SAINT CorporationSAINT:D1FA252970296E6B5FF251C9671742A1HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.938 High
EPSS
Percentile
99.1%
Added: 01/26/2012
CVE: CVE-2011-4786
BID: 51396
OSVDB: 78306
Background
HP Easy Printer Care Software is a tool to control and monitor up to 20 HP printers.
Problem
HP Easy Printer Care Software 2.5 and prior versions are vulnerable to remote code execution. The **CacheDocumentXMLWithId** method from the **XMLCacheMgr** class in the HP Easy Printer **HPTicketMgr.dll** ActiveX Control (2.7.2.0) is vulnerable to directory traversal and arbitrary write. A remote attacker could leverage this vulnerability to execute code in the context of the Internet Explorer web browser.
Resolution
HP has discontinued this product and therefore has no patch or upgrade that fixes this problem. HP recommends uninstalling this software as soon as possible. If the Easy Printer Care software is not uninstalled, HP recommends setting the kill bit for the vulnerable ActiveX control Class identifier (CLSID) {466576F3-19B6-4FF1-BD48-3E0E1BFB96E9} as explained in Microsoft’s knowledge base article KB240797.
References
<http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02949847>
<http://www.zerodayinitiative.com/advisories/ZDI-12-013/>
Limitations
This exploit has been tested on HP Easy Printer Care 2.5.5.165 on Microsoft Windows XP SP3 English (DEP OptIn).
The user must open the exploit file in Internet Explorer 7 or 8.
Platforms
Windows
Related
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.938 High
EPSS
Percentile
99.1%