Portrait Display service makes millions of HP, Fujitsu and Philips notebooks vulnerable

[Batu69]

Security researchers at Sec Consult discovered a vulnerability in Portrait Display, a software used by OEMs such as HP and Fujitsu on millions of notebooks.

Portrait Display SDK Service is used by various OEMs such as HP or Fujitsu as an on screen display that provides notebook users with options to tune displays. The core idea behind the service is to provide users with better and more direct display controls.

 

The application goes under different names, as it is rebranded usually by OEMs when it ships with company notebooks. HP customers may know it as HP Display Assistant, HP Display Control, HP My Display, or HP Mobile Display Assistant, Fujtsu customers as Fujitsu DisplayView Click, and Philips customers as Philips SmartControl.

Portrait Display service vulnerability

screenshot via Sec Consult

Security researchers of Sec Consult discovered that the PdiService's permissions give every authenticated user write access on the service, and that attackers may execute arbitrary code by changing the service's binary path. Additionally, since PdiService is executed with SYSTEM permissions, it results in privilege escalation.

 

The researchers highlight the method which they used to discover the vulnerability, and how to exploit it on the company blog.

More interesting from a user's point of view is that they offer two solutions to patch customer systems. Users may want to check the installed Services on their Windows machine to find out whether their installation is affected by the issue.

 

You can launch the Services Manager with a tap on the Windows-key, typing services.msc, and hitting the Enter-key on the keyboard.

Another option, one that may work better, is to run the command sc query pdiservice from the command line to see if it is installed on the device.

 

Portrait, the developer of the application, released an update version of the software which patches the security issue.

Affected customers may want to head over to the Portrait website to download the security patch and install it on affected devices. Simply run the downloaded file and follow the on-screen instructions to update local files so that they are no longer vulnerable to the described attack.

 

The second option is to run a command on the local system to remove the Authenticated Users group permission of the service.

1. Tap on the Windows-key, type cmd.exe, hold down Shift-key and Ctrl-key, and hit the Enter-key to launch an elevated command prompt.
2. Run the following command: sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

Closing Words

Portrait reacted quickly to the reported vulnerability, and it has released a patch already. This is not always the case when it comes to software that ships with notebooks or desktop PCs. So called bloatware is still a big issue today as it -- usually -- slows down the PC and may introduce security vulnerabilities on top of all that.

 

This is not the first time that security issues were found in OEM software. Last year, it was discovered that OEM update programs put PCs at risk as well.

My suggestion is, usually, to remove bloatware either manually, or by running programs such as Decrap or PC Decrapifier. (via Born)

 

Article source