Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan


HP Info Center

On December 12th, 2007, a vulnerability was disclosed in an ActiveX control that shipped by default with multiple series of Hewlett Packard notebooks. The issue itself was found in a piece of software called the HP Info Center. The vulnerability allowed remote read and write access to the registry as well as the execution of arbitrary commands. By instantiating this control in Internet Explorer and calling the vulnerable functions, it was possible to run software with the same level of access as the user running IE. Porkythepig found and disclosed this serious threat and wrote a detailed report as well as a sample exploit covering three attack vectors.

The HP control with the CLSID 62DDEB79-15B2-41E3-8834-D3B80493887A was responsible for the listed vulnerabilities. By default it installs itself into C:\Program Files\Hewlett-Packard\HP Info Center. In his advisory, porky listed three potentially insecure methods as well as the expected parameters:

  • VARIANT GetRegValue(String sHKey, String sectionName, String keyName);
  • void SetRegValue(String sHKey, String sSectionName, String sKeyName, String sValue);
  • void LaunchApp(String appPath, String params, int cmdShow);

While the first and second methods allow for remote read and write access to the registry, the third function runs arbitrary programs. For example, an attacker could execute cmd.exe with arbitrary arguments.

In this example, the vulnerable control provided remote access to the victim's machine. Sample code to exploit all three functions can once again be found on Milw0rm: http://www.milw0rm.com/exploits/4720.
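A standard mitigation for a control like this is Internet Explorer's kill bit: the value 0x00000400 in "Compatibility Flags" under the ActiveX Compatibility key for the control's CLSID. The following audit script is an added example, not code from the original article or from the advisory; it checks a registry export for that bit using the CLSID quoted above, and the sample export and function names are constructed for illustration.

```python
import re

# CLSID of the HP Info Center control, taken from the text above.
HP_CLSID = "{62DDEB79-15B2-41E3-8834-D3B80493887A}"
KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks instantiation in IE
# 64-bit Windows keeps a second copy of the key for 32-bit Internet Explorer.
VIEWS = {
    "native": r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "wow64": r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
}

# Constructed sample export: kill bit set in one view, a different flag in the other.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{62DDEB79-15B2-41E3-8834-D3B80493887A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62ddeb79-15b2-41e3-8834-d3b80493887a}]
"Compatibility Flags"=dword:00800000
'''


def parse_reg(text):
    """Parse .reg export text into {UPPER-CASED key path: {lower-cased name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys


def kill_bit_status(text, clsid=HP_CLSID):
    """Return {view: True if the kill bit is set for clsid in that registry view}."""
    keys = parse_reg(text)
    status = {}
    for view, base in VIEWS.items():
        values = keys.get(f"HKEY_LOCAL_MACHINE\\{base}\\{clsid}".upper(), {})
        m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", values.get("compatibility flags", ""))
        status[view] = bool(m) and bool(int(m.group(1), 16) & KILL_BIT)
    return status


if __name__ == "__main__":
    print(kill_bit_status(SAMPLE))  # for real exports, read the file as UTF-16
```

A host counts as protected only when every view that exists on it reports True; in the constructed sample the 32-bit view is still unprotected.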