Re: HP Web JetAdmin vulnerabilities.

[Samuel Walker <jackwalker () nc rr com>]

In-Reply-To: <20040427094201.GA492 () echelon cluster phenoelit de>

Hi there BugTraq,
 Your article about the vulnerabilities of HP WebJetAdmin caught my attention as I use HP WebJetAdmin 7.5 to manage 
about 30 network printers. It is a great tool. However, though I have not investigated all the issues that you reported 
to be vulnerable to Hp WebJetAdmin 6.5 and 7.x, I did check on the 'hidden game' thing that your mentioned. There two 
caveats that I would like to state first though, that may be different from the installation that you are working with. 
First, when I installed HP JetAdmin 6.5 and then later upgraded to 7.2 and then to 7.5, choosed to enable on the https 
version of HP WebJetAdmin on the ssl port, and integrated the securities with my desktop securities. 
Second, I only run (enable the service) when I need to as when I periodically check the status of the printers or when 
I need to configure the settings or securities of a new printer. After, that I turn the service back off and have it 
set for manual starting. I have this to be means of safeguarding my system even with the vulnerabilities that you 
mentioned. 

Again, I have not verified the weaknesses that you mentioned yet, but I did try to located the hidden game ( 
special.hts) file that you listed. Apparently, because of the way that I have things setup using SSL and intergrated 
windows login authentication, my installation does not have this file that your mentioned. I checked my install 
directory for this application, and I did not find a special.hts file. I found other special_*.hts files but when I 
view these files in notepad these appear to be scripts for converting the older printer objects from previous 
installation of hp jetadmin to the newer styles and objects in 7.5. No apparent hidden games here. Granted your post 
refers to 6.5 and 7.0 versions, so maybe before I installed 7.5 these did exist. Come to think about it, as I recall, 
during my upgrade to 7.5, I actually had to remove my older versions completely in order to install the new version 7.5 
without any problems. 7.5 was able to retain my original custom setting
 s and filters and thus merge these into 7.5, but maybe removing the older version first assisted with getting rid of 
some of the plugin files that caused some of the weakness. 

Have you tried HP Jet Admin 7.5 yet? If so, how does it compare to the list of vulnerabilities that you mentioned? 
Also, I know that it is sometimes hard to find what you need through HP Download and support site. At the time that I 
upgrading to 7.5, it took me forever to find all the add-on updates that I needed. Even the Support Center kept 
redirecting me to 6.5 and 7.2 version help documentation. Eventually though I found the 7.5 upgrade installer and 
companion files and was able to update my installation. 

