Commissum

HP Software Update Privilege Escalation Vulnerability




Introduction

This document is a technical advisory for a privilege escalation weakness found in HP Software Update as supplied with HP Photosmart 5520 e-ALL-IN-ONE series software. This document is being released in order to alert HP to the risk detailed below and to request remediation. Please note that this document may be subject to modification as new information becomes available.

Summary

Commissum Senior Consultant Liam Romanis identified a privilege escalation vulnerability in HP Software Update:

Poor file permissions on the “HP Software Update” directory and its contents permit non-administrative users to modify files to effect a privilege escalation attack.

Technical Detail

HP Photosmart 5520 e-ALL-IN-ONE series software was installed on a Windows 7 Professional test system. The installed software had the following versions:

Hpwucli: 5.0.14.1

Hpwuschd2: 80.1.1.0

SoftwareUpdate.dll: 5.1.2.0

These files and the parent directory were found to be configured to allow users write permissions. For example:

c:\Program Files\HP\HP Software Update\hpwucli.exe BUILTIN\Users:(ID)(special access:)
    DELETE
    READ_CONTROL
    SYNCHRONIZE
    FILE_GENERIC_WRITE
    FILE_WRITE_DATA
    FILE_APPEND_DATA
    FILE_WRITE_EA
    FILE_WRITE_ATTRIBUTES
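The permission check above can be repeated across the whole directory with the following script. It is an added example, not part of the original advisory or of any HP tooling; it assumes PowerShell 3.0 or later, and the function name Get-WeakAce and the table of low-privileged SIDs are choices made for this example.

```powershell
# Added example, not from the advisory: list ACEs that let broad, non-administrative
# groups modify the update directory or the files inside it.
param([string]$Path = 'C:\Program Files\HP\HP Software Update')  # path from the advisory

# Rights that allow a file to be replaced or altered, plus the GENERIC_WRITE and
# GENERIC_ALL bits, which can appear unmapped in some ACEs.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# Well-known SIDs treated as low-privileged (an assumption of this example; extend
# for local policy). SIDs are matched so the check does not depend on the OS language.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-WeakAce {
    param([string]$Root)
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, which are inspected on their own.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            $sid = $ace.IdentityReference.Value
            if (-not $lowPrivSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $Path) {
    Get-WeakAce -Root $Path | Format-Table -AutoSize -Wrap
} else {
    Write-Output "Path not found: $Path"
}
```

A row with Inherited set to True corresponds to the (ID) flag in the listing above and means the entry has to be corrected on the parent directory rather than on the individual file.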

It was discovered that “hpwuschd2.exe” ran automatically on user logon, and that HP Software Update would run automatically every week by default. If an administrative user logged on, these processes would run with that user's permissions.

It was therefore possible to overwrite these files with malicious versions designed to make use of the privileges of an administrative user as follows:

A payload was generated using msfpayload:

sudo msfpayload windows/adduser user='attacker' pass='Att4ck3r!' WMIC='true' D > SoftwareUpdate.dll

The file c:\program files\HP\HP Software Update\SoftwareUpdate.dll was then overwritten with this malicious DLL.

When an administrator logged on and deliberately ran HP Software Update, or during a weekly update, the malicious code ran, creating the ‘Attacker’ user account and adding this account to the local Administrators group. The user could then log in using the Attacker account and gain administrator privileges.

Remediation

This issue was addressed by an update of the HP Update Utility version 5.005.002.002. This version is currently available on HP.com at the following link:

http://support.hp.com/us-en/product/HP-Update-Software/3892976/model/3892989/drivers?cc=us&lang=en

The current web pack (driver and software bundle) specifically for the Photosmart 5520 also contains the latest update to HPU and can be found at:

http://support.hp.com/us-en/drivers/selfservice/HP-Photosmart-5520-e-All-in-One-Printer-series/5157533/model/5157535

History

Distribution

Name Organisation Date
File Commissum 27/03/2015
HP 27/03/2015

History

Name
Liam Romanis          Discovery of weakness                          04/01/2015
Liam Romanis          First Draft of Public and Vendor Advisories    27/03/2015
Boglarka Ronto        Peer Review                                    27/03/2015
Jay George            QA                                             27/03/2015
Chris Jacobson (HP)   Provided patch information                     06/05/2015
Liam Romanis          Update to advisory                             06/05/2015