Vulnerability in HP System Utility Could Allow DLL Substitution

HP experts have patched a dangerous bug in the Touchpoint Analytics Client application. Vulnerability in the HP system utility allowed an attacker to elevate his privileges on the target computer and execute malicious code with system rights.

SafeBreach researchers who discovered the flaw revealed the technical details of the error after the manufacturer prepared the patch.

“A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827. This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service”, — report SafeBreach researchers.

Touchpoint Analytics Client is designed to collect system performance information and is installed on most HP Windows computers.

As information security experts found out, the application uses a third-party Open Hardware Monitor library to monitor temperature, cooler rotation speed and other machine parameters. Its processes run with system rights and require the loading of several additional DLLs.

Read also: Most used HDs contain data from previous owners

Analysts found that the Open Hardware Monitor code did not specify the exact address of the location of the objects it needed. The program looks for the libraries atiadlxx.dll, atiadlxy.dll and Nvapi64.dll in the system directories, and then in the folders specified through the PATH environment variable. In addition, as the experts found out, the application does not verify the digital signature of the received files before launch.

“If one of the PATH directories on the vulnerable machine allows writing files to a regular user, an attacker with local access to the system will be able to add malicious versions of libraries to it. As a result, Open Hardware Monitor will run these DLLs with SYSTEM privileges, which opens up opportunities for a wide range of cyberattacks”, — write the researchers.

The vulnerability is registered as CVE-2019-6333 with a threat rating of 6.7 points on the CVSS scale. The bug is present in all versions of HP Touchpoint Analytics Client earlier than 4.1.4.2827. A security update that addresses the flaw appeared on the developer’s site on October 4, 2019.

Last year, HP had to urgently patch vulnerabilities in the firmware of its printers. A nine-point bug in the system software of 166 models of printing devices allowed an attacker to execute malicious code through an overflow of a stack or a static buffer. To exploit the flaw, the attacker only had to send a special file to the target printer.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics

Leave a Comment