Tuesday, December 11, 2007

Zero-day Flaw in HP Laptop

From http://www.anspi.pl/~porkythepig/hp-issue/kilokieubasy.txt

Multiple Hewlett-Packard notebook series are prone to a remote code execution attack. The manufacturer's preinstalled software contains a critical flaw within the software built to support one-touch button quick feature access.
Software called "HP Info Center" is shipped with almost every HP laptop model for few years. It is designed to support user with quick system information and hardware configuration using single button touch. One of its ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution and remote registry manipulation based attacks.
  • Remote code execution
  • Remote system registry read/write access
  • Remote shell command execution