[German]A from OEM’s (HP, PHILIPS, FUJITSU) on Windows notebooks preinstalled application bears a huge security risk. A vulnerability allows a local authenticated (non-privileged) attacker to run arbitrary code with SYSTEM privileges. Millions of devices are affected by this bloatware.
The topic isn’t new, I’ve addressed several security issues caused by preinstalled OEM software within my German blog. Overall, preinstalled OEM software is a potential security risk. Currently, a Display SDK service, developed from Portrait Displays Inc., causes such a security risk. The service is used to change some screen settings on notebook and the SDK program PdiService.exe is shipped from many OEM’s on Windows notebooks. The program comes with different brand names, Fujitsu is calling it DisplayView Click.
While the program seems to make sense (change some screen settings), it’s bloatware, that’s causing a major security risk. Austrian security specialists from sec.consult.com has documented it here. But also US CERT has issued a warning VU#219739 about the vulnerability.
Vulnerability Note VU#219739
Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation
A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component PdiService.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges.
sc.exe config pdiService.exe binpath “mc.exe –nv –l 127.0.0.1 –p4242 –p c:\Windows\System32\cmd.exe |out-null
issued in an administrative command prompt window allows a local authenticated (non-privileged) attacker can run arbitrary code with SYSTEM privileges. The command uses the UAC bypassing trick, I’ve mentioned within my blog post Windows: UAC opens hidden in background.
Affected applications and fixes
The following applications have been identified by Portrait Displays as affected:
- Fujitsu DisplayView Click: Version 6.0 and 6.01
The issue was fixed in Version 6.3
- Fujitsu DisplayView Click Suite: Version 5
The issue is addressed by patch in Version 5.9
- HP Display Assistant: Version 2.1
The issue was fixed in Version 2.11
- HP My Display: Version 2.0
The issue was fixed in Version 2.1
- Philips Smart Control Premium: Versions 2.23, 2.25
The issue was fixed in Version 2.26
Portrait Displays has provided patch for affected applications. Ensure, that the affected applications are updated to the most recent versions. Another fix is to restrict the rights for PdiService.exe using the command:
sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
within an administrative command prompt window. It’s another example, where OEM software is causing serious issues.
Windows: UAC opens hidden in background
PUP: AVIRA adds Aviara Launcher to paid version
Windows 10 V 1703: How to disable Windows Defender/Security Center
Microsoft’s obscure ‘Self Service for Mobile’ Office activation
Windows 10 upgrade: On-Screen-Keyboard/Touchscreen fix