
AD20070108.txt

Posted Jan 13, 2007
Authored by Sowhat | Site nevisnetworks.com

There is a DACL weakness that exists in the HP all-in-one products drivers, which can be exploited by malicious, local users to gain escalated privileges.

tags | advisory, local
SHA-256 | 4cdf87116b8d9ee3c3f00f60c40288c8b169a7243a24ee7362d44092701f936f

HP Multiple Products PML Driver Local Privilege Escalation


By Sowhat of Nevis Labs
2007.01.08

https://www.nevisnetworks.com
https://secway.org/advisory/AD20070108.txt

Vendor
Hewlett-Packard

Products Affected

HP All-In-One products
HP PSC 700 series
HP PSC 900 series
HP PSC 1100 series
HP PSC 1200 series
HP PSC 1300 series
HP PSC 2100 series
HP PSC 2200 series
HP PSC 2400 Photosmart All-in-one series
HP PSC 2500 Photosmart All-in-one series
HP Officejet D series
HP Officejet G series
HP Officejet K series
HP Officejet 4100 series
HP Officejet 5100 series
HP Officejet 5500 series
HP Officejet 6100 series
HP Officejet 7100 series
HP Color LaserJet 4650 Printer series

and most probably other products are affected




Overview:

A DACL weakness exists in the HP all-in-one product drivers, which
malicious local users can exploit to gain escalated privileges.


Details:

The "PML Driver HPZ12" service is installed by many HP products, especially
the all-in-one products and some other printers, scanners, and copiers.

Insecure SERVICE_CHANGE_CONFIG permissions on the "PML Driver HPZ12" service
can be exploited to gain escalated privileges by changing the associated
program.

The "PML Driver HPZ12" service is installed by default with the following properties:
Name: PML Driver HPZ12
Filename: HPZipm12.exe
Description: Used by HP Printer/Scanner/Copier printers to prevent Windows
from entering hibernation mode.
File Location: %System%
Service Name: PML Driver HPZ12
Service Display Name: PML Driver HPZ12


Because of the insecure DACL, a local unprivileged user can obtain SYSTEM
privileges as follows:

C:\>sc config "pml driver hpz12" binpath= D:\attack\attack.exe
C:\>sc start "pml driver hpz12"

OK, your attack.exe will be launched with SYSTEM privileges immediately;
a system restart is not required.

Even though the PML Driver service is not started by default, the attacker
can start and stop it herself :)


Exploiting this vulnerability allows a local non-privileged user
to obtain SYSTEM privileges.


Workaround:
Use the SC command to set tight permissions on the "PML Driver HPZ12" service.
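
To check whether a service's DACL needs tightening, the security descriptor printed by `sc sdshow` can be parsed for allow ACEs that give broad groups SERVICE_CHANGE_CONFIG or an equivalent right. This is an added example, not part of the original advisory: the function name `risky_aces` is hypothetical, and the SDDL strings used with it are constructed samples, not the actual descriptor of the HP service.

```python
import re

# SDDL right codes (as printed by `sc sdshow`) that let the holder
# repoint the service binary or rewrite the service's permissions.
DANGEROUS_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# The same rights as access-mask bits, for ACEs written in hex.
DANGEROUS_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO",
                  0x10000000: "GA", 0x40000000: "GW"}
# Trustees that include ordinary local users (SDDL alias or raw SID).
BROAD_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Built-in Users", "S-1-5-32-545": "Built-in Users",
    "IU": "Interactive", "AN": "Anonymous", "BG": "Guests",
}

def risky_aces(sddl):
    """Return [(trustee, [rights])] for DACL allow ACEs that hand
    service-control rights to a broad group. The SACL is ignored."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        # ACE layout: type;flags;rights;object;inherit_object;trustee
        if len(fields) < 6 or fields[0] != "A":
            continue
        rights, trustee = fields[2], fields[5]
        if trustee not in BROAD_TRUSTEES:
            continue
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            held = [c for bit, c in DANGEROUS_BITS.items() if mask & bit]
        else:
            # Right codes are two letters each; split on pair boundaries.
            held = [c for c in re.findall("..", rights) if c in DANGEROUS_RIGHTS]
        if held:
            findings.append((BROAD_TRUSTEES[trustee],
                             [DANGEROUS_RIGHTS[c] for c in held]))
    return findings
```

Pass it the `D:...` string from `sc sdshow "PML Driver HPZ12"`; an empty list means no broad group holds a configuration-changing right, and any finding is an ACE to replace with `sc sdset`.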



Vendor Response:

2006.05.29 Vendor notified via security-alert@hp.com
2006.05.29 Vendor responded
2006.07.20 HP -> "This is a high priority issue, and is still being worked.
           There are testing dependencies that are wider than we expected."
2006.12.20 I saw an auto update of HP software named "PML Driver Security
           Update", so I sent an email to ask when it was released and why
           they did not let me know. They said "There has been a
           communication problem here at HP, We have not yet issue a
           security bulletin on this problem "
2007.01.08 They did not respond to my status query emails after 20th, Dec

Is this HP's Responsible Vulnerability Disclosure Policy?

--
Sowhat
https://secway.org
"Life is like a bug, Do you know how to exploit it ?"