--
kim0 <kim0@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0 FBEF 2D72 33C0 77FC CD42
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-->
[ Authors ]
FX <fx@phenoelit.de>
FtR <ftr@phenoelit.de>
kim0 <kim0@phenoelit.de>
DasIch <DasIch@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
Advisory http://www.phenoelit.de/stuff/HP_Chai.txt
[ Affected Products ]
Hewlett Packard (HP) ChaiVM
HP 9000
HP 4100
HP 45nn
HP 8150
Possibly others using ChaiVM
HP Bug ID: Not assigned
CERT Vulnerability ID: 780747
[ Vendor communication ]
06/29/02 Initial Notification, security-alert@hp.com
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
06/29/02 RBL blocked delivery to security-alert@hp.com
06/29/02 Creation of ho-mail acocunt and resend
06/29/02 Auto-responder reply
07/01/02 Human contact, PGP exchange and ack.
07/01/02 Clarification of some details w/HP Sec people
07/19/02 Notification of intent to post publically in
apx. 7 days.
07/23/02 Coordination for release date/times
[ Overview ]
ChaiVM is used in networked appliances such as printers, mobile
computing devices, and other mobile or fixed networked embedded hardware.
[ Description ]
Two vulnerabilites exist.
1. Access to the file system hosting ChaiVM will allow any user to
add, delete, or modify services hosted by the ChaiServer.
This is especially appliciable in cases where the file is accessible
through the network using PJL.
2. The default loader (this.loader) will verify JAR signatures.
HP released an advanced loader (EZloader, this.ez), which in turn,
is signed by HP and does not verify signatures for new services.
The result of these vulnerabilites will allow any network user to
add additional Chai Services.
[ Example ]
Sample (exploit) code to be released after 30 July 2002 on site.
[ Solution ]
None known at this time.
[ end of file ]
