CVE-2011-2404
Published 2011-08-11
Priority: P2 · 67 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 73.25% (99.4th percentile)
A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-4786 and CVE-2011-4787.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | easy_printer_care_software | <= 2.5 | — |
Detection & IOCs (extracted from sources)
Detections:
- Detect ActiveX instantiation of the 'HPESPRIT.XMLSimpleAccessor.1' or 'HPESPRIT.XMLDataUnion.1' ProgIDs in browser script; these are the attack entry points for this exploit.
- Monitor calls to the 'SaveXML' method on the XMLSimpleAccessor ActiveX object whose path arguments contain directory traversal sequences ('..') targeting WINDOWS\system32 or WINDOWS\system32\wbem\mof.
- Alert on unexpected .mof file creation under C:\WINDOWS\system32\wbem\mof\ originating from a browser process (e.g., iexplore.exe); the exploit drops a MOF file there to trigger WMI execution.
- Alert on unexpected .vbs file creation under C:\WINDOWS\system32\ originating from a browser process; the exploit stages a VBS payload there before the MOF-triggered execution.
- Filter inbound HTTP requests with MSIE User-Agent strings when serving pages that reference HPTicketMgr.dll ActiveX objects; the exploit explicitly checks for MSIE and returns 404 otherwise.
- The exploit uses 'migrate -f' as its InitialAutoRunScript; monitor for unexpected process migration activity (e.g., Meterpreter injecting into a new process) shortly after iexplore.exe spawns suspicious child processes.
Caveats:
- The exploit only works on Windows versions prior to Vista; detections targeting MOF-based WMI execution are not applicable on Vista and later.
- The traversal path depth ('../../../../../') is calculated relative to the default HP installation path; if HP Easy Printer Care is installed in a non-default location, the traversal depth and resulting drop paths will differ.
- The dropped .mof and .vbs filenames are randomly generated at runtime (rand_text_alpha), so static filename-based detections will not be reliable; path and parent-process context should be used instead.
GHSA cross-references
| Advisory | CVE | Severity | CWE | Status | Published | CVSS |
|---|---|---|---|---|---|---|
| GHSA-49qx-xc4f-34vq | CVE-2011-2404 | CRITICAL | CWE-94 | ghsa_unreviewed | 2022-05-17 | 9.3 |
| GHSA-qxvx-pjm6-2g2q | CVE-2011-4787 | HIGH | CWE-94 | ghsa_unreviewed | 2022-05-13 | 7.5 |
| GHSA-6xww-7r57-hfp7 | CVE-2011-4786 | HIGH | CWE-94 | ghsa_unreviewed | 2022-05-13 | 7.5 |
All three advisories carry the same description as the CVE text above (an ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allowing remote attackers to download and execute an arbitrary program via unspecified vectors); each one states that it is a different vulnerability from the other two.
No detection rules found.
Exploit-DB
HP Easy Printer Care - XMLSimpleAccessor Class ActiveX Control Remote Code Execution (Metasploit)
exploitdb · 2011-08-20 · CVE-2011-2404
---
##
# $Id: hp_easy_printer_care_xmlsimpleaccessor.rb 13593 2011-08-20 00:11:22Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
[The module's class definition and its 'Name' / 'Description' entries are truncated in the source; the module name and full description are given under the Metasploit entry that follows.]
Metasploit
HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution
This module allows remote attackers to place arbitrary files on a user's file system by abusing, via a directory traversal attack, the "saveXML" method from the "XMLSimpleAccessor" class in the HP Easy Printer HPTicketMgr.dll ActiveX control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedded in a VBS file, and then uploading another MOF file, which enables the Windows Management Instrumentation service to execute the VBS. Please note that this module currently only works for Windows before Vista.
No writeups or analysis indexed.
Published: 2011-08-11