[unisog] Crackers Targeting Web JetAdmin 6.5 Vulnerability

Brian Eckman eckman at umn.edu
Fri May 14 18:03:34 GMT 2004


Just an FYI: We had a computer on campus that was broken into yesterday 
via a vulnerability in HP Web JetAdmin 6.5 (default port of 8000/tcp). 
The specific vulnerability is referenced at the following URL:

http://www.securitytracker.com/alerts/2004/Apr/1009960.html

There is a link in that advisory to the exploit code that appears to 
have been used. The vulnerability was exploited to write an x.txt file to 
the root of the C: drive, and then call the Windows command line ftp 
program to execute the commands listed in the x.txt file. That 
downloaded the backdoor kit, which they then executed via the same Web 
JetAdmin flaw.

The backdoor kit that was downloaded was just under 1MB, and when run, 
extracts several files to C:\recycler, including nc.exe (netcat), 
win.exe (ServU and apparently an IRC bot), the ServU configuration files 
and such. Some time afterward, r_admin was downloaded and installed to 
listen on 4899/tcp.

In this case, the x.txt file and the kit (flash.exe) were left in the 
root of the C: drive, they had nc.exe (netcat) binding cmd.exe to 
3112/tcp, had ServU FTP server listening on 1986/tcp, and had r_admin 
listening on port 4899/tcp. The FTP Server and R_admin were services 
that were listed in the control panel's Services applet (the win.exe was 
listed as "Serv-U FTP Server", the r_admin seemed to be the default 
value, which I don't recall).

In the next hour of infection, our infected host appears to have 
downloaded several other 1 MB files from various locations, apparently 
as part of a speed test. However, this computer was not yet prepped for 
Warez[1], so the motive is still unclear. Also, the cmd.exe backdoor on 
port 3112/tcp was accessed one time early in the exploitation, but does 
not seem to play a key role.

Upgrading to version 7.5 of Web JetAdmin reportedly fixes the flaw that 
was exploited. The home page for this product is:
http://h10010.www1.hp.com/wwpc-JAVA/offweb/vac/us/en/en/network_software/wja_overview.html

Anyway, I thought I would share this information. It's important to 
remember that not only the high-profile stuff like MS04-011 is being 
exploited. Any low-hanging fruit is game.


Brian

[1] - The FTP Server had only one username, "admin", whose home dir was 
C:\. There was no other directory structure found, specifically none 
with aux1, nul, com, etc. as part of the directory name. This of course 
does not count out Warez; I'm just pointing out that it doesn't point at 
Warez. I ran the flash.exe in a test environment, and it joined a 
channel on irc.after-all.org. The channel was silent except for bots 
joining, quitting and phoning home that they successfully uploaded a 
file, stuff like that. So, the channel itself didn't appear to be Warez, 
but there are other channels on the server that are, and these *could* 
eventually be migrated over.

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
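The post above gives a compact set of host indicators: listeners on 8000/tcp (the vulnerable Web JetAdmin), 3112/tcp (nc.exe bound to cmd.exe), 1986/tcp (Serv-U) and 4899/tcp (r_admin), plus x.txt and flash.exe in the root of C: and nc.exe/win.exe under C:\recycler. The following is an added triage script, not code from the original post or from HP; it parses Windows `netstat -an` text and a directory listing and reports matches against those indicators. The sample netstat output and file paths embedded in it are constructed, and the two function names are my own.

```python
"""Triage helper for the indicators described in the unisog post above.

Added example, not part of the original post. The port and file names come
from the post; the sample netstat output and file paths below are constructed.
"""
import ntpath
import re
from typing import Dict, List

# Listening ports the post reports on the compromised host (all TCP).
SUSPECT_PORTS: Dict[int, str] = {
    8000: "HP Web JetAdmin default port (vulnerable 6.5 exposed here)",
    3112: "nc.exe bound to cmd.exe",
    1986: "Serv-U FTP server from the backdoor kit",
    4899: "r_admin remote administration service",
}

# File artifacts the post reports (lower-case name -> description).
SUSPECT_FILES: Dict[str, str] = {
    "x.txt": "FTP command script left in the root of C:",
    "flash.exe": "backdoor kit left in the root of C:",
    "nc.exe": "netcat, extracted to C:\\recycler",
    "win.exe": "Serv-U plus IRC bot, extracted to C:\\recycler",
}

# One line of Windows "netstat -an" output. Group 3 is the local port; the
# State column is absent for UDP rows, hence the optional last group.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def find_suspect_listeners(netstat_output: str) -> List[dict]:
    """Return every TCP socket whose local port matches an indicator.

    Established connections are reported as well as listeners, because the
    post notes the 3112/tcp shell was actually connected to once."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header line, blank line, or "Active Connections"
        proto, local_addr, port, foreign, state = m.groups()
        port = int(port)
        if proto.upper() != "TCP" or port not in SUSPECT_PORTS:
            continue
        hits.append({
            "port": port,
            "local": local_addr,
            "foreign": foreign,
            "state": (state or "").upper(),
            "why": SUSPECT_PORTS[port],
        })
    return hits


def find_suspect_files(paths: List[str]) -> List[dict]:
    """Match file names from a directory listing against the post's artifacts.

    ntpath is used so Windows paths parse correctly on any host, e.g. when
    triaging a mounted disk image from a Linux workstation."""
    hits = []
    for p in paths:
        name = ntpath.basename(p).lower()
        if name in SUSPECT_FILES:
            parent = ntpath.dirname(p).lower()
            hits.append({
                "path": p,
                "why": SUSPECT_FILES[name],
                "in_recycler": parent.endswith("recycler"),
            })
    return hits


# Constructed sample input mimicking "netstat -an" on the compromised host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1986           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3112           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3112        198.51.100.7:51022     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample directory listing.
SAMPLE_PATHS = [
    r"C:\x.txt",
    r"C:\flash.exe",
    r"C:\recycler\nc.exe",
    r"C:\recycler\win.exe",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    for h in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"port {h['port']:<5} {h['state']:<12} {h['why']}")
    for h in find_suspect_files(SAMPLE_PATHS):
        print(f"{h['path']:<28} {h['why']}")
```

On a live host the two sample values would be replaced by the output of `netstat -an` and a recursive listing of C:; the indicator tables are deliberately plain dicts so that ports or names from a different kit can be swapped in without touching the parsing logic.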
