SYSTEM exploit for 6.5 (NOT 7.0) can be found at:
	http://www.phenoelit.de/hp/JetRoot_pl.txt

[ Solution ]
	None known at this time. HP Web JetAdmin 7.0 fixes some of the
	problems - namely removed the ExecuteFile function - but most of the
	issues and the games are still there.

[ end of file ]

-- 
         FX           <fx@phenoelit.de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
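Several of the issues in the advisory above have a recognisable shape on the wire: a script URL with a trailing dot (section [1]), a fetch of framework.ini from the web root ([3]), an "obj" call lacking the "Framework:CheckPassword;" element ([8]), a "__BrowserID" that is not a plain number ([10]) and any call to "ExecuteFile" ([11]). The following is an added example, not part of the advisory or of HP Web JetAdmin, of checking request logs for those shapes. The one-line-per-request log format, the script path example.hts and the PLACEHOLDER arguments in the last sample line are constructed.

```python
"""
Added example, not part of the advisory or of HP Web JetAdmin: flag request
shapes matching sections [1], [3], [8], [10] and [11] in a constructed
one-line-per-request log ("METHOD target body", with "-" for an empty body).
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample traffic. Lines 1-3 are ordinary use; the rest mirror the
# request shapes the advisory describes. The script path example.hts and the
# PLACEHOLDER arguments are invented, not taken from the product.
SAMPLE_LOG = """\
GET /plugins/hpjwja/script/devices_list.hts -
POST /plugins/framework/script/example.hts obj=Framework:CheckPassword;Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)&__BrowserID=1234
GET /plugins/hpjwja/script/special.hts?waycool=notyou -
GET /plugins/hpjwja/script/devices_list.hts. -
GET /plugins/framework/framework.ini -
POST /plugins/framework/script/example.hts obj=Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)&__BrowserID=1234
POST /plugins/framework/script/example.hts obj=Httpd:VarCacheSet(FX,MemberOfPhenoelit)&__BrowserID=0
POST /plugins/framework/script/example.hts obj=Framework:CheckPassword;Httpd:VarCacheSet(a,b)&__BrowserID=%0aTest%20123%0a
POST /plugins/framework/script/example.hts obj=Httpd:ExecuteFile(PLACEHOLDER_PATH,PLACEHOLDER_PROGRAM)&__BrowserID=1234
"""

# A script request whose path ends in ".hts." or ".inc." (section [1]).
TRAILING_DOT = re.compile(r"\.(hts|inc)\.$", re.IGNORECASE)


def split_params(encoded):
    """Split a query or body on '&' only (never on ';', which is part of the
    obj call syntax) and percent-decode keys and values."""
    params = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def inspect_request(method, target, body):
    """Return the list of findings for one request; an empty list means clean."""
    findings = []
    url = urlsplit(target)
    if TRAILING_DOT.search(url.path):
        findings.append("[1] trailing dot requests script source")
    if url.path.lower().endswith("/plugins/framework/framework.ini"):
        findings.append("[3] framework.ini fetched from web root")
    params = split_params(body if method == "POST" and body != "-" else url.query)
    for obj in params.get("obj", []):
        if "Framework:CheckPassword;" not in obj:
            findings.append("[8] obj call without Framework:CheckPassword;")
        if "VarCacheSet" in obj:
            findings.append("[10] VarCacheSet writes caller-chosen text to cache.ini")
        if "ExecuteFile" in obj:
            findings.append("[11] ExecuteFile invoked over HTTP")
    for browser_id in params.get("__BrowserID", []):
        if not browser_id.isdigit():
            findings.append("[10] non-numeric __BrowserID (cache.ini line injection)")
    return findings


def scan_log(text):
    """Return [(line_number, findings)] for every line with at least one finding."""
    flagged = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue
        findings = inspect_request(*fields)
        if findings:
            flagged.append((number, findings))
    return flagged


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, "; ".join(findings)))
```

The parameter splitter deliberately does not split on ";" because the "obj" value uses it to separate calls; a generic query parser that treats ";" as a separator would break "Framework:CheckPassword;Httpd:SetProfile(...)" in two and hide exactly the element whose absence matters for section [8]. Such a check only reduces exposure while the service is reachable; the follow-up entry above records that a fixed version became available.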

Copyright 2019, SecurityGlobal.net LLC