HP has fixed a flaw in its HP Touchpoint Analytics software, which is installed by default on most HP Windows computers, that allows a local attacker to escalate privileges to SYSTEM.
HP TouchPoint Analytics comes in the form of a Windows service that runs with high-level ‘NT AUTHORITY\SYSTEM’ privileges, is pre-installed on most HP computers, and is configured to anonymously collect hardware quality and diagnostic information.
The local privilege escalation (LPE) vulnerability, tracked as CVE-2019-6333, lies in the way HP’s monitoring application loads the Open Hardware Monitor library.
CVE-2019-6333 allows potential attackers to execute malicious payloads with system-level permissions and to evade anti-malware detection by bypassing application whitelisting, a common control for blocking unknown or potentially harmful applications.
A flaw of this kind is typically used in the later stages of an attack, after the target machine has already been breached, to gain the elevated permissions needed to achieve persistence and to move further into the now exposed network.
“HP TouchPoint Analytics can be used by most HP Windows laptops and desktops as the default monitored feature,” says SafeBreach. “The vulnerability has been fixed by HP, but SafeBreach researchers believe that any device using Open Hardware Library is at risk.”
Arbitrary unsigned DLL loading
The flaw, found by SafeBreach Labs security researcher Peleg Hadar and reported to HP on July 4, affects all versions of HP Touchpoint Analytics Server below 22.214.171.12427.
Hadar says the security issue is caused by an uncontrolled search path and by the lack of safe DLL loading: the service fails to validate whether the DLLs it loads are signed with a digital certificate.
The researcher noticed that HP Touchpoint Analytics, which has high-permission access to the computer’s hardware, loads a signed third-party library, Open Hardware Monitor, which in turn attempts to load three missing DLLs, atiadlxx.dll, atiadlxy.dll and Nvapi64.dll, from the directories in the Windows PATH.
The open source library can be used to track temperatures, fan speeds, voltages, clocks and load sensors, and “tens of millions of PCs use Open Hardware Monitor, like HP Touchpoint Analytics as part of monitoring systems,” says SafeBreach.
Hadar then found that the search reached the C:\python27 directory, a folder whose access control list (ACL) grants write permission to any authenticated user, while the program searching it runs as NT AUTHORITY\SYSTEM.
Loading unsigned DLLs
This allowed Hadar, as a regular user, to drop his own unsigned DLL and have it loaded with elevated permissions; the end result was arbitrary code execution inside a service digitally signed by HP, a Microsoft-approved vendor.
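As an added example, not code from the article, HP or SafeBreach, the following PowerShell audit looks for the condition described above: a directory in the machine-wide PATH whose ACL lets any authenticated user write to it, plus any copy of the three DLL names the service searches for and the signature status of each. The DLL names come from the article; the principal names are the standard Windows well-known accounts, and everything else is assumed.

```powershell
# Added example (not from the article, HP or SafeBreach): audit the machine PATH for
# directories a non-admin user could write to, the condition that lets an unsigned
# atiadlxx.dll / atiadlxy.dll / Nvapi64.dll be planted where a SYSTEM service looks.
# Run it in a PowerShell session on the machine being checked.

# DLL names the article says the service searches for along the PATH.
$WatchedDlls = 'atiadlxx.dll', 'atiadlxy.dll', 'Nvapi64.dll'

# Well-known principals that every interactive or authenticated user belongs to.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

# Returns the broad principal that holds a write right on $Path, or $null if none does.
function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

# A service running as SYSTEM resolves DLLs against the machine-scope PATH, not a user's.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
foreach ($dir in ($machinePath -split ';' | Where-Object { $_.Trim() -ne '' } | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is controlled by whoever can create it.
        Write-Output "MISSING  $dir"
        continue
    }
    $who = Test-BroadWriteAccess -Path $dir
    if ($who) { Write-Output "WRITABLE $dir  by $who" }
    foreach ($dll in $WatchedDlls) {
        $candidate = Join-Path $dir $dll
        if (Test-Path -LiteralPath $candidate) {
            $sig = Get-AuthenticodeSignature -FilePath $candidate
            Write-Output "FOUND    $candidate  signature=$($sig.Status)"
        }
    }
}
```

Any WRITABLE or MISSING line is a PATH entry that should be removed or have its ACL tightened; a FOUND line with a signature status other than Valid deserves investigation.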
“Some potential attacks may result from exploiting this vulnerability, which enables attackers to load and carry out malicious payloads using a signed network, effectively listing those applications,” says SafeBreach.
“An attacker can exploit this capability for ‘Application Whitelisting Bypass’ and ‘Signature Validation Bypassing’, to name two.” More information on the discovery process behind the CVE-2019-6333 privilege escalation vulnerability and the disclosure timeline is given in Peleg Hadar’s analysis.
Privilege escalation flaw patched
HP fixed this vulnerability on October 4, following the vulnerability report Hadar sent on July 4, by releasing HP Touchpoint Analytics Client version 126.96.36.19927.
A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 188.8.131.5227. This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service. – HP
As part of this security advisory, HP has released guidance for determining whether a system is vulnerable and the remediation steps required.
“These vulnerabilities are disturbing as they demonstrate the ease with which malicious hackers can target our technology infrastructure by assaulting and breaking highly trusted components,” said SafeBreach CTO and Co-Founder Itzik Kotler.