HP Touchpoint Analytics Opens PCs to Code Execution Attack

The vulnerability stems from an issue with DLL loading in Open Source Hardware, used by tens of millions of computers, researchers say.

A security flaw, discovered in an open-source software program that is a key component of HP’s TouchPoint Analytics service, is opening up a wide swath of HP computers to attack. The vulnerability, if exploited by local attackers with administrative privileges, can allow them to execute arbitrary code on victim systems.

The affected software, Open Hardware Monitor, monitors temperature sensors, fan speeds, voltages, load and clock speeds of a computer. It is utilized by tens of millions of computers and is a key third-party component of HP Touchpoint Analytics, said researchers with SafeBreach Labs, who discovered the flaw.

HP TouchPoint Analytics is a service that anonymously collects diagnostic information about hardware performance. The service is pre-installed on most HP PCs, meaning the flaw has a wide attack surface, said researchers.

“A number of potential attacks could result from exploiting this vulnerability giving  attackers the ability to load and execute malicious payloads using a signed service, effectively whitelisting those applications,” said Peleg Hadar, security researcher with SafeBreach Labs in a Thursday advisory.

The vulnerability (CVE-2019-6333) has a CVSS score of 6.7 out of 10.0, which translates to medium severity. However researchers say that they view the flaw as critical. Under a post-infection scenario an adversary could use the flaw to surreptitiously carry out attacks.

“It’s important to keep perspective here, we’re not claiming this is a critical issue from a measurement standpoint of view,” Itzik Kotler, co-founder and CTO at SafeBreach, told Threatpost. “We’re using the term loosely in a marketing context. [We’re] aware this vulnerability and the existing condition required to exploit it are not trivial/end of the world.”

The main attack vector is DLL hijacking, a way for attackers to execute unexpected code on machines.

DLL (Dynamic Link Library) is a file that contains a library of functions, which can be accessed and uploaded to a program. DLL hijacking is launched if attackers can get a file on machines (by social engineering or local access). That file could be executed when the user runs an application that is vulnerable to DLL hijacking.

In this situation, Open Hardware Monitor does not properly check DLLs before loading them.

“In order to leverage this vulnerability, the attacker needs to drop a file to a certain folder. In some cases the attacker won’t need to be an Administrator and in some cases he will need admin privileges,” Peleg told Threatpost.

Once Open Hardware Monitor is loaded, it launches a third-party library (OpenHardwareMonitorLib.dll). This library has the ability to collect data from different hardware sources. However, researchers found that the service loaded unmanaged DLL files without verifying if they are safe or not.

“The library tried to load the mentioned unmanaged DLL files using DllImportAttribute,” said researchers. “The problem is that it used only the filename of the DLL, instead of an absolute path… And no digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it is loading is signed. Therefore, it can load an arbitrary unsigned DLL.”

That could allow attackers to load arbitrary DLLs through Open Hardware Monitor and, because the service is pre-installed on HP Touchpoint Analytics, which has the highest level of persmissions on HP PCs (NT AUTHORITY\SYSTEM), code can be executed onto the systems.

Once abused, the vulnerability could allow an attacker to launch an array of other malicious activities.

“The capability for ‘Application Whitelisting Bypass’ and ‘Signature Validation Bypassing’ might be abused by an attacker for different purposes such as execution and evasion, to name two,” researchers said. “Using Open Hardware Monitor’s driver, which has the highest level of privileges in the operating system, an attacker can exploit this vulnerability and will be able to read and write to hardware memory.”

The flaw was first reported to HP on July 4 and on Oct. 4, HP published a security advisory for the flaw. On Thursday, SafeBreach Labs researchers published public details of the vulnerability.

HP did not respond to a request for comment from Threatpost.

What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.

Suggested articles