(0Day) Hewlett-Packard Client Automation Agent Stack Based Buffer Overflow Remote Code Execution Vulnerability
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Client Automation. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Hewlett-Packard Client Automation agent. An attacker can send a large buffer of data to the agent which will cause a stack buffer overflow. An attacker can leverage this vulnerability to execute code under the context of the SYSTEM.
Additional Details
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
05/28/2015 - ZDI sent the report to HP SSRT (believing the product was licensed to or by HP).
06/15/2015 - HP SSRT replied to ZDI that ZDI should contact Persistent Systems about any reports concerning the product.
06/15/2015 - ZDI asked HP SSRT for a contact.
06/15/2015 - HP SSRT advised ZDI that they had tried their known contacts and failed.
06/25/2015 - ZDI wrote to Persistent requesting contact, but there was no reply.
07/09/2015 - ZDI wrote to Persistent requesting contact, but there is no reply to date.
-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
-- Vendor Mitigation:
Guidelines to secure the remote notify feature:
https://support.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features
Disclosure Timeline
- 2015-05-28 - Vulnerability reported to vendor
- 2015-07-20 - Coordinated public release of advisory
Credit
Juan Vazquez, Rapid7, Inc.