ID

VAR-201201-0274


CVE

CVE-2011-4786


TITLE

HP Easy Printer Care Software Vulnerable to downloading arbitrary programs

Trust: 0.8

sources: JVNDB: JVNDB-2012-001051

DESCRIPTION

A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4787.

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XMLCacheMgr class ActiveX control (CLSID 6F255F99-6961-48DC-B17E-6E1BCCBC0EE3). The CacheDocumentXMLWithId() method is vulnerable to directory traversal and arbitrary write, which allows an attacker to write malicious content to the filesystem. A remote attacker could leverage this vulnerability to gain code execution under the context of the web browser.

An attacker could exploit this issue to write arbitrary data to a local file and execute that data in the context of the application using the affected control (typically Internet Explorer).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02949847
Version: 2

HPSBPI02698 SSRT100404 rev.2 - HP Easy Printer Care Software Running on Windows, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. The vulnerability can be remotely exploited to write arbitrary files to the system and execute them via the browser.

References: CVE-2011-2404, ZDI-CAN-1092, CVE-2011-4786, ZDI-CAN-1093, CVE-2011-4787, ZDI-CAN-1117

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

This Windows software could be used in conjunction with the following Laser Jet and Color Laser Jet printer models:

Laser Jet P1005 / P1006 / P1007 / P1008
Laser Jet 1010 / 1012 / 1015
Laser Jet P1102 / P1102w
Laser Jet M1120 / M1120n
Laser Jet Pro M1132 / M1134 / M1136 / M1137 / M1138 / M1139
Laser Jet 1150
Laser Jet 1160
Laser Jet Pro M1212nf / M1213nf / N1214nfh / M1216nfh / M1217nfw / M1219nf
Laser Jet 1300
Laser Jet 1320
Laser Jet P1505
Laser Jet 2100
Laser Jet 2200
Laser Jet 2300 / 2300L
Laser Jet 2410 / 2420 / 2430
Laser Jet 3015 All-in-one
Laser Jet 3020/3030 All-in-one
Laser Jet 3050Z All-in-one
Laser Jet 3380 All-in-one
Laser Jet M3035mfp
Laser Jet 4000
Laser Jet 4050
Laser Jet 4100
Laser Jet 4100mfp
Laser Jet 4200 / 4240 / 4250
Laser Jet 4300 / 4350
Laser Jet M4345mfp
Laser Jet 4345mfp
Laser Jet 5000
Laser Jet M5035mfp
Laser Jet 5100
Laser Jet 5200 / Laser Jet 5200L
Laser Jet 8000
Laser Jet 8000mfp
Laser Jet 8100 / 8150
Laser Jet 9000
Laser Jet 9000mfp / 9000Lmfp
Laser Jet 9040 / 9050
Laser Jet 9040mfp / 9050mfp / 9055mfp / 9065mfp
Color Laser Jet CP 1215 / 1217
Color Laser Jet CP 1514n / 1515n / 1518ni
Color Laser Jet 2500
Color Laser Jet 2550
Color Laser Jet 2820 / 2840 All-in-one
Color Laser Jet 3000*
Color Laser Jet 3500 / 3550
Color Laser Jet 3600
Color Laser Jet 3700
Color Laser Jet 3800*
Color Laser Jet 4500
Color Laser Jet 4550
Color Laser Jet 4600 / 4610 / 4650
Color Laser Jet 4700*
Color Laser Jet 4730mfp*
Color Laser Jet 5500 / 5550
Color Laser Jet 8500
Color Laser Jet 8550
Color Laser Jet 9500
Color Laser Jet 9500mfp

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2011-2404    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2011-4786    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2011-4787    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP Easy Printer Care Software v2.5 and earlier for Windows XP and Vista is no longer available from HP. HP Recommends this software be uninstalled from the system as soon as possible.

The kill bit is set by modifying the data value of the Compatibility Flags DWORD value for the CLSID of this ActiveX control to 0x00000400. This is explained in Microsoft's article KB240797 or subsequent.
http://support.microsoft.com/kb/240797

HISTORY
Version:1 (rev.1) - 8 August 2011 Initial release
Version:2 (rev.2) - 11 Jan 2012 Added additional ZDI issues impacted in Easy Printer Care

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk8ODhAACgkQ4B86/C0qfVm6dwCfQLt0J9NhagY3TShIE2wi8ORc
N+YAoKipdhM6KpyCOvQuHtSEFXGowR5M
=1Ant
-----END PGP SIGNATURE-----

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02949847

-- Disclosure Timeline:
2011-04-01 - Vulnerability reported to vendor
2012-01-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product

Trust: 2.79

sources: NVD: CVE-2011-4786 // JVNDB: JVNDB-2012-001051 // ZDI: ZDI-12-013 // BID: 51396 // VULHUB: VHN-52731 // PACKETSTORM: 108618 // PACKETSTORM: 108632

AFFECTED PRODUCTS

vendor: hp // model: easy printer care software // scope: lte // version: 2.5

Trust: 1.0

vendor: hp // model: easy printer care software // scope: eq // version: 2.5

Trust: 0.9

vendor: hewlett packard // model: hp easy printer care // scope: lte // version: 2.5

