HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution

Added: 01/26/2012
CVE: CVE-2011-4786
BID: 51396
OSVDB: 78306

Background

HP Easy Printer Care Software is a tool to control and monitor up to 20 HP printers.

Problem

HP Easy Printer Care Software 2.5 and prior versions are vulnerable to remote code execution. The CacheDocumentXMLWithId method of the XMLCacheMgr class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (2.7.2.0) is vulnerable to directory traversal and arbitrary file write. A remote attacker could leverage this vulnerability to execute code in the context of the Internet Explorer web browser.

Resolution

HP has discontinued this product and therefore has no patch or upgrade that fixes this problem. HP recommends uninstalling this software as soon as possible. If the Easy Printer Care software is not uninstalled, HP recommends setting the kill bit for the vulnerable ActiveX control Class identifier (CLSID) {466576F3-19B6-4FF1-BD48-3E0E1BFB96E9} as explained in Microsoft's knowledge base article KB240797.
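
One way to apply and verify the kill bit mitigation described above, as an added example that is not part of the original advisory or HP's guidance. The registry location and the 0x400 "Compatibility Flags" value are the ones documented in KB240797; the script assumes an elevated PowerShell session of the same bitness as the operating system.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the
# CLSID named in this advisory. Run from an elevated PowerShell prompt.
# Assumption: on 64-bit Windows this runs in 64-bit PowerShell, so that
# both the native and the Wow6432Node registry views are reachable.

$Clsid     = '{466576F3-19B6-4FF1-BD48-3E0E1BFB96E9}'  # from the Resolution section
$ValueName = 'Compatibility Flags'
$KillBit   = 0x400                                      # kill bit flag per KB240797

# Native view, plus the 32-bit view read by 32-bit Internet Explorer
# on 64-bit Windows (present only when Wow6432Node exists).
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($Root in $Roots) {
    $Key = Join-Path $Root $Clsid

    # Create the per-CLSID key if the control has never been flagged before.
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # Read the current flags; a missing value is treated as 0.
    $Current = (Get-ItemProperty -Path $Key -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $Current) { $Current = 0 }

    # OR in the kill bit so any flags already present are preserved.
    if (($Current -band $KillBit) -ne $KillBit) {
        $New = [int]$Current -bor $KillBit
        Set-ItemProperty -Path $Key -Name $ValueName -Value $New -Type DWord
    }

    # Re-read from the registry and report the effective state.
    $After = (Get-ItemProperty -Path $Key -Name $ValueName).$ValueName
    $IsSet = (($After -band $KillBit) -eq $KillBit)
    '{0}: {1} = 0x{2:X8}, kill bit set = {3}' -f $Key, $ValueName, $After, $IsSet
}
```

Internet Explorer reads these flags when it instantiates a control, so restart any open browser windows after running the script.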

References

http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02949847
http://www.zerodayinitiative.com/advisories/ZDI-12-013/

Limitations

This exploit has been tested on HP Easy Printer Care 2.5.5.165 on Microsoft Windows XP SP3 English (DEP OptIn).

The user must open the exploit file in Internet Explorer 7 or 8.

Platforms

Windows
