HP Easy Printer Care Software ActiveX Control Remote Code Execution Vulnerabilities

high Nessus Plugin ID 55832

Synopsis

An ActiveX control on the remote Windows host could allow arbitrary remote code execution.

Description

The version of the HPTicketMgr.dll ActiveX control, part of HP Easy Printer Care Software and installed on the remote Windows host, is affected by several vulnerabilities:

- The 'SaveXML()' method in the XMLSimpleAccessor class ActiveX control is prone to a directory traversal attack and can be abused to write arbitrary files to the system and then execute them through the browser. (CVE-2011-2404)

- The 'CacheDocumentXMLWithId()' method in the XMLCacheMgr class ActiveX control is prone to a directory traversal attack and can be abused to write malicious content to the filesystem. (CVE-2011-4786)

- The 'LoadXML()' method in the XMLSimpleAccessor class ActiveX control is affected by a heap-based buffer overflow vulnerability. (CVE-2011-4787)

If an attacker can trick a user on the affected host into visiting a specially crafted web page, these issues could be leveraged to execute arbitrary code on the host, subject to the user's privileges.

Solution

Either uninstall the software, as it is no longer supported by HP, or set the kill bit for the affected control.
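
The following PowerShell sketch is an added example, not part of the plugin or of HP's guidance. It audits, and with -Set applies, the Internet Explorer kill bit (the 0x400 bit of "Compatibility Flags") in both the native and 32-bit registry views. The CLSID shown is a placeholder, because this page does not list the CLSIDs of the affected classes.

```powershell
# Audit (and with -Set, apply) the IE kill bit for ActiveX controls.
# ASSUMPTION: the CLSID below is a placeholder. The page does not give the
# CLSIDs of the HPTicketMgr.dll classes; read them from the HKCR\CLSID entries
# whose InprocServer32 value points at HPTicketMgr.dll on an affected host.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),  # placeholder
    [switch]$Set
)

$KillBit = 0x400   # kill bit within the "Compatibility Flags" DWORD
$Name    = 'Compatibility Flags'
# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so check both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-KillBitState {
    param([string]$Root, [string]$Id)
    $key   = "$Root\$Id"
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $item = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $flags = [int]$item.$Name }
    }
    [pscustomobject]@{
        Key        = $key
        Flags      = $flags
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

foreach ($root in $Roots) {
    foreach ($id in $Clsid) {
        $state = Get-KillBitState -Root $root -Id $id
        if ($Set -and -not $state.KillBitSet) {
            # Create the key if missing, then OR the kill bit into existing flags.
            if (-not (Test-Path -LiteralPath $state.Key)) {
                New-Item -Path $state.Key -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $state.Key -Name $Name -PropertyType DWord `
                -Value ($state.Flags -bor $KillBit) -Force | Out-Null
            $state = Get-KillBitState -Root $root -Id $id
        }
        '{0}  flags=0x{1:X8}  killbit={2}' -f $state.Key, $state.Flags, $state.KillBitSet
    }
}
```

Run it from an elevated prompt when using -Set, and pass each affected class's CLSID, since the kill bit is set per CLSID and the DLL exposes more than one class.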

See Also

https://www.zerodayinitiative.com/advisories/ZDI-11-261/

https://www.zerodayinitiative.com/advisories/ZDI-12-013/

https://www.zerodayinitiative.com/advisories/ZDI-12-014/

https://seclists.org/fulldisclosure/2011/Aug/141

https://www.securityfocus.com/archive/1/519191/30/0/threaded

https://www.securityfocus.com/archive/1/521230/30/0/threaded

https://seclists.org/bugtraq/2012/Jan/85

https://seclists.org/bugtraq/2012/Jan/86

Plugin Details

Severity: High

ID: 55832

File Name: hpticketmgr_activex.nasl

Version: 1.21

Type: local

Agent: windows

Family: Windows

Published: 8/12/2011

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:hp:easy_printer_care_software

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/8/2011

Exploitable With

CANVAS (D2ExploitPack)

Core Impact

Metasploit (HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution)

Reference Information

CVE: CVE-2011-2404, CVE-2011-4786, CVE-2011-4787

BID: 49100, 51396, 51400