CVE-2011-2404
published 2011-08-11

Priority: P267 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 73.25% (99.4th percentile)
A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-4786 and CVE-2011-4787.

Affected (1 range)

Vendor  Product                     Version range  Fixed in
hp      easy_printer_care_software  <= 2.5         (none listed)

Detection & IOCs (extracted from sources)

filename: HPTicketMgr.dll
path: ../../../../../WINDOWS/system32/wbem/mof/<random>.mof
path: ../../../../../WINDOWS/system32/<random>.vbs
other: HPESPRIT.XMLSimpleAccessor.1
other: HPESPRIT.XMLDataUnion.1
version: HPTicketMgr.dll 2.7.2.0
  • Detect ActiveX instantiation of 'HPESPRIT.XMLSimpleAccessor.1' or 'HPESPRIT.XMLDataUnion.1' ProgIDs in browser script, which are the attack entry points for this exploit.
  • Monitor calls to the 'SaveXML' method on the XMLSimpleAccessor ActiveX object with path arguments containing directory traversal sequences ('..') targeting WINDOWS\system32 or WINDOWS\system32\wbem\mof.
  • Alert on unexpected .mof file creation under C:\WINDOWS\system32\wbem\mof\ originating from a browser process (e.g., iexplore.exe), as the exploit drops a MOF file there to trigger WMI execution.
  • Alert on unexpected .vbs file creation under C:\WINDOWS\system32\ originating from a browser process, as the exploit stages a VBS payload there prior to MOF-triggered execution.
  • Filter inbound HTTP User-Agent for MSIE strings when serving pages that reference HPTicketMgr.dll ActiveX objects; the exploit explicitly checks for MSIE and returns 404 otherwise.
  • The exploit uses 'migrate -f' as InitialAutoRunScript; monitor for unexpected process migration activity (e.g., Meterpreter injecting into a new process) shortly after iexplore.exe spawns suspicious child processes.
  • The exploit only works on Windows versions prior to Vista; detections targeting MOF-based WMI execution are not applicable on Vista and later.
  • The traversal path depth ('../../../../../') is calculated relative to the default HP installation path; if HP Easy Printer Care is installed in a non-default location, the traversal depth and resulting drop paths will differ.
  • The dropped .mof and .vbs filenames are randomly generated at runtime (rand_text_alpha), so static filename-based detections will not be reliable; path and parent-process context should be used instead.