HP Software Update HPeDiag ActiveX Control GetXmlFromIni buffer overflow

2008-05-22T00:00:00
ID SAINT:B97BDC54B521FF00148A398861723A63
Type saint
Reporter SAINT Corporation
Modified 2008-05-22T00:00:00

Description

Added: 05/22/2008
CVE: CVE-2008-0712
BID: 28929
OSVDB: 44662

Background

HP Software Update is shipped with various kinds of HP computers to keep HP software up to date.

Problem

A buffer overflow in the **GetXmlFromIni** method of the HPeDiag ActiveX control allows command execution when a user loads a web page which reads a specially crafted **ini** file.

Resolution

Upgrade to version 4.000.010.008 or higher as described in HPSBGN02333 SSRT080031.

References

<http://secunia.com/advisories/29966/>

Limitations

Exploit works on HP Software Update 3.0.2.991 (HPeDiag.dll 1.0.11.0) and requires the user to load the exploit page in Internet Explorer.

Before the exploit can succeed, you must place the exploit.ini file on an SMB share which is accessible from the target computer. To do this, download the /exploit.ini file from the exploit server and place it on the share.

Due to large memory allocation by the exploit script on the target, at least 768MB virtual memory needs to be available on the target.

Platforms

Windows