HP Easy Printer Care Software ActiveX Control Remote Code Execution Vulnerabilities

High Nessus Plugin ID 55832


An ActiveX control on the remote Windows host could allow arbitrary remote code execution.


The version of the HPTicketMgr.dll ActiveX control, part of HP Easy Printer Care Software and installed on the remote Windows host, is affected by several vulnerabilities:

- The 'SaveXML()' method in the XMLSimpleAccessor class ActiveX control is prone to a directory traversal attack and can be abused to write arbitrary files to the system and then execute them through the browser.

- The 'CacheDocumentXMLWithId()' method in the XMLCacheMgr class ActiveX control is prone to a directory traversal attack and can be abused to write malicious content to the filesystem. (CVE-2011-4786)

- The 'LoadXML()' method in the XMLSimpleAccessor class ActiveX control is affected by a heap-based buffer overflow vulnerability. (CVE-2011-4787)

If an attacker can trick a user on the affected host into visiting a specially crafted web page, these issues could be leveraged to execute arbitrary code on the host, subject to the user's privileges.


Either uninstall the software, as it is no longer supported by HP, or set the kill bit for the affected control.

Plugin Details

Severity: High

ID: 55832

File Name: hpticketmgr_activex.nasl

Version: $Revision: 1.19 $

Type: local

Agent: windows

Family: Windows

Published: 2011/08/12

Modified: 2016/11/19

Dependencies: 13855

Risk Information

Risk Factor: High


Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:hp:easy_printer_care_software

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2011/08/08

Exploitable With

CANVAS (D2ExploitPack)

Core Impact

Metasploit (HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution)

Reference Information

CVE: CVE-2011-2404, CVE-2011-4786, CVE-2011-4787

BID: 49100, 51396, 51400

OSVDB: 74510, 78305, 78306

EDB-ID: 17697, 18381