HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution

2012-01-26T00:00:00
ID SAINT:BE2FCDBF0D139DEDD927F3E49D3F751A
Type saint
Reporter SAINT Corporation
Modified 2012-01-26T00:00:00

Description

Added: 01/26/2012
CVE: CVE-2011-4786
BID: 51396
OSVDB: 78306

Background

HP Easy Printer Care Software is a tool to control and monitor up to 20 HP printers.

Problem

HP Easy Printer Care Software 2.5 and prior versions are vulnerable to remote code execution. The **CacheDocumentXMLWithId** method from the **XMLCacheMgr** class in the HP Easy Printer **HPTicketMgr.dll** ActiveX Control (2.7.2.0) is vulnerable to directory traversal and arbitrary write. A remote attacker could leverage this vulnerability to execute code in the context of the Internet Explorer web browser.

Resolution

HP has discontinued this product and therefore has no patch or upgrade that fixes this problem. HP recommends uninstalling this software as soon as possible. If the Easy Printer Care software is not uninstalled, HP recommends setting the kill bit for the vulnerable ActiveX control Class identifier (CLSID) {466576F3-19B6-4FF1-BD48-3E0E1BFB96E9} as explained in Microsoft's knowledge base article KB240797.
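The kill-bit mitigation above can be audited and applied with a short script. This is an added example, not part of the SAINT or HP advisory; it assumes the registry location and the `Compatibility Flags` value of 0x00000400 described in KB240797, and also covers the 32-bit registry view on 64-bit Windows.

```powershell
# Added example (not from the advisory): audit and optionally set the IE kill bit
# for the XMLCacheMgr CLSID named in the Resolution section.
# Run elevated; without -Apply the script only reports.
param([switch]$Apply)

$Clsid     = '{466576F3-19B6-4FF1-BD48-3E0E1BFB96E9}'   # CLSID from the advisory
$ValueName = 'Compatibility Flags'                      # value described in KB240797
$KillBit   = 0x00000400                                 # kill bit flag per KB240797

# Native view plus the 32-bit view on 64-bit Windows, where 32-bit IE reads its settings.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$KeyPath)
    $flags = 0
    if (Test-Path -LiteralPath $KeyPath) {
        $prop = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $flags = [int]$prop.$ValueName }
    }
    [pscustomobject]@{
        Key     = $KeyPath
        Flags   = ('0x{0:X8}' -f $flags)
        KillBit = (($flags -band $KillBit) -ne 0)
        Raw     = $flags
    }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # e.g. no WOW6432Node on 32-bit Windows
    $key   = Join-Path $root $Clsid
    $state = Get-KillBitState -KeyPath $key
    if ($Apply -and -not $state.KillBit) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the flag in so any other compatibility flags already present are preserved.
        $new = $state.Raw -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord -Value $new -Force | Out-Null
        $state = Get-KillBitState -KeyPath $key
    }
    $state | Select-Object Key, Flags, KillBit
}
```

A `KillBit` value of `False` in either view means Internet Explorer can still instantiate the control from that view. The kill bit only blocks loading in the browser and leaves HPTicketMgr.dll installed, so uninstalling remains the preferred fix.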

References

<http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02949847>
<http://www.zerodayinitiative.com/advisories/ZDI-12-013/>

Limitations

This exploit has been tested on HP Easy Printer Care 2.5.5.165 on Microsoft Windows XP SP3 English (DEP OptIn).

The user must open the exploit file in Internet Explorer 7 or 8.

Platforms

Windows