HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution

2011.08.26
Credit: HP
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02949847 Version: 1 HPSBPI02698 SSRT100404 rev.1 - HP Easy Printer Care Software Running on Windows, \ Remote Execution of Arbitrary Code NOTICE: The information in this Security Bulletin should be acted upon as soon as \ possible. Release Date: 2011-08-08 Last Updated: 2011-08-08 Potential Security Impact: Remote execution of arbitrary code Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Easy Printer Care \ Software Running on Windows. The vulnerability can be remotely exploited to write \ arbitrary files to the system and execute them via the browser. References: CVE-2011-2404 , ZDI-CAN-1092 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Easy Printer Care Software v2.5 and earlier for Windows XP and Vista. This Windows \ software could be used in conjunction with the following Laser Jet and Color Laser \ Jet printer models: Laser Jet P1005 / P1006 / P1007 / P1008 Laser Jet 1010 / 1012 / 1015 Laser Jet P1102 / P1102w Laser Jet M1120 / M1120n Laser Jet Pro M1132 / M1134 / M1136 / M1137 / M1138 / M1139 Laser Jet 1150 Laser Jet 1160 Laser Jet Pro M1212nf / M1213nf / N1214nfh / M1216nfh / M1217nfw / M1219nf Laser Jet 1300 Laser Jet 1320 Laser Jet P1505 Laser Jet 2100 Laser Jet 2200 Laser Jet 2300 / 2300L Laser Jet 2410 / 2420 / 2430 Laser Jet 3015 All-in-one Laser Jet 3020/3030 All-in-one Laser Jet 3050Z All-in-one Laser Jet 3380 All-in-one Laser Jet M3035mfp Laser Jet 4000 Laser Jet 4050 Laser Jet 4100 Laser Jet 4100mfp Laser Jet 4200 / 4240 / 4250 Laser Jet 4300 / 4350 Laser Jet M4345mfp Laser Jet 4345mfp Laser Jet 5000 Laser Jet M5035mfp Laser Jet 5100 Laser Jet 5200 / Laser Jet 5200L Laser Jet 8000 Laser Jet 8000mfp Laser Jet 8100 / 8150 Laser Jet 9000 Laser Jet 9000mfp / 9000Lmfp Laser Jet 9040 / 9050 Laser Jet 9040mfp / 9050mfp / 9055mfp / 9065mfp Color Laser Jet CP 1215 / 1217 Color Laser Jet CP 1514n / 1515n / 1518ni Color Laser Jet 2500 Color Laser Jet 2550 Color Laser Jet 2820 / 2840 All-in-one Color Laser Jet 3000* Color Laser Jet 3500 / 3550 Color Laser Jet 3600 Color Laser Jet 3700 Color Laser Jet 3800* Color Laser Jet4500 Color Laser Jet 4550 Color Laser Jet 4600 / 4610 / 4650 Color Laser Jet 4700* Color Laser Jet 4730mfp* Color Laser Jet 5500 / 5550 Color Laser Jet 8500 Color Laser Jet 8550 Color Laser Jet 9500 Color Laser Jet 9500mfp BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-2404 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP Easy Printer Care Software v2.5 and earlier for Windows XP and Vista is no longer \ available from HP. HP Easy Printer Care Software is no longer supported by HP. HP Recommends this software be uninstalled from the system as soon as possible. The HPTicketMgr.dll ActiveX control that is vulnerable is CLSID \ 466576F3-19B6-4FF1-BD48-3E0E1BFB96E9 , If the software is not uninstalled, HP \ recommends setting the kill bit for the vulnerable ActiveX control Class identifier \ (CLSID) {466576F3-19B6-4FF1-BD48-3E0E1BFB96E9} . The kill bit is set by modifying the \ data value of the Compatibility Flags DWORD value for the CLSID of this ActiveX \ control to 0x00000400. This is explained in Microsoft's article KB240797 or \ subsequent. http://support.microsoft.com/kb/240797 HISTORY Version:1 (rev.1) - 8 August 2011 Initial release Third Party Security Patches: Third party security patches that are to be installed \ on systems running HP software products should be applied in accordance with the \ customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, \ send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts \ via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Software Product Category: The Software Product Category is represented in the title \ by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or \ omissions contained herein. The information provided is provided "as is" without \ warranty of any kind. To the extent permitted by law, neither HP or its affiliates, \ subcontractors or suppliers will be liable for incidental,special or consequential \ damages including downtime cost; lost profits;damages relating to the procurement of \ substitute products or services; or damages for loss of data, or software \ restoration. The information in this document is subject to change without notice. \ Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein \ are trademarks of Hewlett-Packard Company in the United States and other countries. \ Other product and company names mentioned herein may be trademarks of their \ respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk4/+yMACgkQ4B86/C0qfVla+ACfcT6KHWbvrI+dy+WBmgOxbrrE nIkAoM98H9S+nAgTd6HMVU3bDdrFDepT =BMGp -----END PGP SIGNATURE-----

References:

http://marc.info/?l=bugtraq&m=131291471508119&w=2
http://marc.info/?l=bugtraq&m=131291471508119&w=2


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top