Challenge: This afternoon, a co-worker came to me and ask my help to retrieve her forgotten admin password for HP Web JetAdmin login. The situation was that she had been using another created profile too often to remember the default admin account logon credential. She tried the default password ‘admin’ but it did not work.

First, I asked whether this software uses any database to store password since I thought we can open any database tables. She said there was a MS SQL server installed on the server but she did not think we are using the database server now.

Then I figured it might use the flat file to store such user credential information, even I trusted such big company as HP would not do so. But anyway, I asked to take a look at the Web Jetadmin server. And I hope I can figure something more out from the web server logon script.

After we got on the Web Jetadmin server, we had a surprising discovery. Under the HP Web Jetadmin program installation folder “c:/program files/HP Web Jetadmin/“, there was a folder called “auth”. Does not it mean “hey, hacker, come here to take a look, I might have what you are looking for – the passwords”? And it IS really what it meant. I found a file named local.users and I could open it with Notepad. In that file, there are lines with “admin: xxxx — 6a206d14000a7c2bc3cd3358153cffb5″. Ah, is not that the password we were looking for?

[updated according to derkeiler.com]

This password string has three elements:
- 6a206d14 is the initialization vector for the algorithm
- 000a is the length of the encrypted data (and double the length of the clear text)
- 7c2bc3cd3358153cffb5 is the actual encrypted data

Of course, some smart HP engineers thought who would figure out the passwords if they encrypted them. Yeah, they almost got us. After we saw these encrypted text, my co-worker was sad and said she would have to ask HP for the support.

But wait, I still get her admin password back even it has been encrypted.

Solution:

1. Locate the users credential file under the program installation directory. Ours is on C:/program files/HP Web Jetadmin.
2. After make a backup copey, then use any text editor (I prefer WordPad) to open the ~/auth/local.user (not sure the file name is local.users or local.user) file.
3. Since we have more than two accounts in that file, and she knows another non-admin account’s password (say, user1), I just copy everything after user1: and paste it after admin:.
4. Launch HP Web Jetadmin web URL, and use admin as the username, and whatever she used for her second user user1 as the password. And voila, we just got in!

Well, HP will say: hi, you just assume you already knew another account/password. Otherwise, how can you de-crypt my admin password.

Really, how about I just paste whatever the encrypted password I used to access to HP Web Jetadmin on the Internet, and tell everyone what it meant in plain text. Then anyone can open the local.user file and paste it as the admin password. Is not that Great, or Scared?

Updated on 01/29/2008: After checking the Internet, and find http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-04/0106.html is talking about HP Web Jetadmin security issues. Some of them mentioned about the “password disclosure and decryption”.

Tags: hack, HP, password, security, Web Jetadmin