Trust: 0.8

vendor: hewlett packard // model: easy printer care // scope: - // version: -

Trust: 0.7

sources: ZDI: ZDI-12-013 // BID: 51396 // JVNDB: JVNDB-2012-001051 // CNNVD: CNNVD-201201-140 // NVD: CVE-2011-4786

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4786
value: HIGH

Trust: 1.0

NVD: CVE-2011-4786
value: HIGH

Trust: 0.8

ZDI: CVE-2011-4786
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201201-140
value: CRITICAL

Trust: 0.6

VULHUB: VHN-52731
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-4786
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2011-4786
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-52731
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZDI: ZDI-12-013 // VULHUB: VHN-52731 // JVNDB: JVNDB-2012-001051 // CNNVD: CNNVD-201201-140 // NVD: CVE-2011-4786

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-52731 // JVNDB: JVNDB-2012-001051 // NVD: CVE-2011-4786

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 108632 // CNNVD: CNNVD-201201-140

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201201-140

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001051

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-52731

PATCH

title: HPSBPI02698 SSRT100404 // url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c02949847

Trust: 0.8

title: Hewlett-Packard has issued an update to correct this vulnerability. // url: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02949847

Trust: 0.7

sources: ZDI: ZDI-12-013 // JVNDB: JVNDB-2012-001051

EXTERNAL IDS

db: NVD // id: CVE-2011-4786

Trust: 3.7

db: ZDI // id: ZDI-12-013

Trust: 1.1

db: JVNDB // id: JVNDB-2012-001051

Trust: 0.8

db: ZDI_CAN // id: ZDI-CAN-1093

Trust: 0.7

db: CNNVD // id: CNNVD-201201-140

Trust: 0.7

db: BID // id: 51396

Trust: 0.4

db: PACKETSTORM // id: 108632

Trust: 0.2

db: SEEBUG // id: SSVID-72499

Trust: 0.1

db: PACKETSTORM // id: 108769

Trust: 0.1

db: EXPLOIT-DB // id: 18381

Trust: 0.1

db: VULHUB // id: VHN-52731

Trust: 0.1

db: PACKETSTORM // id: 108618

Trust: 0.1

sources: ZDI: ZDI-12-013 // VULHUB: VHN-52731 // BID: 51396 // JVNDB: JVNDB-2012-001051 // PACKETSTORM: 108618 // PACKETSTORM: 108632 // CNNVD: CNNVD-201201-140 // NVD: CVE-2011-4786

REFERENCES

url:http://archives.neohapsis.com/archives/bugtraq/2012-01/0078.html

Trust: 1.7

url:http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docdisplay/?docid=emr_na-c02949847

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4786

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4786

Trust: 0.8

url:http://h20271.www2.hp.com/smb-ap/cache/470575-0-0-190-121.html

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-12-013/

Trust: 0.3

url:http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docdisplay/?docid=emr_na-c02949847&ac.admitted=1326398703011.876444892.199480143

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2011-4786

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-2404

Trust: 0.1

url:http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/

Trust: 0.1

url:http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Trust: 0.1

url:http://support.microsoft.com/kb/240797

Trust: 0.1

url:https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docdisplay/?docid=emr_na-c02964430

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-4787

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 0.1

url:http://twitter.com/thezdi

Trust: 0.1

url:http://www.tippingpoint.com

Trust: 0.1

url:http://www.zerodayinitiative.com

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-12-013

Trust: 0.1

sources: ZDI: ZDI-12-013 // VULHUB: VHN-52731 // BID: 51396 // JVNDB: JVNDB-2012-001051 // PACKETSTORM: 108618 // PACKETSTORM: 108632 // CNNVD: CNNVD-201201-140 // NVD: CVE-2011-4786

CREDITS

Andrea Micalizzi aka rgod

Trust: 1.0

sources: ZDI: ZDI-12-013 // BID: 51396

SOURCES

db: ZDI // id: ZDI-12-013
db: VULHUB // id: VHN-52731
db: BID // id: 51396
db: JVNDB // id: JVNDB-2012-001051
db: PACKETSTORM // id: 108618
db: PACKETSTORM // id: 108632
db: CNNVD // id: CNNVD-201201-140
db: NVD // id: CVE-2011-4786

LAST UPDATE DATE

2025-04-11T22:03:15.114000+00:00


SOURCES UPDATE DATE

db: ZDI // id: ZDI-12-013 // date: 2012-01-12T00:00:00
db: VULHUB // id: VHN-52731 // date: 2019-10-09T00:00:00
db: BID // id: 51396 // date: 2012-01-18T07:10:00
db: JVNDB // id: JVNDB-2012-001051 // date: 2012-01-16T00:00:00
db: CNNVD // id: CNNVD-201201-140 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2011-4786 // date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: ZDI // id: ZDI-12-013 // date: 2012-01-12T00:00:00
db: VULHUB // id: VHN-52731 // date: 2012-01-12T00:00:00
db: BID // id: 51396 // date: 2012-01-12T00:00:00
db: JVNDB // id: JVNDB-2012-001051 // date: 2012-01-16T00:00:00
db: PACKETSTORM // id: 108618 // date: 2012-01-13T01:46:57
db: PACKETSTORM // id: 108632 // date: 2012-01-13T02:07:33
db: CNNVD // id: CNNVD-201201-140 // date: 2012-01-13T00:00:00
db: NVD // id: CVE-2011-4786 // date: 2012-01-12T19:55:00.810