[Snort-sigs] New Sid: MISC HP Web JetAdmin ExecuteFile admin access

Thomas Alex talex at ...2704...
Wed Aug 4 13:37:40 EDT 2004

After a cursory look in the sids db and mailing list archives, I don't 
believe this one's in existence yet (or maybe I've missed it). Perhaps 
you've considered it in the past and it wasn't deemed worthy of a unique 
sid? I thought it might be as other HP Web JetAdmin sids (2547, 2548, 
and 2549) already exist. I've successfully tested this signature by 
exploiting an HP WebJetAdmin v6.5 running on a Win2k Pro platform. I 
suspect the Linux exploit would trigger the signature as well.

This is my first time submitting one of these so I hope I have the 
correct information (as per the required template). Please note that I 
have kept some of the similar text in sids 2547, 2548, and 2548 to 
maintain some consistency. Lemme know if you have any 
questions...Thanks, Tom

MISC HP Web JetAdmin ExecuteFile admin access
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:????; rev:1;)

This event is generated when an attempt is made to exploit a vulnerability
associated with an HP WebJetAdmin web server.
A successful attack may allow the execution of arbitrary code as root on 
UNIX and SYSTEM on Windows on a vulnerable server.
Detailed Information:
The HP Web JetAdmin application allows users to manage HP 
JetDirect-connected printers within their intranet using a browser. The 
httpd core supports an exported function called ExecuteFile. A 
vulnerability exists that allows the uploading and execution of 
unauthorized files by posting a malicious HTTP request with the script 
/plugins/framework/script/content.hts in conjunction with the ExecuteFile 
function to the web server. Discovery of the vulnerability is credited 
to FX of Phenoelit < 
Affected Systems:
HP Web JetAdmin 6.5.
Attack Scenarios:
An attacker can create, upload and execute a malicious file on a 
vulnerable server.
Ease of Attack:
False Positives:
If you think this rule has false positives, please help fill it out.
False Negatives:
The default HP Web JetAdmin port is 8000. If an administrator selects a 
different port on which to run the web server, no alert will be detected. 
In that case, the rule should be altered to reflect the port on which the 
web server runs.
If you think this rule has false negatives, please help fill it out.
Corrective Action:
Upgrade to the latest non-affected version of the software.

Additional References:
HP Bug ID: SSRT2397
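
The following is an added example, not part of the original post and not Snort code: a simplified Python model of the rule's matching logic, run over constructed traffic, to show what alerts and the port-based false negative described above. The Segment type, the sample names, port 8443 and the "func=ExecuteFile" body are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rule's matching logic, not Snort.
from dataclasses import dataclass

RULE_PORT = 8000  # destination port in the rule header
RULE_CONTENTS = (b"/plugins/framework/script/content.hts", b"executefile")  # lowercased

@dataclass
class Segment:
    dst_port: int
    to_server: bool     # flow:to_server
    established: bool   # flow:established
    payload: bytes

def rule_matches(seg, port=RULE_PORT):
    """True when the simplified rule would alert on this segment."""
    if seg.dst_port != port or not (seg.to_server and seg.established):
        return False
    data = seg.payload.lower()  # both content options carry "nocase"
    # Neither content has distance/within, so each may match anywhere, in any order.
    return all(c in data for c in RULE_CONTENTS)

def triage(samples, port=RULE_PORT):
    """Names of the samples that would raise an alert."""
    return [name for name, seg in samples if rule_matches(seg, port)]

# Constructed traffic. "func=ExecuteFile" is a placeholder body, not the real request format.
HIT = b"POST /plugins/framework/script/content.hts HTTP/1.0\r\n\r\nfunc=ExecuteFile"
SAMPLES = [
    ("default_port", Segment(8000, True, True, HIT)),
    ("mixed_case", Segment(8000, True, True, HIT.upper())),
    ("moved_port", Segment(8443, True, True, HIT)),  # admin changed the port
    ("script_only", Segment(8000, True, True, HIT.split(b"func=")[0])),
    ("server_reply", Segment(8000, False, True, HIT)),
]

if __name__ == "__main__":
    print("rule as posted:", triage(SAMPLES))
    print("rule edited to 8443:", triage(SAMPLES, port=8443))
```

The "moved_port" sample is missed by the rule as posted and caught only once the port is changed to match the server, which is the false negative noted in the write-up.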
