[GOODFELLAS - VULN] hpqxml.dll 22.214.171.124 from HP Digital Imaging Arbitrary Data Write.
From: "Goodfellas SRT" <goodfellas () shellcode com ar>
Date: Thu, 28 Jun 2007 01:20:21 +0200
:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
hpqxml.dll 126.96.36.199 from HP Digital Imaging Arbitrary Data Write
Internal ID: VULWAR200706275.
hpqxml.dll is a library included in the HP Photo Digital Imaging
software package from the HP Company. http://www.hp.com.
- Windows XP SP2 English/French with IE 6.0 / 7.0.
- Windows Vista Professional English/French SP1 with IE 7.0
The saveXMLAsFile method doesn't check if it is being called from the
or from a malicious user.
The vulnerability is due to an error in the saveXMLAsFile method that
local files insecurely, which could allow malicious users to write
data to any file on a vulnerable system. Besides, the method does not
file headers before writing.
- Activate the Kill bit zero in
- Unregister hpqxml.dll using regsvr32.
June 27, 2007 -- Bug discovery.
June 27, 2007 -- Bug published.
* Brian Mariani <bmariani () shellcode com ar>
* GoodFellas Security Research Team <goodfellas.shellcode.com.ar>
saveXMLAsFile method receives a filename as an argument, with this format
Proof of Concept
<title>Hpqxml.dll 188.8.131.52 HP Digital Imaging Arbitary Data Write</title>
<h3>Hpqxml.dll 184.108.40.206 HP Digital Imaging Arbitary Data Write</h3><br>
<object classid='clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3' id='target'
<input language=VBScript onclick=HP() type=button value="Proof of
<script language = 'vbscript'>
filename = "C:\NTDETECT_.COM"
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
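
Added example (not part of the original advisory and not HP's code): a PowerShell audit for the kill-bit workaround listed in the advisory, using the CLSID from its proof of concept. The registry location and the 0x400 "Compatibility Flags" value are the standard Internet Explorer kill-bit mechanism rather than details given in the advisory, and the -Apply switch is this script's own.

```powershell
# Audit (and optionally set) the IE kill bit for the hpqxml.dll ActiveX control.
# CLSID: taken from the advisory's proof of concept.
# Registry path and 0x400 flag: standard IE kill-bit mechanism (assumption, not on the page).
param([switch]$Apply)    # without -Apply the script only reports

$Clsid   = '{9C0A0321-B328-466C-8ECA-B9A5522466D3}'
$Name    = 'Compatibility Flags'
$KillBit = 0x400
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }    # the Wow6432Node view exists only on 64-bit Windows

function Get-KillBitState([string]$Root) {
    $key   = Join-Path $Root $Clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.$Name }
    }
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
    $current = 0
    $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { $current = $prop.$Name }
    # OR the bit in so any other compatibility flags already present are preserved.
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($root in $Roots) {
    $state = Get-KillBitState $root
    if ($Apply -and -not $state.KillBitSet) {
        Set-KillBit $root
        $state = Get-KillBitState $root
    }
    $state    # one object per registry view: Key, Flags, KillBitSet
}
```

Writing under HKLM requires an elevated session. The kill bit only stops Internet Explorer from instantiating the control; the advisory's second workaround, unregistering hpqxml.dll with regsvr32, is separate.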