Written by: Stewart Olson
Nth Generation Security Consultant
On May 11th, German researcher Thorsten Schroeder reported the discovery of an audio driver on HP laptops that intercepts keystrokes. The keylogging is intended to catch when certain special keys are pressed so that audio events such as "volume up," "mute," and so on can be triggered. However, poor design and implementation, presumably by the Conexant developers, means that all keystrokes are either broadcast through a debugging interface or written to a log file in a public directory on disk. This post provides information about the risk and a script to scan your environment.
The driver's helper program is named MicTray.exe or MicTray64.exe; it has shipped on HP computers and has been available on HP's website since that time. A corrected version has since been pushed through the Windows Update mechanism; we recommend approving and deploying the new update as soon as possible.
Nth Generation has written a PowerShell script that scans an Active Directory domain's computers for the presence of the MicTray software as well as for the presence of the log file. These can be found manually by looking in the following areas:
Our script, which can be found here, provides an individual system check or a full domain check. The rest of this post breaks down the script so it can be modified or run with confidence.
What does the script do and how does it work?
The script has two modes: Single Computer or Full Domain. The mode slightly changes how the script executes.
The simplest mode is the single computer scan. In this mode, a single argument is provided to target that specific computer by IP or by name. To execute using an administrator account, run the following from the directory the script is installed in:
./Get-MicTrayData -TargetHost <Hostname>
The script then imports the ActiveDirectory module, which is used to request computer information from AD. The script finds the specified computer object and then runs a "for loop" over that one system. First, the script tests whether the system is online with the Test-Connection command, essentially a ping command in PowerShell. If the system responds, the script attempts an SMB connection with Test-Path to check whether files are present in the following locations:
These files indicate one of two things:
- The driver is installed
- The driver is installed and a log file is present
Either of these should trigger a check to verify that the program has been patched and to manually delete the keylog file if it is present. Depending on the outcome, one of three log files is generated:
The first is generated if the .exe file is detected, the second if no .exe file is detected, and the last if the system does not respond to a ping.
The second mode, full domain scan, is run by executing the script without any additional parameters. It runs the same as above with the following differences:
Instead of using the Get-ADComputer command on an individual machine, the script imports all enabled computer objects in the AD domain. It takes this list and iterates through it, running the same process of "Check if online," "Check if log exists," and then "Check if exe exists." The results are logged into the same three files as above, with the hostname of each target system.
Once complete, searching the console output for "VULNERABLE" or opening the MicTrayVulnerable.txt file will list the machines with the driver installed. This again indicates that the latest patches should be verified as installed and the log file cleared out if present.
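The single-computer and full-domain flow described above, as an added example that is not Nth Generation's own script: the MicTray exe and log paths are passed in by the caller (fill them in from the locations listed in the post), the single-computer mode accepts an AD computer name rather than an IP, and the "clean" and "offline" result file names are assumptions, since the post names only MicTrayVulnerable.txt.

```powershell
# Added example, not the Nth Generation script: reimplements the scan logic the post describes.
# Run as a domain administrator on a host with the RSAT ActiveDirectory module installed.
param(
    [string]$TargetHost,                          # AD computer name; omit for a full-domain scan
    [Parameter(Mandatory)][string]$ExePath,       # MicTray exe path relative to C:\ (from the post's list)
    [Parameter(Mandatory)][string]$LogPath        # MicTray log path relative to C:\ (from the post's list)
)
Import-Module ActiveDirectory

# Result files: MicTrayVulnerable.txt is named in the post; the other two names are assumed here.
$vulnerableFile = 'MicTrayVulnerable.txt'
$cleanFile      = 'MicTrayClean.txt'
$offlineFile    = 'MicTrayOffline.txt'

# Single-computer mode looks up one AD computer object; full-domain mode pulls every enabled one.
if ($TargetHost) {
    $computers = @(Get-ADComputer -Identity $TargetHost)
} else {
    $computers = Get-ADComputer -Filter 'Enabled -eq $true'
}

foreach ($computer in $computers) {
    $name = if ($computer.DNSHostName) { $computer.DNSHostName } else { $computer.Name }

    # Step 1: is the system online? Test-Connection is the PowerShell equivalent of ping.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        Add-Content -Path $offlineFile -Value $name
        Write-Host "OFFLINE    $name"
        continue
    }

    # Steps 2 and 3: check the log and the exe over SMB through the C$ admin share.
    # Caveat: Test-Path returns $false both when a file is absent and when the share cannot be
    # opened with the current credentials, so an unreachable share is reported, not marked clean.
    $share = "\\$name\C$"
    if (-not (Test-Path -Path $share -ErrorAction SilentlyContinue)) {
        Write-Warning "$name answers ping but $share is not accessible; no result recorded"
        continue
    }
    $logFound = Test-Path -Path (Join-Path $share $LogPath)
    $exeFound = Test-Path -Path (Join-Path $share $ExePath)

    # Either indicator warrants a patch check and, if the log exists, manual deletion of it.
    if ($exeFound -or $logFound) {
        Add-Content -Path $vulnerableFile -Value "$name exe=$exeFound log=$logFound"
        Write-Host "VULNERABLE $name (exe present: $exeFound, log file present: $logFound)"
    } else {
        Add-Content -Path $cleanFile -Value $name
        Write-Host "CLEAN      $name"
    }
}
```

Before trusting CLEAN results across the domain, run the script against one host known to have MicTray installed and confirm it reports VULNERABLE; that rules out the share-access case the warning covers.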
Please try out our script and provide any feedback, questions, or comments!