Phenoelit Advisory

[ Authors ]
        FX
        FtR
        kim0
        DasIch

        Phenoelit Group (http://www.phenoelit.de)
        Advisory http://www.phenoelit.de/stuff/HP_Chai.txt

[ Affected Products ]
        Hewlett Packard (HP) ChaiVM
                HP 9000
                HP 4100
                HP 45nn
                HP 8150
                Possibly others using ChaiVM

        HP Bug ID: Not assigned
        CERT Vulnerability ID: 780747

[ Vendor communication ]
        06/29/02        Initial Notification, security-alert@hp.com
                        *Note: initial notification by Phenoelit includes
                        a cc to cert@cert.org by default
        06/29/02        RBL blocked delivery to security-alert@hp.com
        06/29/02        Creation of ho-mail account and resend
        06/29/02        Auto-responder reply
        07/01/02        Human contact, PGP exchange and ack.
        07/01/02        Clarification of some details w/HP Sec people
        07/19/02        Notification of intent to post publicly in
                        approx. 7 days.
        07/23/02        Coordination for release date/times

[ Overview ]
        ChaiVM is used in networked appliances such as printers, mobile
        computing devices, and other mobile or fixed networked embedded
        hardware.

[ Description ]
        Two vulnerabilities exist.

        1. Access to the file system hosting ChaiVM will allow any user
           to add, delete, or modify services hosted by the ChaiServer.
           This is especially applicable in cases where the file is
           accessible through the network using PJL.

        2. The default loader (this.loader) will verify JAR signatures.
           HP released an advanced loader (EZloader, this.ez), which in
           turn is signed by HP and does not verify signatures for new
           services.

        Together, these vulnerabilities allow any network user to add
        additional Chai Services.

[ Example ]
        Sample (exploit) code to be released after 30 July 2002 on site.

[ Solution ]
        None known at this time.

[ end of file ]
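The loader delegation in item 2 of the description can be modelled in a few lines. This is an added example, not code from Phenoelit or HP: `ServiceHost`, `default_load` and `delegate_load` are hypothetical names, and an HMAC with a constructed key stands in for a JAR signature. It shows why a signature on the second loader does not carry over to the services it loads, and what changes when that loader verifies as well.

```python
import hashlib
import hmac

VENDOR_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a JAR signature

def sign(code: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()

def signature_ok(code: bytes, sig) -> bool:
    return sig is not None and hmac.compare_digest(sign(code), sig)

class ServiceHost:
    """Toy service host: a verifying default loader plus a delegated loader."""

    def __init__(self, verify_in_delegate: bool):
        self.verify_in_delegate = verify_in_delegate
        self.services = {}   # service name -> loader that installed it
        self.rejected = []   # (name, loader) pairs, kept for audit

    def default_load(self, name, code, sig=None) -> bool:
        # The default loader always checks the signature.
        return self._install(name, "default", signature_ok(code, sig))

    def delegate_load(self, name, code, sig=None) -> bool:
        # The delegated loader exists only after it was loaded, signed, through
        # the default loader. Its signature says who published the loader, not
        # what policy the loader applies to the code it installs next.
        if self.services.get("delegate-loader") != "default":
            raise RuntimeError("delegate loader is not installed")
        allowed = signature_ok(code, sig) if self.verify_in_delegate else True
        return self._install(name, "delegate", allowed)

    def _install(self, name, loader, allowed) -> bool:
        if allowed:
            self.services[name] = loader
        else:
            self.rejected.append((name, loader))
        return allowed

def demo(verify_in_delegate: bool) -> dict:
    host = ServiceHost(verify_in_delegate)
    loader, svc = b"delegate loader bytes", b"unsigned service bytes"
    return {
        "unsigned_via_default": host.default_load("svc-a", svc),
        "loader_via_default": host.default_load("delegate-loader", loader, sign(loader)),
        "unsigned_via_delegate": host.delegate_load("svc-b", svc),
        "signed_via_delegate": host.delegate_load("svc-c", svc, sign(svc)),
        "unsigned_installed": sorted(set(host.services) & {"svc-a", "svc-b"}),
    }
```

`demo(False)` models the behaviour the advisory describes; `demo(True)` models a host where every loader in the chain enforces the same signature check.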