CVE-2011-4786
Published 2012-01-12
Priority: P2 · 66 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 41.13% (98.5th percentile)
A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4787.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | easy_printer_care_software | <= 2.5 | — |
Detection & IOCs (extracted from sources)
snort
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2;)
- Detect exploit delivery by inspecting HTTP responses for the simultaneous presence of the strings 'ActiveXObject', 'HPESPRIT.XMLCacheMgr.1' and 'CacheDocumentXMLWithId' (ET SID 2014132).
- Filter traffic to client endpoints: the exploit is delivered server-to-client over HTTP (flow:established,to_client) and only triggers against Internet Explorer (the User-Agent must match /MSIE/).
- Monitor for unexpected .vbs file creation under C:\Windows\System32\ and .mof file drops under C:\Windows\System32\wbem\mof\ and C:\Windows\System32\wbem\mof\good\: these are the WMI-based execution staging paths used by the exploit.
- The exploit uses Windows Management Instrumentation (WMI) MOF file auto-compilation to execute a dropped VBS payload; alert on WMI MOF compilation events (mofcomp.exe or wmiprvse.exe spawning wscript.exe/cscript.exe) on pre-Vista Windows systems.
- The exploit uses a 4-second setTimeout delay between the VBS drop and the MOF drop; behavioral sandboxes should extend dwell time beyond 4 seconds to capture the second-stage MOF write.
- The exploit only works on Windows versions prior to Vista; Vista and later are not affected by the WMI MOF execution technique used.
- The Snort/ET rule (SID 2014132) requires the exploit page to contain all three strings in sequence; obfuscation or splitting across multiple requests would evade it.
- The VBS and MOF filenames are randomly generated per session (rand_text_alpha), so static filename-based IOCs will not reliably detect all instances.
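The two detection points above (the ordered three-string content chain of ET SID 2014132, and the .vbs/.mof staging-path writes with the short delay between them) can be checked offline. The Python below is an added example written for this page; it is not code from Emerging Threats, Metasploit or any source indexed here. It emulates the rule's `nocase` plus `distance:0` semantics over constructed HTTP response bodies, then tags constructed Sysmon-style FileCreate records against the staging directories listed above and correlates a .vbs drop followed by a .mof drop within a window. All sample bodies, log lines, process names and random-looking filenames are constructed; the record format `timestamp|process|path` is an assumption.

```python
from datetime import datetime
from typing import List, Optional, Tuple

# Content markers from ET SID 2014132 as quoted on this page. Snort evaluates
# them as a chain: "nocase" makes each match case-insensitive and "distance:0"
# requires each marker to begin after the end of the previous match.
ET_2014132_MARKERS = ("ActiveXObject", "HPESPRIT.XMLCacheMgr.1", "CacheDocumentXMLWithId")


def matches_et_2014132(response_body: str) -> bool:
    """Emulate the rule's ordered, case-insensitive content chain over one response body."""
    hay = response_body.lower()
    pos = 0
    for marker in ET_2014132_MARKERS:
        idx = hay.find(marker.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(marker)
    return True


# Constructed response bodies (not captured traffic) that exercise the rule logic.
SAMPLE_RESPONSES = {
    # all three markers present, in rule order, with mixed case: the rule fires
    "ordered": '<script>var c = new activexobject("HPESPRIT.XMLCacheMgr.1"); c.cachedocumentxmlwithid();</script>',
    # same three strings, but the method name precedes the others: the distance:0 chain breaks
    "reordered": '<script>/* CacheDocumentXMLWithId */ var c = new ActiveXObject("HPESPRIT.XMLCacheMgr.1");</script>',
    # benign legacy-IE feature check that merely mentions ActiveXObject
    "benign": '<script>if (window.ActiveXObject) { /* legacy IE check */ }</script>',
}

# WMI MOF auto-compilation staging directories named on this page (pre-Vista behaviour).
SYSTEM32 = r"c:\windows\system32"
MOF_STAGING_DIRS = (SYSTEM32 + r"\wbem\mof", SYSTEM32 + r"\wbem\mof\good")


def classify_file_create(path: str) -> Optional[str]:
    """Tag a created file path when it matches the VBS/MOF staging pattern described above."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    if name.endswith(".vbs") and directory == SYSTEM32:
        return "vbs-dropped-in-system32"
    if name.endswith(".mof") and directory in MOF_STAGING_DIRS:
        return "mof-dropped-in-wbem-staging"
    return None


# Constructed Sysmon-style FileCreate records (timestamp|creating process|path); not real logs.
SAMPLE_FILE_EVENTS = [
    "2012-01-18T10:00:01|C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\Windows\\System32\\kqzpwx.vbs",
    "2012-01-18T10:00:05|C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\Windows\\System32\\wbem\\mof\\rtlmbq.mof",
    "2012-01-18T10:00:09|C:\\Windows\\System32\\wbem\\wmiprvse.exe|C:\\Windows\\System32\\wbem\\mof\\good\\rtlmbq.mof",
    "2012-01-18T10:30:00|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Documents\\notes.txt",
]


def triage_file_events(lines: List[str], window_seconds: int = 60) -> Tuple[list, List[Tuple[str, str]]]:
    """Return tagged staging-path events and (vbs, mof) pairs where a .mof drop follows
    a .vbs drop within window_seconds; the page notes a 4-second gap in the exploit, so
    the window is kept generous rather than tuned to that value."""
    tagged = []
    for line in lines:
        ts, image, path = line.split("|", 2)
        tag = classify_file_create(path)
        if tag:
            tagged.append((datetime.fromisoformat(ts), image, path, tag))
    sequence_hits = []
    for i, (t_vbs, _, vbs_path, tag) in enumerate(tagged):
        if tag != "vbs-dropped-in-system32":
            continue
        for t_mof, _, mof_path, tag2 in tagged[i + 1:]:
            delta = (t_mof - t_vbs).total_seconds()
            if tag2 == "mof-dropped-in-wbem-staging" and 0 <= delta <= window_seconds:
                sequence_hits.append((vbs_path, mof_path))
                break
    return tagged, sequence_hits


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name:10s} ET-2014132 match: {matches_et_2014132(body)}")
    tagged, seq = triage_file_events(SAMPLE_FILE_EVENTS)
    for ts, image, path, tag in tagged:
        print(f"{ts.isoformat()} {tag:28s} {path} (by {image})")
    for vbs, mof in seq:
        print(f"correlated staging sequence: {vbs} -> {mof}")
```

Because the network signature needs all three strings inside one response, the host-side path and sequence checks are the part that survives obfuscation and per-session random filenames; run both rather than relying on either alone.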
Related GHSA advisories (unreviewed):
- GHSA-49qx-xc4f-34vq (CVE-2011-2404, CRITICAL, CWE-94, 2022-05-17, CVSS 9.3): A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-4786 and CVE-2011-4787.
- GHSA-qxvx-pjm6-2g2q (CVE-2011-4787, HIGH, CWE-94, 2022-05-13, CVSS 7.5): A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4786.
- GHSA-6xww-7r57-hfp7 (CVE-2011-4786, HIGH, CWE-94, 2022-05-13, CVSS 7.5): A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4787.
Suricata rule (Emerging Threats, created 2012-01-18): ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt
Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_18, cve CVE_2011_4786, deployment Perimeter, confidence Medium, signature_severity Major, tag ActiveX, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre
Exploit-DB (2012-01-18): HP Easy Printer Care - XMLCacheMgr Class ActiveX Control Remote Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution',
'Description' => %q{
This module allows remote attackers to place arbitrary files on a users file
system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr"
class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll
2.7.2.0).
Code execution can be achieved by first uploading the payload t
Metasploit module: HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedded in a vbs file, and then uploading another mof file, which causes the Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista.
No writeups or analysis indexed.