Pierluigi Paganini October 11, 2019

SafeBreach experts discovered that the HP Touchpoint Analytics service is affected by a potentially serious vulnerability.

Security researchers at SafeBreach have discovered that the HP Touchpoint Analytics service is affected by a serious flaw tracked as CVE-2019-6333. The vulnerability received a CVSS score of 6.7 (medium severity).

The TouchPoint Analytics is a service that allows the vendor to anonymously collect diagnostic data about hardware performance, it comes pre-installed on most HP PCs.

The service is based on the open-source tool Open Hardware Monitor and it is executed as “NT AUTHORITY\SYSTEM.”

The experts noticed that when the service is started, it attempts to load three missing DLL files. An attacker with administrative privileges on the targeted system can create malicious DLLs with the names of the missing files and place them in the locations where they were expected to be to get executed when the HP service starts.

The experts pointed out that the Touchpoint Analytics service would have high-permission-level access to the PC hardware, this means that a flaw affecting the could be exploited to escalate privileges to SYSTEM and bypass security features.

“The Open Hardware Monitor library provides a signed kernel driver named “WinRing0,” which is extracted and installed during runtime.” reads the analysis published by the experts.

“As you can see, the service was trying to load three missing DLL files, which eventually were loaded from the c:\python27 directory – our PATH environment variable:

1. atiadlxx.dll
2. atiadlxy.dll
3. Nvapi64.dll“

The researchers also published a PoC code to show how to use the Open Hardware Monitor library to read and write to physical memory.

The flaw could impact tens of millions of computers running the HP Touchpoint Analytics or Open Hardware Monitor.

“A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827.” reads the security advisory published by HP. “This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.”

The experts reported the flaw to HP in early July and it was addressed this month with the release of version 4.1.4.2827.

Pierluigi Paganini

(SecurityAffairs – Touchpoint Analytics, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]