TITLE:
HP Instant Support HPISDataManager.dll ActiveX Control Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA30516

VERIFY ADVISORY:
http://secunia.com/advisories/30516/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

REVISION:
1.1 originally posted 2008-06-04

SOFTWARE:
HP Instant Support 1.x
http://secunia.com/product/18970/

DESCRIPTION:
Some vulnerabilities have been reported in HP Instant Support, which potentially can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

1) Some vulnerabilities are caused due to boundary errors within the "ExtractCab()", "GetFileTime()", "MoveFile()", and "RegistryString()" methods of HPISDataManager.dll. These can be exploited to cause a buffer overflow via an overly long string passed to the affected methods when a user e.g. visits a malicious web page.

2) The HPISDataManager.dll ActiveX contains the insecure methods "AppendStringToFile()", "DownloadFile()", "StartApp()", and "DeleteSingleFile()", which can be exploited to e.g. overwrite, delete, and execute arbitrary files on a user's system and download files into the location of the ActiveX component by tricking a user into visiting a malicious web page.

The vulnerabilities are reported in HP Instant Support HPISDataManager.dll version 1.0.0.22 and earlier.

SOLUTION:
Update to version 1.0.0.24.
http://www.hp.com/go/ispe (choose "launch an online diagnostic session")

PROVIDED AND/OR DISCOVERED BY:
Dennis Rand, CSIS Security Research and Intelligence

CHANGELOG:
2008-06-04: Updated advisory with additional information provided by CSIS Security Research and Intelligence. Added link to "Original Advisory" section.

ORIGINAL ADVISORY:
HP:
http://www12.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01422264

CSIS Security Research and Intelligence:
http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf

OTHER REFERENCES:
US-CERT VU#754403:
http://www.kb.cert.org/vuls/id/754403

US-CERT VU#558163:
http://www.kb.cert.org/vuls/id/558163

US-CERT VU#221123:
http://www.kb.cert.org/vuls/id/221123

US-CERT VU#526131:
http://www.kb.cert.org/vuls/id/526131

US-CERT VU#949587:
http://www.kb.cert.org/vuls/id/949587

US-CERT VU#857539:
http://www.kb.cert.org/vuls/id/857539

US-CERT VU#190939:
http://www.kb.cert.org/vuls/id/190939

US-CERT VU#998779:
http://www.kb.cert.org/vuls/id/998779
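
ADDED EXAMPLE (not part of the Secunia advisory or of HP's tooling):
A triage of a software inventory against the version bounds stated above (1.0.0.22 and earlier affected, 1.0.0.24 fixed). The inventory rows, host names, file paths and the CSV layout are constructed assumptions; 1.0.0.23 is reported separately because the advisory names it in neither bound.

```python
import csv
import io
import re

DLL_NAME = "hpisdatamanager.dll"
LAST_AFFECTED = (1, 0, 0, 22)  # advisory: "version 1.0.0.22 and earlier"
FIRST_FIXED = (1, 0, 0, 24)    # advisory: "Update to version 1.0.0.24"

# Constructed sample inventory (host, file path, file version); not real data.
SAMPLE_INVENTORY = r"""host,path,version
ws-001,C:\Windows\Downloaded Program Files\HPISDataManager.dll,1.0.0.22
ws-002,C:\Windows\Downloaded Program Files\hpisdatamanager.dll,"1, 0, 0, 24"
ws-003,C:\Windows\Downloaded Program Files\HPISDataManager.dll,1.0.0.23
ws-004,C:\Windows\Downloaded Program Files\HPISDataManager.dll,1.0.0.9
ws-005,C:\Windows\Downloaded Program Files\HPISDataManager.dll,unknown
ws-006,C:\Program Files\Other\other.dll,1.0.0.1
"""

def parse_version(text):
    """Accept '1.0.0.22' and resource-style '1, 0, 0, 22'; None if malformed."""
    parts = re.split(r"\s*[.,]\s*", text.strip())
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        return None
    return tuple(int(p) for p in parts)  # numeric compare, so 9 < 22

def classify(version):
    if version is None:
        return "unparsed"   # needs a manual look, never assume safe
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    return "unlisted"       # between the two bounds the advisory gives

def triage(inventory_csv):
    """Map host -> status for every row that refers to the affected DLL."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        filename = re.split(r"[\\/]", row["path"])[-1].lower()
        if filename == DLL_NAME:
            results[row["host"]] = classify(parse_version(row["version"]))
    return results

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status)
```

Hosts reported as "unparsed" or "unlisted" should be checked by hand rather than counted as patched.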