HP Software Update Privilege Escalation Vulnerability


This document is a technical advisory for a privilege escalation weakness found in HP Software Update as supplied with HP Photosmart 5520 e-ALL-IN-ONE series software. This document is being released in order to alert HP to the risk detailed below and to request remediation. Please note that this document may be subject to modification as new information becomes available.


Commissum Senior Consultant Liam Romanis identified a privilege escalation vulnerability in HP Software Update:

Poor file permissions on the “HP Software Update” directory and its contents permit non-administrative users to modify files to effect a privilege escalation attack.

Technical Detail

HP Photosmart 5520 e-ALL-IN-ONE series software was installed on a Windows 7 Professional test system.  The software installed had the following versions:




These files and the parent directory were found to be configured to allow users write permissions. For example:

c:\Program Files\HP\HP Software Update\hpwucli.exe BUILTIN\Users:(ID)(special access:)









It was discovered that “hpwuschd2.exe” ran automatically on user logon. Further that HP Software Update would run automatically every week by default. If an administrative user account logged on these processes would run with their permissions.

It was therefore possible to overwrite these files with malicious versions designed to make use of the privileges of an administrative user as follows:

A payload was generated using msfpayload:

sudo msfpayload windows/adduser user=’attacker’ pass=’Att4ck3r!’ WMIC=’true’ D > SoftwareUpdate.dll The file c:\program files\HP\HP Software Update\SoftwareUpdate.dllwas then overwritten with this malicious DLL.

When an administrator logged on and deliberately ran HP Software Update or during a weekly update the malicious code ran creating the ‘Attacker’ user account and adding this account to the local Administrators group. The user could then login using the Attacker account and gain administrator privileges.


This issues was addressed by an update of the HP Update Utility version  This version is currently available on at the following link:

The current web pack (driver and software bundle) specifically for the Photosmart 5520 also contains the latest update to HPU and can be found at:



Name Organisation Date
File Commissum 27/03/2015
HP 27/03/2015


Liam Romanis Discovery of weakness 04/01/2015
Liam Romanis First Draft of Public and Vendor Advisories 27/03/2015
Boglarka Ronto Peer Review 27/03/2015
Jay George QA 27/03/2015
Chris Jacobson (HP) Provided patch information 06/05/2015
Liam Romanis Update to advisory 06/05/2015