In association with heise online

12 December 2007, 14:02

Backdoor in HP Compaq laptops


A critical flaw in the HP Info Center software preinstalled on many HP laptops presents a security problem for users. An attacker can infect a vulnerable laptop with malware when its user visits a malicious website using Internet Explorer 6 or 7. The Info Center is one of the HP Quick Launch Buttons preinstalled by the manufacturer. There was a similar case at the beginning of the year when Acer laptops were delivered with a dangerous ActiveX backdoor.

The cause of the problem lies with three potentially insecure methods in one of the ActiveX controls (HPInfoDLL.dll, CLSID 62DDEB79-15B2-41E3-8834-D3B80493887A) installed by the Info Center. These provide access to the file system and registry and support the automatic downloading and installation of additional software. The control has been declared 'Safe for Scripting', which allows any website full scripting access and control via JavaScript.

The vulnerability report published by the exploit portal Milw0rm states that the problem affects the HP Info Center v1.0.1.1 in Windows 2000, XP, Server 2003 and Vista. The report also includes demo code to illustrate the problem. According to the person who discovered the vulnerability, who goes by the name of 'porkythepig', the problem affects the following HP models:

HP 510 Notebook PC
HP 530 Notebook PC
HP Compaq 8710w
HP Compaq 8710p
HP Compaq 8510w
HP Compaq 8510p
HP Compaq 6910b
HP Compaq 6715b
HP Compaq 6510b
HP Compaq 2710p
HP Compaq 2510p
HP Compaq NC series Business Notebook PC
HP Compaq NC6230
HP Compaq NC6220
HP Compaq NC8230
HP Compaq NX series Business Notebook PC
HP Compaq NX7300
HP Compaq NX6120
HP Compaq NX8220
HP Compaq NX6325
HP Compaq NW series Mobile Workstation
HP Compaq NW9440
HP Compaq NW8440

The heise Security editorial team were able to confirm the vulnerability using a modified exploit under Windows XP SP2 on an HP Compaq NX 6125. The exploit did not work on the HP Compaq models 6715 and 6720 with Windows Vista, however, even though the vulnerable control was installed. To find out whether it is installed on your laptop, check the Properties information for C:/Programme/Hewlett-Packard/HP Info Center/HPInfoDLL.dll.

The report does not say if porkythepig has informed the manufacturer of the problem. The report advises users to wait for a security update that will fix the problem, and until then, to use a browser that does not support ActiveX, such as Firefox or Opera. Alternatively, you can deactivate ActiveX in Internet Explorer, either for individual zones or completely. Finally, you can set the kill bit so that the control cannot be called by Internet Explorer. You will find instructions here: How to stop an ActiveX control from running in Internet Explorer. At a pinch, you could also rename or delete the file.
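The kill-bit mitigation described above, as an added PowerShell example that is not part of the original article, the Milw0rm report or any HP tool. It uses the CLSID from the article and the standard Internet Explorer kill bit location (the `Compatibility Flags` value `0x400` under `ActiveX Compatibility`); the `-Apply` switch is this example's own.

```powershell
# Added example: audit, and optionally kill-bit, the control named in the article.
# Run from an elevated prompt; without -Apply nothing is written.
param([switch]$Apply)

$clsid   = '{62DDEB79-15B2-41E3-8834-D3B80493887A}'  # CLSID from the article
$killBit = 0x400                                      # kill bit in 'Compatibility Flags'
$catSafeScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting

# Both registry views: 32-bit Internet Explorer on 64-bit Windows reads Wow6432Node.
$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

foreach ($view in $views) {
    # 1. Is the control registered, where is the DLL, is it marked Safe for Scripting?
    $reg = "$view\Classes\CLSID\$clsid"
    if (Test-Path -LiteralPath $reg) {
        $srv = Get-ItemProperty -LiteralPath "$reg\InprocServer32" -ErrorAction SilentlyContinue
        # The category key is one way to declare this; a control can also do it
        # in code via IObjectSafety, so $false here does not clear the control.
        $safe = Test-Path -LiteralPath "$reg\Implemented Categories\$catSafeScripting"
        "{0}: registered, DLL = {1}, Safe for Scripting category = {2}" -f $view, $srv.'(default)', $safe
    } else {
        "{0}: control not registered" -f $view
    }

    # 2. Read the current kill bit state.
    $compat = "$view\Microsoft\Internet Explorer\ActiveX Compatibility"
    if (-not (Test-Path -LiteralPath $compat)) { continue }
    $key   = "$compat\$clsid"
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($p.'Compatibility Flags') { $flags = [int]$p.'Compatibility Flags' }
    }
    $isSet = ($flags -band $killBit) -ne 0
    "{0}: Compatibility Flags = 0x{1:X8}, kill bit set = {2}" -f $view, $flags, $isSet

    # 3. Set it, keeping any flags that are already present.
    if ($Apply -and -not $isSet) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -Value ($flags -bor $killBit) -Type DWord
        "{0}: kill bit written" -f $view
    }
}
```

The kill bit only stops Internet Explorer from instantiating the control; the DLL stays on disk, so the vendor update is still needed once it is available.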
