HP Multiple Products PML Driver Local Privilege Escalation By Sowhat of Nevis Labs 2007.01.08 http://www.nevisnetworks.com http://secway.org/advisory/AD20070108.txt Vendor Hewlett-Packard Products Affected HP All-In-One products HP PSC 700 series HP PSC 900 series HP PSC 1100 series HP PSC 1200 series HP PSC 1300 series HP PSC 2100 series HP PSC 2200 series HP PSC 2400 Photosmart All-in-one series HP PSC 2500 Photosmart All-in-one series HP Officejet D series HP Officejet G series HP Officejet K series HP Officejet 4100 series HP Officejet 5100 series HP Officejet 5500 series HP Officejet 6100 series HP Officejet 7100 series HP Color LaserJet 4650 Printer series and ??? most probably other products are affected Overview: There is a DACL weakness exists in the HP all-in-one products drivers, which can be exploited by malicious, local users to gain escalated privileges. Details: "PML Driver HPZ12" service is installed by lots of the HP products especially the all-in-one products and some other Printers,Scanners,and Copiers. Insecure SERVICE_CHANGE_CONFIG permissions on the "PML Driver HPZ12" service can be exploited to gain escalated privileges by changing the associated program. The "PML Driver HPZ12" is defaultly installed with the following properties: Name: PML Driver HPZ12 Filename: HPZipm12.exe Description: Used by HP Printer/Scanner/Copier printers to prevent Windows from entering hibernation mode. File Location: %System% Service Name: PML Driver HPZ12 Service Display Name: PML Driver HPZ12 Because of the Insecure DACL, a local unprivileged user can obtain SYSTEM privilege through the following way: C:\sc config "pml driver hpz12" binpath= D:\attack\attack.exe C:\sc start "pml driver hpz12" OK, your attack.exe will be lunached under SYSTEM privileges immediately, system restart is not required. Even though the PML Driver serivce is not started by default, the attacker can start and stop it by herself :) Exploting this vulnerability allows local non-privileged user to obtain SYSTEM privilege. Workaround: Use SC command to set a tight permissions for the "PML Driver HPZ12" service. Vendor Response: 2006.05.29 Vendor notified via security-alert@hp.com 2006.05.29 Vendor responded 2006.07.20 HP -> "This is a high priority issue, and is still being worked. There are testing dependencies that are wider than we expected." 2006.12.20 I saw the an auto update of HP software named "PML Driver Security Update", so I sent an email to ask about when it was released, why they did not let me know. they said "There has been a communication problem here at HP, We have not yet issue a security bulletin on this problem " 2007.01.08 They did not response to my status query emails after 20th, Dec Is this HP's Responsible Vulnerability Disclosure Policy? -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"