HP Easy Printer Care Software ActiveX Control Remote Code Execution Vulnerabilities

This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.


Synopsis :

An ActiveX control on the remote Windows host could allow arbitrary
remote code execution.

Description :

The version of the HPTicketMgr.dll ActiveX control, part of HP Easy
Printer Care Software and installed on the remote Windows host, is
affected by several vulnerabilities :

- The 'SaveXML()' method in the XMLSimpleAccessor class
ActiveX control is prone to a directory traversal
attack and can be abused to write arbitrary files to the
system and then execute them through the browser.
(CVE-2011-2404)

- The 'CacheDocumentXMLWithId()' method in the XMLCacheMgr
class ActiveX control is prone to a directory traversal
attack and can be abused to write malicious content to
the filesystem. (CVE-2011-4786)

- The 'LoadXML()' method in the XMLSimpleAccessor class
ActiveX control is affected by a heap-based buffer
overflow vulnerability. (CVE-2011-4787)

If an attacker can trick a user on the affected host into visiting a
specially crafted web page, these issues could be leveraged to execute
arbitrary code on the host subject to the user's privileges.

See also :

http://www.zerodayinitiative.com/advisories/ZDI-11-261/
http://www.zerodayinitiative.com/advisories/ZDI-12-013/
http://www.zerodayinitiative.com/advisories/ZDI-12-014/
http://seclists.org/fulldisclosure/2011/Aug/141
http://www.securityfocus.com/archive/1/519191/30/0/threaded
http://www.securityfocus.com/archive/1/521230/30/0/threaded
http://seclists.org/bugtraq/2012/Jan/85
http://seclists.org/bugtraq/2012/Jan/86

Solution :

Either uninstall the software, as it is no longer supported by HP, or
set the kill bit for the affected control.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 55832

Bugtraq ID: 49100
51396
51400

CVE ID: CVE-2011-2404
CVE-2011-4786
CVE-2011-4787
