[English] HP Conexant Keylogger! Urgent!


Some HP laptops are vulnerable because of a now publicly known bug with enormous security consequences:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8360

In simple terms, the Conexant sound driver on these machines records every keystroke in a text file named MicTray.log.


This file contains all the keystrokes that the user typed. Reading it only takes translating each key code back to its key. You can find the codes that match the keys here:

https://msdn.microsoft.com/fr-fr/library/windows/desktop/dd375731(v=vs.85).aspx


Here are the affected laptops:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

All this to say that taking advantage of this bug is as easy as it is dangerous.

HP has made a new hotfix available: SP80323.exe

If your laptop appears in this list, please urgently update it!

Another way to close this hole is to delete the executable, the log and any kind of automatic launch. To do so, delete MicTray.exe or MicTray64.exe and MicTray.xml or MicTray64.xml (both can be found under System32), delete the log in the Public folder and restart the machine!

This link will show you a PowerShell script that cleans the system!

https://github.com/jolegape/RemoveConexantKeylogger/blob/master/Remove_Conexant_Keylogger.ps1
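Before deleting anything, it helps to see what is actually on the machine. The read-only audit below is an added example (not the linked GitHub script and not HP's code) that reports the files named above and any automatic launch entries that reference MicTray. The function name `Find-MicTrayArtifact` is hypothetical, and it assumes that "Public" is the folder in `$env:PUBLIC` and that automatic launch would appear as a scheduled task or a Run-key value.

```powershell
# Added example: read-only audit for the MicTray artifacts named in this post.
# Assumptions: the log sits in $env:PUBLIC; autostart = scheduled task or Run key.
function Find-MicTrayArtifact {
    param([string]$SystemDir = (Join-Path $env:windir 'System32'),
          [string]$PublicDir = $env:PUBLIC)
    # A 32-bit PowerShell on 64-bit Windows is redirected to SysWOW64;
    # Sysnative reaches the real System32 in that case.
    $dirs = @($SystemDir)
    $sysnative = Join-Path $env:windir 'Sysnative'
    if (Test-Path $sysnative) { $dirs += $sysnative }
    $names = 'MicTray.exe', 'MicTray64.exe', 'MicTray.xml', 'MicTray64.xml'
    $paths = @(foreach ($d in $dirs) { foreach ($n in $names) { Join-Path $d $n } })
    $paths += Join-Path $PublicDir 'MicTray.log'
    foreach ($p in $paths) {
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) {
            [pscustomobject]@{ Kind = 'File'; Location = $f.FullName
                Detail = '{0} bytes, modified {1:u}' -f $f.Length, $f.LastWriteTimeUtc }
        }
    }
    # Scheduled tasks whose action runs a MicTray binary (cmdlet needs Windows 8+).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        Get-ScheduledTask |
            Where-Object { $_.Actions | Where-Object { $_.Execute -like '*MicTray*' } } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'ScheduledTask'; Location = $_.TaskPath + $_.TaskName
                    Detail = ($_.Actions.Execute -join '; ') }
            }
    }
    # Run-key values (machine and current user) that reference MicTray.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like '*MicTray*' } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'RunKey'; Location = "$key\$($_.Name)"; Detail = $_.Value }
            }
    }
}

Find-MicTrayArtifact | Format-Table -AutoSize -Wrap
```

No output means none of these artifacts were found; a non-zero size on MicTray.log means keystrokes have already been written to disk on that machine.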

Have a blast with this patch,

Security first!

@RioJoubert

About Red Kaffe

IT Trainer and Consultant on Microsoft Technologies. Windows Server and Client, Service Center 2012, WSUS/MDT/ADK/WAIK, SBS 2008/2011, Office 365, etc. Fully dedicated to support and train my customers...