CSIS-RI-0003: Multiple buffer overflow vulnerabilities in HP ActiveX



Multiple buffer overflow vulnerabilities in HP Software



Hewlett-Packard (HP) is the world's largest PC dealer. According to IDC, HP shipped 14.7 million units worldwide, a 23.3 percent year-over-year growth and a 19 percent market share.



PC's and laptops from HP are often shipped with preinstalled software running on Microsoft Windows. The software is designed so the end-user can keep drivers and HP software automatically updated. This is done through a ActiveX plugin for Microsoft Internet Explorer.



CSIS have discovered multiple high-risk vulnerabilities in several parts of that specific software. The affected component are found preinstalled on a broad range of HP equipment but are also installed when a end user visits HP webpage in order to access software updates such as applications, drivers and firmware for multiple HP products.



We have discovered eight different vulnerabilities of which five should be considered highly critical since they allow remote code execution.



At least five of these vulnerabilities have been confirmed to work in a typical drive-by scenario. All it takes to exploit is to lure a user into visiting a hostile and specifically crafted website. The attack could also be done through SQL and HTML injection. This would allow, if the system is found vulnerable, to run arbitrary code and take complete control of the system or at least with the privileges of the logged on user. In order for this scenario to work it would only require one of the affected ActiveX objects to be installed and Active scripting to be enabled in Microsoft Internet Explorer, which it is by default.



The vulnerability was discovered and reported by Dennis Rand from CSIS Security Group.



HP has released an advisory and update to address these vulnerabilities.

HP Instant Support HPISDataManager.dll Running on Windows, Remote Execution of Arbitrary Code

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264



Technical advisory with PoC can be downloaded here:

http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf



Relevant Pages

  • CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities
    ... Title: CDNetworks Nefficient DownloadVulnerabilities ... Impact: Remote Code Execution ... a attacker can copy a malicious file to any path such as start program ... this ActiveX or obtain a valid keycode which is correct to your site. ...
    (Bugtraq)
  • Re: RTHDCPL.EXE - Illegal System DLL Relocation
    ... Vulnerabilities in GDI Could Allow Remote Code Execution ... 'Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could ... "The system DLL user32.dll was relocated in memory. ...
    (microsoft.public.windowsxp.general)
  • Re: [Full-disclosure] Month of ActiveX Bug
    ... They found a DoS and truly have no idea whether or not it can cause ... remote code execution due to not having the knowledge/skills necessary to ... vulnerabilities, but it is a vulnerability nonetheless. ... allows remote attackers to cause a denial of service and possibly ...
    (Full-Disclosure)
  • Re: OT: Gone from topic, now on security Re: For PGP Users-Likes and Dislikes of PGP
    ... releases monthly this is a reasonable timeframe) there has been 1 ... You only asked for vulnerabilities in OE, ... little memory corruption vulnerability which allows remote code execution. ... Due to inherit of all IE flaws, ...
    (comp.security.misc)
  • Re: security update problem
    ... Vulnerabilities in Macromedia Flash Player from Adobe could allow ...
    (microsoft.public.windowsxp.general)