HP laptops: Another zero-day vulnerability found

Summary: Every HP laptop that ships with HP Software Update, a patch utility, is vulnerable to a zero-day vulnerability that can leave the PC unbootable. The vulnerability was published by a Polish hacker who goes by the handle of "porkythepig."

Every HP laptop that ships with HP Software Update, a patch utility, is vulnerable to a zero-day vulnerability that can leave the PC unbootable.

The vulnerability was published by a Polish hacker who goes by the handle of "porkythepig." The hacker's latest finding caps a rough few weeks for HP's software update feature, which has become a big target.

If I were to guess, these vulnerabilities are going to be commonplace. PC vendors see these automated help and support applications--automated diagnostic, patch management and support tools--as a way to improve customer service and save money. The downside to these applications, which are found on most PCs, is that they are great attack vectors for a motivated hacker. Imagine the glory of targeting HP and Dell--you'd own the PC market.

Here's what Porkythepig had to say in his advisory, which includes the code needed to launch this exploit:

There is another remotely exploitable flaw within software preinstalled on HP notebook machines. This time, the culprit is the automatic software update tool provided by the vendor. Potential exploitation may lead to user file loss or the altering of vital system files (e.g. the kernel), thus leaving the PC unbootable.

The flaw is located in the software called HP Software Update, shipped with HP notebooks to support automatic software updates and critical vulnerability patching. One of the ActiveX controls deployed by default by the vendor contains an insecure method giving a potential attacker arbitrary file write access on the remote system.

So how would an unsuspecting user fall victim to these vulnerabilities?

Two ways:

  • The first is getting a remote user to launch a Web link after the attacker has obtained the name and location of an arbitrary file. Once the link is clicked, that file is destroyed. It requires a little social engineering to get the victim to reveal the exact name and location of the file.
  • The other way would be to get a user to launch a Web link that corrupts operating system files, leaving the PC unstable.

Here's the detailed explanation of the "kernel wreckage exploit" from the advisory:

Using this flaw one can construct an armed exploit, able for example to destroy remote system kernel files and make the remote machine UNBOOTABLE. The exploit uses the vulnerable SaveToFile() to overwrite the NT system kernel files with 4 zero bytes. The targets are the memory-mapped ntoskrnl.exe and ntkrnlpa.exe kernel files, which don't have a write lock set on them and may be opened for write. Although the Windows NT system contains a protection for this kind of activity (system file overwrite), it can be fooled by overwriting simultaneously the system binary files backup directory (\System32\DllCache\), the actual system kernel files (\System32\) and the Driver Backup directory (\Windows\Driver Cache\) kernel files.

After execution it will store zero-initialized patch information using the SaveToFile() method sequentially to the ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe and ntkrpamp.exe NT kernel files, first in the System32\DllCache\ directory, second in the \System32\ directory and finally in the Windows\Driver Cache\ dir. After the very next OS shutdown, the machine will not be bootable anymore.
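The advisory's point is that the overwrite hits all three copies of the kernel at once, so Windows File Protection has nothing to restore from. As an added example (not code from the article or from porkythepig's advisory), the following integrity check walks those three locations, flags any kernel copy that no longer carries a valid MZ/PE header (a four-zero-byte file fails this immediately), and reports whether an intact copy survives to restore from. The directory tree and the "kernel" files are constructed fixtures in a temp directory, so it runs offline on any platform; on a real machine you would pass `C:\Windows` as `windows_dir`.

```python
import os
import struct
import tempfile

KERNEL_FILES = ("ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe")
# The three locations the advisory names, relative to the Windows directory.
LOCATIONS = (("System32", "DllCache"), ("System32",), ("Driver Cache",))

def is_valid_pe(path):
    """True if the file has an MZ stub and a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False  # a 4-byte zeroed file fails here
            fh.seek(struct.unpack_from("<I", head, 0x3C)[0])
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False

def audit(windows_dir):
    """For each kernel file present: which locations hold a damaged copy and
    whether at least one intact copy remains to restore from."""
    report = {}
    for name in KERNEL_FILES:
        damaged, intact = [], []
        for loc in LOCATIONS:
            path = os.path.join(windows_dir, *loc, name)
            if not os.path.exists(path):
                continue
            (intact if is_valid_pe(path) else damaged).append("\\".join(loc))
        if damaged or intact:  # skip kernel flavours absent from this machine
            report[name] = {"damaged": damaged, "recoverable": bool(intact)}
    return report

def build_sample_tree():
    """Constructed fixture (not real kernels): ntoskrnl.exe zeroed in all three
    places as in the advisory, ntkrnlpa.exe zeroed only in System32, ntkrnlmp.exe intact."""
    root = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
    zeroed = b"\0\0\0\0"  # the four-byte payload the advisory describes
    for loc in LOCATIONS:
        os.makedirs(os.path.join(root, *loc), exist_ok=True)
        for name in ("ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe"):
            data = fake_pe
            if name == "ntoskrnl.exe" or (name == "ntkrnlpa.exe" and loc == ("System32",)):
                data = zeroed
            with open(os.path.join(root, *loc, name), "wb") as fh:
                fh.write(data)
    return root
```

Run `audit(build_sample_tree())` to see the fixture's verdict: ntoskrnl.exe is damaged everywhere and unrecoverable, while ntkrnlpa.exe can still be restored from its DllCache copy.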

While HP takes the hit, there are enough vulnerabilities to go around. HP's software update is vulnerable, but so are ActiveX controls, IE 6 and IE 7, Windows XP (most flavors) and Vista.

HP has confirmed the flaws and the model list is likely to be the same for this vulnerability.

Topics: Laptops, Hardware, Hewlett-Packard, Security, Software

Talkback

5 comments
  • While HP takes a hit, give yourself some peace of mind...

    Windows XP users, take a walk on the wild side.
    Download a VMware Virtual Machine appliance edition of [url=http://www.vmware.com/appliances/directory/1083]openSUSE 10.3 (KDE)[/url]. It's free and here are the benefits:

    o Resettable snapshot which reverts any changes made during a VM session
    o AppArmor (application protected memory sandbox)
    o Firefox 2 (no Windows ActiveX security worries)
    o No Viruses, Bots

    Keep an open mind and give it a try.
    VMware runs as an 'application' on your Windows XP Desktop.
    If you don't like it, you can uninstall with no issues.

    You won't regret it!
    MS hasn't cozied up to Novell SUSE for nuttin. ;)

    Safe Surfing
    If anybody needs Firefox profiles for AppArmor, I put two files in my cellphone's Mobile Web Server public directory

    usr.lib.firefox.firefox
    D T Schmitz
  • While HP takes a hit, give yourself some peace of mind...

    Windows XP users, take a walk on the wild side.
    Download a VMware Virtual Machine appliance edition of [url=http://www.vmware.com/appliances/directory/1083]openSUSE 10.3 (KDE)[/url]. It's free and here are the benefits:

    o Resettable snapshot which reverts any changes made during a VM session
    o AppArmor (application protected memory sandbox)
    o Firefox 2 (no Windows ActiveX security worries)
    o No Viruses, Bots

    Keep an open mind and give it a try.
    VMware runs as an 'application' on your Windows XP Desktop.
    If you don't like it, you can uninstall with no issues.

    You won't regret it!
    MS hasn't cozied up to Novell SUSE for nuttin. ;)

    Safe Surfing
    If anybody needs openSUSE Firefox profiles for AppArmor, I put two files in my cellphone's Mobile Web Server public directory

    usr.lib.firefox.firefox
    usr.lib.firefox.firefox-bin

    [url=http://dietrich.mymobilesite.net/pub]here[/url]
    D T Schmitz
  • Pretty sure this is Apple's fault. NT

    NT
    sos10
  • My HP Laptop

    had me download a patch for the update software last night

    hopefully that'll do it

    A
    andycher
  • You are on drugs!

    Also blame Digital, Compaq and Tandem!
    You need to lay off on those drugs and take a break on holidays. Your brains will appreciate it.
    phatkat