Happy Bug Hunting.
SJW 

> Received: (qmail 12371 invoked from network); 27 Apr 2004 16:18:29 -0000
> Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 27 Apr 2004 16:18:29 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id BA4B7143829; Tue, 27 Apr 2004 18:14:23 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 14057 invoked from network); 27 Apr 2004 03:32:24 -0000
> Date: Tue, 27 Apr 2004 11:42:01 +0200
> From: FX <fx () phenoelit de>
> To: bugtraq () securityfocus com
> Cc: sflist () digitaloffense net
> Subject: Re: HP Web JetAdmin vulnerabilities.
> Message-ID: <20040427094201.GA492 () echelon cluster phenoelit de>
> Mail-Followup-To: bugtraq () securityfocus com,
>       sflist () digitaloffense net
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Organization: Phenoelit (http://www.phenoelit.de/)
> X-Operating-System: Robotron Z9001
> X-Mailer: socket()
>
> Just a few more for HP Web JetAdmin 6.5 - I'm tired of waiting for HP and 
> since the current version is way past 6.5, there is no point in hiding it 
> any more :)
>
> ---[SNIP]---
>
> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++-+>
>
> [ Title ]
>       Multiple vulnerabilities in HP Web JetAdmin
>
> [ Authors ]
>       FX              <fx () phenoelit de>
>
>       Phenoelit Group (http://www.phenoelit.de)
>       Advisroy        http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt
>
> [ Affected Products ]
>       Hewlett Packard (HP)  
>                       Web JetAdmin 6.5 on any platform
>
>       Partially affected:
>                       Web JetAdmin 7.0 on any platform
>                       Web JetAdmin <=6.2 on any platform
>
>       HP Bug ID:      SSRT2397
>       CERT VU ID:     VU#606673
>
> [ Vendor communication ]
>        10/28/02        Initial Notification, security-alert () hp com
>                        *Note-Initial notification by Phenoelit
>                        includes a CC: to cert () cert org by default
>
>        From there on, communication went back and forth, while the major 
>       version went up and only a subset of the bugs was fixed.
>
> [ Overview ]
>       HP Web JetAdmin is an enterprise management system for large amounts
>       of HP printers, print servers and their respective print queues. The
>       service provides a web interface for administration, by default
>       listening on port 8000. The web server (HP-Web-Server-3.00.1696) is a
>       modular service supporting plugins and using .hts and .inc files for
>       creation of active content.
>
>       From the readme_en.txt file:
>        ''HP Web JetAdmin contains support for all HP JetDirect-connected
>          printers and plotters. This product allows users to manage HP
>          JetDirect-connected printers within their intranet using a
>          browser. In addition to this, HP Web JetAdmin has the ability
>          to discover and manage any non-HP printer that implements the
>          standard printer MIB (RFC 1759). If a peripheral includes an
>          embedded web server, HP Web JetAdmin provides a link to the
>          home page of the peripheral.''
>       
>       NOTE: (Historic, see initial date!)
>             Despite the fact that the HP web site still advertises it as
>             6.5, the Web JetAdmin you can currently download is 7.0. This
>             one features an Apache core and several improvements, including
>             SSL support with a vulnerable version of OpenSSL (0.9.6c).
>             Password decryption and direct calls of functions are still
>             possible, but some of the exploited functions are no longer
>             existing. 
>
> [ Description ]
>       Multiple vulnerabilities exist in the product. A short summary is
>       outlined below:
>       1  - Source disclosure of HTS and INC files
>       2  - Real path disclosure of critical files
>       3  - Critical files accessible through web server
>       4  - User and Administrator password disclosure and decryption
>       5  - User and Administrator password replay 
>       6  - Root/Administrator password disclosure 
>       7  - Denial of Service of the server due to input validation failure
>       8  - Authentication circumvention on all functions
>       9  - Direct access to methods of the server core and the plugins via
>            the HTTP Protocol
>       10 - Input validation failure for strings written to files
>       11 - Root/Administrator compromise due to all of the above
>       12 - Hidden games (easter egg) in the application
>
> [ Vulnerability details ]
>       [ 1 ]
>       The web server will disclose the contents of the scripts, if a dot (.)
>       is added to the end of the request URL.
>       Example:
>       http://server:8000/plugins/hpjwja/script/devices_list.hts.
>
>       [ 2 ]
>       Any page that is generated by the .HTS scripts will include a HTML
>       comment line with the location of the file framework.ini, which holds
>       several critical entries. 
>       Example:
>       <!-- framework.ini F:\Program Files\HP Web JetAdmin\doc\plugins\framework\framework.ini -->
>
>       [ 3 ]
>       The file framework.ini is located inside the web root directory. Any
>       unauthenticated user can access it. This file contains the encrypted
>       (see below) passwords for all users, permissions for the respective
