{"id":2727,"date":"2017-04-26T07:58:56","date_gmt":"2017-04-26T05:58:56","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=2727"},"modified":"2024-10-05T18:57:38","modified_gmt":"2024-10-05T16:57:38","slug":"security-risk-oem-bloatware-portrait-display-pdiservice-exe","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/04\/26\/security-risk-oem-bloatware-portrait-display-pdiservice-exe\/","title":{"rendered":"Security risk OEM bloatware Portrait Display (PdiService.exe)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/04\/26\/oem-bloatware-pdiservice-exe-als-sicherheitsrisiko-auf-notebooks\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]An application preinstalled by OEMs (HP, Philips, Fujitsu) on Windows notebooks poses a huge security risk. A vulnerability allows a local authenticated (non-privileged) attacker to run arbitrary code with SYSTEM privileges. Millions of devices are affected by this bloatware. <\/p>\n<p><!--more--><\/p>\n<p>The topic isn't new; I've addressed several security issues caused by preinstalled OEM software in my German blog. Overall, preinstalled OEM software is a potential security risk. Currently, a display SDK service developed by Portrait Displays Inc. poses such a security risk. The service is used to change some screen settings on notebooks, and the SDK program <em>PdiService.exe <\/em>is shipped by many OEMs on Windows notebooks. The program comes under different brand names; Fujitsu calls it DisplayView Click. 
<\/p>\n<p>While the program seems to make sense (changing some screen settings), it's bloatware that causes a major security risk. Austrian security specialists from sec-consult.com have documented it <a href=\"https:\/\/www.sec-consult.com\/de\/Vulnerability-Lab\/Advisories.htm#a220\" target=\"_blank\" rel=\"noopener\">here<\/a>. US CERT has also issued a warning, <a href=\"http:\/\/www.kb.cert.org\/vuls\/id\/219739\" target=\"_blank\" rel=\"noopener\">VU#219739<\/a>, about the vulnerability. <\/p>\n<blockquote>\n<h3>Vulnerability Note VU#219739<\/h3>\n<h4>Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation<\/h4>\n<p>A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component <em>PdiService.exe <\/em>with NT AUTHORITY\/SYSTEM permissions. This component is also read\/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges.<\/p>\n<\/blockquote>\n<p>The command:  <\/p>\n<p><em>sc.exe config <em>pdiService.exe binpath \"mc.exe \u2013nv \u2013l 127.0.0.1 \u2013p4242 \u2013p c:\\Windows\\System32\\cmd.exe |out-null<\/em><\/em><\/p>\n<p>issued in an administrative command prompt window allows a local authenticated (non-privileged) attacker to run arbitrary code with SYSTEM privileges. 
The command uses the UAC bypass trick I mentioned in my blog post <a href=\"https:\/\/borncity.com\/win\/2017\/01\/07\/windows-uac-opens-hidden-in-background\/\">Windows: UAC opens hidden in background<\/a>.<\/p>\n<h3>Affected applications and fixes<\/h3>\n<p>The following applications have been identified by Portrait Displays as affected:<\/p>\n<ul>\n<li>Fujitsu DisplayView Click: Version 6.0 and 6.01<br \/>The issue was fixed in Version 6.3<\/li>\n<li>Fujitsu DisplayView Click Suite: Version 5<br \/>The issue is addressed by patch in Version 5.9<\/li>\n<li>HP Display Assistant: Version 2.1<br \/>The issue was fixed in Version 2.11<\/li>\n<li>HP My Display: Version 2.0<br \/>The issue was fixed in Version 2.1<\/li>\n<li>Philips Smart Control Premium: Versions 2.23, 2.25<br \/>The issue was fixed in Version 2.26<\/li>\n<\/ul>\n<p>Portrait Displays has provided patches for the affected applications. Ensure that the affected applications are updated to the most recent versions. Another fix is to restrict the rights for <em>PdiService.exe <\/em>using the command:<\/p>\n<p>sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)<\/p>\n<p>in an administrative command prompt window. It's another example of OEM software causing serious issues. 
<\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2017\/01\/07\/windows-uac-opens-hidden-in-background\/\">Windows: UAC opens hidden in background<\/a><br \/><a href=\"https:\/\/web.archive.org\/web\/20230323134905\/https:\/\/borncity.com\/win\/2016\/09\/12\/pup-avira-adds-aviara-launcher-to-paid-version\/\">PUP: AVIRA adds Aviara Launcher to paid version<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2017\/04\/19\/windows-10-v-1703-how-to-disable-windows-security-center\/\">Windows 10 V 1703: How to disable Windows Defender\/Security Center<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2017\/02\/12\/microsofts-obscure-self-service-for-mobile-office-activation\/\">Microsoft's obscure 'Self Service for Mobile' Office activation<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2015\/08\/24\/windows10-upgrade-on-screen-keyboardtouchscreen-fix\/\">Windows 10 upgrade: On-Screen-Keyboard\/Touchscreen fix<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]An application preinstalled by OEMs (HP, Philips, Fujitsu) on Windows notebooks poses a huge security risk. A vulnerability allows a local authenticated (non-privileged) attacker to run arbitrary code with SYSTEM privileges. 
Millions of devices are affected by this bloatware.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[795,444,796,794,471,69,194],"class_list":["post-2727","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-notebooks","tag-oem","tag-pdiservice-exe","tag-portrait-display","tag-sdk","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/2727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=2727"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/2727\/revisions"}],"predecessor-version":[{"id":35664,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/2727\/revisions\/35664"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=2727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=2727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=2727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}