This document is a technical advisory for a privilege escalation weakness found in HP Software Update as supplied with HP Photosmart 5520 e-ALL-IN-ONE series software. This document is being released in order to alert HP to the risk detailed below and to request remediation. Please note that this document may be subject to modification as new information becomes available.
Commissum Senior Consultant Liam Romanis identified a privilege escalation vulnerability in HP Software Update:
Poor file permissions on the “HP Software Update” directory and its contents permit non-administrative users to modify files to effect a privilege escalation attack.
HP Photosmart 5520 e-ALL-IN-ONE series software was installed on a Windows 7 Professional test system. The software installed had the following versions:
These files and the parent directory were found to be configured to allow users write permissions. For example:
c:\Program Files\HP\HP Software Update\hpwucli.exe BUILTIN\Users:(ID)(special access:)
It was discovered that “hpwuschd2.exe” ran automatically on user logon. Further that HP Software Update would run automatically every week by default. If an administrative user account logged on these processes would run with their permissions.
It was therefore possible to overwrite these files with malicious versions designed to make use of the privileges of an administrative user as follows:
A payload was generated using msfpayload:
sudo msfpayload windows/adduser user=’attacker’ pass=’Att4ck3r!’ WMIC=’true’ D > SoftwareUpdate.dll The file c:\program files\HP\HP Software Update\SoftwareUpdate.dllwas then overwritten with this malicious DLL.
When an administrator logged on and deliberately ran HP Software Update or during a weekly update the malicious code ran creating the ‘Attacker’ user account and adding this account to the local Administrators group. The user could then login using the Attacker account and gain administrator privileges.
This issues was addressed by an update of the HP Update Utility version 5.005.002.002. This version is currently available on HP.com at the following link:
The current web pack (driver and software bundle) specifically for the Photosmart 5520 also contains the latest update to HPU and can be found at:
|Liam Romanis||Discovery of weakness||04/01/2015|
|Liam Romanis||First Draft of Public and Vendor Advisories||27/03/2015|
|Boglarka Ronto||Peer Review||27/03/2015|
|Chris Jacobson (HP)||Provided patch information||06/05/2015|
|Liam Romanis||Update to advisory||06/05/2015|