[Snort-sigs] New Sid: MISC HP Web JetAdmin ExecuteFile admin access
talex at ...2704...
Wed Aug 4 13:37:40 EDT 2004
After a cursory look in the sids db and mailing list archives, I don't
believe this one's in existence yet (or maybe I've missed it). Perhaps
you've considered it in the past and it wasn't deemed worthy of a unique
sid? I thought it might be as other HP Web JetAdmin sids (2547, 2548,
and 2549) already exist. I've successfully tested this signature by
exploiting an HP WebJetAdmin v6.5 running on a Win2k Pro platform. I
suspect the Linux exploit would trigger the signature as well.
This is my first time submitting one of these so I hope I have the
correct information (as per the required template). Please note that I
have kept some of the similar text in sids 2547, 2548, and 2548 to
maintain some consistency. Lemme know if you have any
MISC HP Web JetAdmin ExecuteFile admin access
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:????; rev:1;)
This event is generated when an attempt is made to exploit a vulnerability
associated with an HP WebJetAdmin web server.
A successful attack may allow the execution of arbitrary code as root on
UNIX and SYSTEM on Windows on a vulnerable server.
The HP Web JetAdmin application allows users to manage HP
JetDirect-connected printers within their intranet using a browser. The
httpd core supports an exported function called ExecuteFile. A
vulnerability exists that allows the uploading and execution of
unauthorized files by posting a malicious http request with the script
/plugins/framework/script/content.hts in conjunction with ExecuteFile
function to the web server. Discovery of the vulnerability is credited
to FX of Phenoelit <
HP Web JetAdmin 6.5.
An attacker can create, upload and execute a malicious file on a
Ease of Attack:
If you think this rule has false positives, please help fill it out.
The default HP Web JetAdmin port is 8000. If an administrator selects a
on which to run the web server, no alert will be detected. In that case,
should be altered to reflect the port on which the web server runs.
If you think this rule has false negatives, please help fill it out.
Upgrade to the latest non-affected version of the software.
HP Bug ID: SSRT2397
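
Added example, not part of the original post and not Snort's own code: a small Python approximation of how the proposed rule's port, flow and content/nocase options decide a match, showing the non-default-port false negative the post describes. The traffic samples, the port 8443 and the helper names are constructed for illustration.

```python
import re

# Rule text from the post, joined onto one line; the sid stays the author's "????".
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 '
        '(msg:"MISC HP Web JetAdmin ExecuteFile admin access"; '
        'flow:to_server,established; content:"ExecuteFile"; nocase; '
        'reference:bugtraq,10224; classtype:attempted-admin; sid:????; rev:1;)')

def parse_rule(text):
    """Split a simple rule into destination port and options (no escaped ';' support)."""
    header, body = text.split('(', 1)
    opts = {}
    for opt in body.strip().rstrip(')').split(';'):
        key, _, val = opt.strip().partition(':')
        if key:
            opts[key] = val.strip().strip('"')
    return {"dst_port": header.split()[6], "opts": opts}

def matches(rule, dst_port, to_server, payload):
    """Approximate the rule: port check, flow direction, then the content match."""
    if rule["dst_port"] != "any" and int(rule["dst_port"]) != dst_port:
        return False
    if "to_server" in rule["opts"].get("flow", "") and not to_server:
        return False
    needle = rule["opts"]["content"].encode()
    if "nocase" in rule["opts"]:
        return needle.lower() in payload.lower()
    return needle in payload

def retarget(text, port):
    """Rewrite the destination port in the rule header, as the post advises."""
    return re.sub(r'(->\s+\S+\s+)\S+(\s+\()', rf'\g<1>{port}\g<2>', text, count=1)

# Constructed traffic (dst_port, to_server, payload); bodies are placeholders, not exploit data.
REQ = b"POST /plugins/framework/script/content.hts HTTP/1.0\r\n\r\n"
SAMPLES = [
    (8000, True, REQ + b"<constructed body naming ExecuteFile>"),
    (8000, True, REQ + b"<constructed body naming executefile>"),
    (8443, True, REQ + b"<constructed body naming ExecuteFile>"),  # hypothetical custom port
    (8000, True, b"GET / HTTP/1.0\r\n\r\n"),
]

def evaluate(rule_text):
    rule = parse_rule(rule_text)
    return [matches(rule, port, to_srv, data) for port, to_srv, data in SAMPLES]

if __name__ == "__main__":
    print("port 8000 rule:", evaluate(RULE))
    print("port 8443 rule:", evaluate(retarget(RULE, 8443)))
```

Because the only payload test is the bare string, any to-server traffic on the watched port that contains "ExecuteFile" in any letter case will match, whatever URI it is sent to.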