Advisory Details

July 20th, 2015

(0Day) Hewlett-Packard Client Automation Agent Stack Based Buffer Overflow Remote Code Execution Vulnerability

ZDI-15-363
ZDI-CAN-2928

CVE ID CVE-2015-7860
CVSS SCORE 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS Hewlett-Packard
AFFECTED PRODUCTS Client Automation
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Client Automation. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Hewlett-Packard Client Automation agent. An attacker can send a large buffer of data to the agent which will cause a stack buffer overflow. An attacker can leverage this vulnerability to execute code under the context of the SYSTEM.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

05/28/2015 - ZDI sent the report to HP SSRT (believing the product was licensed to or by HP).
06/15/2015 - HP SSRT replied to ZDI that ZDI should contact Persistent Systems about any reports concerning the product.
06/15/2015 - ZDI asked HP SSRT for a contact.
06/15/2015 - HP SSRT advised ZDI that they had tried their known contacts and failed.
06/25/2015 - ZDI wrote to Persistent requesting contact, but there was no reply.
07/09/2015 - ZDI wrote to Persistent requesting contact, but there is no reply to date.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

-- Vendor Mitigation:

Guidelines to secure the remote notify feature:
https://support.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features


DISCLOSURE TIMELINE
  • 2015-05-28 - Case submitted to the ZDI
  • 2015-07-20 - Public release of advisory
CREDIT Juan Vazquez, Rapid7, Inc.
BACK TO ADVISORIES