Pre-Installed Utility Renders HP Computers Vulnerable to Attacks

A security researcher discovered multiple vulnerabilities in HP Support Assistant, a utility pre-installed on all HP computers sold after October 2012.

Pre-loaded on computers running Windows 7, Windows 8, and Windows 10, the tool was found to be impacted by ten vulnerabilities, including five local privilege escalation flaws, two arbitrary file deletion bugs, and three remote code execution bugs.

When launched, the utility starts hosting a “service interface” that exposes over 250 different functions to the client. The contract interface is exposed to the local system and clients connect to it through a specific pipe, security researcher Bill Demirkapi explains.

A series of checks are performed to validate client connections to the interface, so as to finally allow the client to call certain protected methods. While there are mitigations in place, HP Support Assistant is insecure by design, the researcher says.

“This is because core components, such as the HP Web Product Detection rely on access to the service and run in an unprivileged context. The fact is, the current way the HP Service is designed, the service must be able to receive messages from unprivileged processes. There will always be a way to talk to the service as long as unprivileged processes are able to talk to the service,” the researcher notes.

The researcher discovered that an attacker could, for example, place their own malicious binary in specific folders on the system partition and have it executed by HP’s signed process with system privileges, that a downloaded file would be executed even if a signature verification failed, and that an attacker could start an executable with the decrypt argument to write malicious payloads anywhere on the system.

Moreover, the researcher discovered that an attacker could employ two simple methods to delete any file on the machine, in the context of HP’s privileged process.

Furthermore, Demirkapi found that the “HP Download and Install Assistant” binary could be abused to achieve remote code execution. For that, an attacker would have to trick the victim into visiting a malicious site, trick the program into downloading a DLL, or get digital certificates for fake companies that contain “HP” or “Hewlett Packard” in their names.
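The two trust failures described above (running a file although verification failed, and accepting any signer whose name contains “HP” or “Hewlett Packard”) can be contrasted with a fail-closed check. This is an added illustration, not HP's code or the researcher's: the `SignerInfo` record, the allowlist entry, the thumbprint placeholders and the sample signers are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of what a signature verifier reports for a downloaded file.
@dataclass(frozen=True)
class SignerInfo:
    chain_valid: bool    # signature and certificate chain verified successfully
    organization: str    # organization name from the signing certificate subject
    thumbprint: str      # certificate fingerprint (placeholder values only)

# Hypothetical allowlist: exact organization name pinned to one known certificate.
TRUSTED_SIGNERS = {("HP Inc.", "PLACEHOLDER-THUMBPRINT-1")}

def weak_publisher_check(sig: SignerInfo) -> bool:
    """Weak pattern: substring match on the name, verification result ignored."""
    return "HP" in sig.organization or "Hewlett Packard" in sig.organization

def strict_publisher_check(sig: SignerInfo) -> bool:
    """Fail closed: verified chain AND exact name AND pinned certificate."""
    if not sig.chain_valid:
        return False
    return (sig.organization, sig.thumbprint) in TRUSTED_SIGNERS

def audit(samples):
    """Names of samples the weak check accepts but the strict check rejects."""
    return [name for name, sig in samples
            if weak_publisher_check(sig) and not strict_publisher_check(sig)]

# Constructed sample signers (not real certificates).
SAMPLES = [
    ("genuine", SignerInfo(True, "HP Inc.", "PLACEHOLDER-THUMBPRINT-1")),
    ("lookalike", SignerInfo(True, "Example HP Holdings Ltd", "PLACEHOLDER-THUMBPRINT-2")),
    ("unverified", SignerInfo(False, "Hewlett Packard", "PLACEHOLDER-THUMBPRINT-1")),
    ("unrelated", SignerInfo(True, "Example Corp", "PLACEHOLDER-THUMBPRINT-3")),
]

if __name__ == "__main__":
    print("accepted only by the weak check:", audit(SAMPLES))
```

The gap between the two checks is the set `audit` returns: a validly signed lookalike name and a file whose verification failed both pass the substring test.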

The researcher disclosed all vulnerabilities to HP in a responsible manner, and the company rolled out patches, but it seems that it failed to address all of the identified issues. In fact, the initial patches that were rolled out for the reported vulnerabilities introduced new flaws, the researcher says. The computer maker delivered new fixes in late March.

According to Demirkapi, users can mitigate the security risks posed by HP’s utility by completely removing it from their computers.

“This may not be an option for everyone, especially if you rely on the updating functionality the software provides, however, removing the software ensures that you’re safe from any other vulnerabilities that may exist in the application,” the researcher says.

Updating the application to the latest version is also an option, but it still means that three local escalation of privilege flaws remain unpatched, Demirkapi concludes.

Related: Flaw in HP Touchpoint Analytics Could Impact Many PCs

Related: Millions of Devices Exposed to Attacks Due to Flaw in PC-Doctor Software

Related: Dell Patches Vulnerability in Pre-installed SupportAssist Utility

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
