The vulnerability was published by a Polish hacker who goes by the handle "porkythepig." The hacker's latest finding caps a rough few weeks for HP's software update feature, which has become a big target.
If I were to guess, these vulnerabilities are going to be commonplace. PC vendors see these automated help and support applications--automated diagnostic, patch management and support tools--as a way to improve customer service and save money. The downside to these applications, which are found on most PCs, is that they are great attack vectors for a motivated hacker. Imagine the glory of targeting HP and Dell--you'd own the PC market.
Here's what porkythepig had to say in his advisory, which includes the code needed to launch this exploit:
There is another remotely exploitable flaw in software preinstalled on HP notebook machines. This time the culprit is the automatic software update tool provided by the vendor. Potential exploitation may lead to loss of user files or alteration of vital system files (e.g. the kernel), thus leaving the PC unbootable.
The flaw is located in the software called HP Software Update, shipped with HP notebooks to support automatic software updates and critical vulnerability patching. One of the ActiveX controls deployed by default by the vendor contains an insecure method giving a potential attacker arbitrary file write access on the remote system.
So how would an unsuspecting user fall victim to these vulnerabilities?
- The first is getting the user to click a Web link that names a specific file to destroy. The attacker has to know the exact name and location of the target file, so this route takes a little social engineering to coax that information out of the victim; once the link is clicked, the file is overwritten.
- The other is getting the user to click a Web link that corrupts operating system files and leaves the PC unbootable after its next shutdown.
Here's the detailed explanation of the "kernel wreckage exploit" from the advisory:
Using this flaw one can construct an armed exploit able, for example, to destroy remote system kernel files and make the remote machine UNBOOTABLE. The exploit uses the vulnerable SaveToFile() to overwrite the NT system kernel files with 4 zero bytes. The targets are the memory-mapped ntoskrnl.exe and ntkrnlpa.exe kernel files, which don't have a write lock set on them and may be opened for write. Although the Windows NT system contains a protection against this kind of activity (system file overwrite), it can be fooled by simultaneously overwriting the system binary backup directory (\System32\DllCache\), the actual system kernel files (\System32\) and the kernel files in the Driver Backup directory (\Windows\Driver Cache\).
After execution it will store zero-initialized patch information using the SaveToFile() method sequentially to the ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe and ntkrpamp.exe NT kernel files, first in the System32\DllCache\ directory, second in the \System32\ directory and finally in the Windows\Driver Cache\ directory. After the very next OS shutdown, the machine will not be bootable anymore.
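The three-directory overwrite is what makes the payload stick: Windows File Protection would otherwise restore a damaged kernel from DllCache. Because the advisory says the damage only bites at the next shutdown, there is a window in which an administrator can check the kernel copies before rebooting. The script below is an added example, not code from the advisory or from HP. It walks the three locations the advisory names, flags any kernel image that is too small or lacks an MZ header (the four-zero-byte payload fails both tests), and additionally reports a System32 copy whose hash differs from its DllCache backup, which would indicate a partial overwrite. Assumptions: the 64 KiB minimum size, the i386 subfolder under Driver Cache (searched recursively), and the System32/DllCache hash comparison as a heuristic are mine; the sample directory tree built by build_sample_tree() is constructed for the demonstration, not captured from a real machine.

```python
"""Audit the NT kernel image copies that the advisory's payload overwrites."""
import hashlib
import tempfile
from pathlib import Path

# Kernel image names listed in the advisory.
KERNEL_FILES = ("ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe")

# Locations the advisory says the payload writes, relative to the Windows directory
# (e.g. C:\Windows). Searching below Driver Cache recursively is an assumption:
# real installs keep that cache in an i386 subfolder.
SYSTEM32 = Path("System32")
DLLCACHE = SYSTEM32 / "DllCache"
DRIVER_CACHE = Path("Driver Cache")

MIN_KERNEL_SIZE = 64 * 1024  # assumption: any genuine NT kernel image is far larger
PAYLOAD = b"\x00\x00\x00\x00"  # what the advisory says SaveToFile() leaves behind


def _candidate_paths(windows_dir):
    """Yield every path where one of the kernel images could live."""
    windows_dir = Path(windows_dir)
    for name in KERNEL_FILES:
        yield windows_dir / SYSTEM32 / name
        yield windows_dir / DLLCACHE / name
        if (windows_dir / DRIVER_CACHE).is_dir():
            yield from (windows_dir / DRIVER_CACHE).rglob(name)


def check_kernel_image(path):
    """Return a reason string if the file looks tampered with, else None."""
    size = path.stat().st_size
    if size < MIN_KERNEL_SIZE:
        return f"truncated image ({size} bytes)"
    with path.open("rb") as fh:
        head = fh.read(2)
    if head != b"MZ":
        return "missing MZ header"
    return None


def audit_kernel_files(windows_dir):
    """Check every kernel copy that exists; return a list of (path, reason).

    Missing files are not findings: an installed system does not carry all four
    names, only the variant Setup chose for that machine.
    """
    windows_dir = Path(windows_dir)
    findings = []
    digests = {}  # image name -> {path: sha256 of intact copies}
    for path in _candidate_paths(windows_dir):
        if not path.is_file():
            continue
        reason = check_kernel_image(path)
        if reason:
            findings.append((path, reason))
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        digests.setdefault(path.name, {})[path] = digest
    # Heuristic (assumption): WFP keeps the live kernel and its DllCache backup in
    # sync, so a lone difference suggests one copy was overwritten and not the other.
    for name, by_path in digests.items():
        live = by_path.get(windows_dir / SYSTEM32 / name)
        backup = by_path.get(windows_dir / DLLCACHE / name)
        if live and backup and live != backup:
            findings.append((windows_dir / SYSTEM32 / name, "differs from DllCache copy"))
    return findings


def build_sample_tree():
    """Constructed sample: a fake Windows directory in the post-exploit state the
    advisory describes for ntkrnlpa.exe, with ntoskrnl.exe left intact."""
    root = Path(tempfile.mkdtemp(prefix="hp-kernel-audit-"))
    good_image = b"MZ" + b"\x90" * (MIN_KERNEL_SIZE * 2)  # stand-in, not a real kernel
    for d in (SYSTEM32, DLLCACHE, DRIVER_CACHE / "i386"):
        (root / d).mkdir(parents=True)
        (root / d / "ntoskrnl.exe").write_bytes(good_image)
        (root / d / "ntkrnlpa.exe").write_bytes(PAYLOAD)  # the four zero bytes
    return root


if __name__ == "__main__":
    import sys
    # Pass the real Windows directory (e.g. C:\Windows) to audit a live machine;
    # with no argument the constructed sample tree is audited instead.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for path, reason in audit_kernel_files(target):
        print(f"TAMPERED {path}: {reason}")
```

Run against the sample tree it reports the three zeroed ntkrnlpa.exe copies and stays quiet about ntoskrnl.exe. On a real machine the script only reads the files, so it is safe to run from an administrative prompt before the shutdown that would turn the overwrite into an unbootable system; restoring the images is a separate step (Recovery Console or reinstall media) that the script does not attempt.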
While HP takes the hit, there is enough blame to go around. HP Software Update is the vulnerable component, but the exposure extends to the ActiveX controls it installs and to the browsers and platforms that load them: IE 6 and IE 7 on Windows XP (most flavors) and Vista.
HP has confirmed the flaws, and the affected model list is likely to be the same as for the earlier HP Software Update vulnerabilities.