>       users and other valuable information.
>       Example:
>       http://server:8000/plugins/framework/framework.ini
>
>       [ 4 ] 
>       HP Web JetAdmin uses it's own encryption. Passwords will be encrypted
>       on client side before send to the server using a Java applet. The
>       encryption is easily broken and reversible. 
>       An encrypted username or password is transmitted and stored in the
>       ASCII representation of hexadecimal numbers. Such a ciphertext looks
>       like 6a206d14000a7c2bc3cd3358153cffb5. This string has three elements:
>       - 6a206d14 is the initialization vector for the algorithm
>       - 000a is the length of the encrypted data (and double the length of 
>         the clear text)
>       - 7c2bc3cd3358153cffb5 is the actual encrypted data
>
>       Encryption and decryption are performed by initializing a random
>       number generator with the IV supplied in the string and performing an
>       XOR operation with the encrypted data and the upper 8 bits of the 
>       subsequently calculated random numbers. The following pseudo-code will
>       be run:
>       
>       long v = IV;
>       for(int i=0;i<strlen(code);i++){
>               v = 31413L * v + 13849L & -1L;
>               code[i]=code[i]^(char)(v >> 24);
>       }
>
>       As the result, the clear text will be in code[] as two-byte
>       characters.
>       
>       [ 5 ]
>       Because of the static nature of the encryption broken in point 4, an
>       attacker can use password strings sniffed off the network and use them
>       in selfmade HTTP requests to the service. This is commonly referred to
>       as replay attack. 
>
>       [ 6 ]
>       When using services the host system provides only to administrative
>       users (Administrator on Windows, root on UNIX), the web interface will
>       require the user to enter the account data for this account. The
>       entered username, password and (for Windows) the domain name are
>       encrypted with the algorithm discussed in 4. Therefore, an attacker
>       can sniff the strings off the network and decrypt the account
>       information.
>
>       [ 7 ]
>       By modifying the "encrypted" string, an attacker can cause the service
>       to lock up. As discussed in point 4, the second element in the string
>       represents the length of the encrypted data. By replacing it with
>       0xFFFF, the decryption function loops through the string until the
>       index reaches -1, which never happend during tests and resulted in a
>       completely frozen service.
>       Example: 01010101FFFF02020202020202020202.
>
>       [ 8 ]
>       Access to the functionality of Web JetAdmin is usually done via HTTP
>       POST requests. One of the variables always present is "obj". A typical
>       request contains:
>       obj=Framework:CheckPassword;Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)
>       By leaving out the element "Framework:CheckPassword;", HP Web JetAdmin
>       will no longer validate the supplied password and immediately grant
>       access to the function specified. 
>       Example: 
>       obj=Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)
>
>       [ 9 ]
>       The "obj" variable discussed in 8 is actually used to call functions
>       in the server core or any plugin. The server core and the plugins
>       export functions to be used via HTTP. Therefore, an attacker can craft
>       HTTP POST requests to use internal functions. Additionally, use of
>       variables and grouping of function calls are possible. One can
>       actually write little programs and submit them to the server for
>       execution. Most of the functions deal with internal data structures
>       and files of HP Web JetAdmin.
>       Example: see 8
>
>       [ 10 ]
>       HP Web JetAdmin uses a file called "cache.ini" outside of the web
>       root. This file will contain session settings for a specific session.
>       The session is identified by a variable called __BrowserID submitted
>       in every HTTP request of the session. The format of cache.ini is:
>       ---SNIP--
>       [1234]
>       Variable=Value
>       NextVariable=NextValue
>
>       [5678]
>       ...
>       ---SNIP--
>       where 1234 and 5678 are the browser ID values. An attacker can
>       influence the Variable=Value pairs through the call interface
>       described in 9. By calling
>       obj=Httpd:VarCacheSet(FX,MemberOfPhenoelit)&__BrowserID=0
>       the following cache entry is created:
>       [0]
>       FX=MemberOfPhenoelit
>
>       It is also possible to inject multiple lines at the beginning of the
>       file by including HTTP encoded linefeed characters in the __BrowserID
>       variable:
>       &__BrowserID=%0aTest%20123%0a
>       will create the following entry:
>       [
>       Test 123
>       ]
>
>       [ 11 ]
>       The Httpd core supports an exported function called "ExecuteFile".
>       This function takes two or more parameters. The first one is the path
>       where the file is located (leave blank for use of $PATH or %PATH%) and
>       the second is the executable itself. Combined with the ability to
>       write arbitrary content to a file in a known location (see 10,
>       location known due to 2), an attacker can easily start a program o