The researcher says that the tool, which is used on machines running Windows 7, Windows 8, and Windows 10, is affected by ten different vulnerabilities: five local privilege escalation vulnerabilities, two arbitrary file deletion flaws, and three remote arbitrary code execution flaws.
The researcher found that an attacker could, for example, place their own malicious binary in certain folders on the system partition and have it executed by a signed HP process with system privileges. In one case, a downloaded file is executed even if signature verification fails, and the attacker can run the executable with a decryption argument to write a malicious payload anywhere on the system.
Demirkapi also writes that an attacker can use two simple exploits to delete any file on the victim’s computer in the context of the privileged HP process. The HP Download and Install Assistant binary can also be used to execute code remotely. To do this, the attacker has to get the victim to visit a malicious site and also force the program to download a DLL or “feed” it digital certificates of fake companies whose names contain the words “HP” or “Hewlett Packard”.
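The signer-name weakness described above, modelled as an added example (not HP's code and not taken from the researcher's report): a check that trusts any certificate name containing "HP" or "Hewlett Packard", beside a stricter check that requires a valid chain, an exact organization match and a pinned fingerprint. The allowlist, the `HP Inc.` organization string, the placeholder certificate bytes and all function names are assumptions made for illustration.

```python
# Added example: models the signer-name check described above; not HP's code.
import hashlib

# Assumed allowlist: exact organization name mapped to pinned SHA-256 fingerprints.
# The certificate bytes are constructed placeholders, not real certificates.
VENDOR_CERT_DER = b"constructed-placeholder-vendor-cert"
PINNED = {"HP Inc.": {hashlib.sha256(VENDOR_CERT_DER).hexdigest()}}


def parse_subject(dn):
    """Split a simple 'CN=...,O=...' subject string into a dict (no escaped commas)."""
    fields = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.upper()] = value.strip()
    return fields


def weak_is_trusted(subject_dn):
    """Weak pattern: trust any signer whose name merely contains a vendor word."""
    return "HP" in subject_dn or "Hewlett Packard" in subject_dn


def strict_is_trusted(subject_dn, cert_der, chain_valid):
    """Hardened pattern: valid chain, exact organization match, pinned fingerprint."""
    if not chain_valid:  # outcome of the platform's signature and chain validation
        return False
    org = parse_subject(subject_dn).get("O", "")
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return fingerprint in PINNED.get(org, set())


# Constructed sample signers: (subject, certificate bytes, chain validation result).
SAMPLES = [
    ("CN=HP Inc.,O=HP Inc.,C=US", VENDOR_CERT_DER, True),
    ("CN=HP Updates Ltd,O=HP Updates Ltd,C=XX", b"constructed-other-cert", True),
    ("CN=Contoso,O=Contoso,C=US", b"constructed-contoso-cert", True),
]


def compare():
    """Return (subject, weak verdict, strict verdict) for each sample."""
    return [(s, weak_is_trusted(s), strict_is_trusted(s, d, ok)) for s, d, ok in SAMPLES]


if __name__ == "__main__":
    for subject, weak, strict in compare():
        print(f"{subject!r}: weak={weak} strict={strict}")
```

The second sample is accepted by the name-based check only because its company name contains "HP"; the strict check rejects it because its fingerprint is not pinned.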
Examples of attacks can be seen below.
HP engineers partially fixed the bugs discovered by the specialist in December 2019, after receiving the initial report dated October. Another patch was released recently, in March 2020, after the researcher sent an updated report to the company in January. The second patch also fixed one of the flaws that had initially been left uncorrected, as well as another bug that was discovered later.
Importantly, HP has still not eliminated three of the local privilege escalation vulnerabilities, which means that even users who have the latest version of HP Support Assistant installed are still at risk. To fully protect themselves, users are strongly advised to remove HP Support Assistant, as well as HP Support Solutions Framework, from their devices.