Talos Vulnerability Report

TALOS-2016-0247

Dell Precision Optimizer Local Privilege Escalation Vulnerability

June 30, 2017
CVE Number

CVE-2017-2802

Summary

An exploitable DLL hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious DLL file located in one of the directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to a vulnerable system can exploit this vulnerability.

Tested Versions

Dell Precision Tower 5810 with NVIDIA graphics cards.
PPO Policy Processing Engine - FileVersion: 3.5.5.0
ati.dll (PPO Monitoring Plugin) - FileVersion: 3.5.5.0

Product URLs

http://www.dell.com/optimizer

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

This vulnerability is present in the Dell Precision Optimizer application service, which is pre-installed on, e.g., a Dell Precision Tower 5810 with Windows. Part of the official application description:

"Don't waste hours manually setting up your Workstation to get the best possible Independent Software Vendor (ISV) application performance. With Dell Precision Optimizer, an automated tool included on every Precision Workstation at no additional cost, your Workstation can be set up at the touch of the button, letting you get on with your pressing projects."

A DLL hijacking vulnerability affecting this service leads to local privilege escalation.

During the start of the `Dell PPO Service` service:

    `c:\Program Files\Dell\PPO\poaService.exe`

it loads `c:\Program Files\Dell\PPO\ati.dll`. This DLL in turn tries to load `atiadlxx.dll`, which is not present in the application's installation directory by default.
Here is the call stack showing the call to `LoadLibrary` by ati.dll trying to load `atiadlxx.dll`:

		Frame	Module	Location	Address	Path
		0	fltmgr.sys	FltAcquirePushLockShared + 0x907	0xfffff88001974067	C:\Windows\system32\drivers\fltmgr.sys
		1	fltmgr.sys	FltIsCallbackDataDirty + 0x20ba	0xfffff880019769aa	C:\Windows\system32\drivers\fltmgr.sys
		2	fltmgr.sys	FltReadFile + 0x10363	0xfffff880019942a3	C:\Windows\system32\drivers\fltmgr.sys
		3	ntoskrnl.exe	MmCreateSection + 0x2d2b	0xfffff800033866cb	C:\Windows\system32\ntoskrnl.exe
		4	ntoskrnl.exe	SeQueryInformationToken + 0xe3e	0xfffff800033821ee	C:\Windows\system32\ntoskrnl.exe
		5	ntoskrnl.exe	ObOpenObjectByName + 0x306	0xfffff80003382cd6	C:\Windows\system32\ntoskrnl.exe
		6	ntoskrnl.exe	NtOpenProcessTokenEx + 0x326	0xfffff8000335f406	C:\Windows\system32\ntoskrnl.exe
		7	ntoskrnl.exe	KeSynchronizeExecution + 0x3a23	0xfffff8000307f6d3	C:\Windows\system32\ntoskrnl.exe
		8	ntdll.dll	ZwQueryAttributesFile + 0xa	0x775ebf0a	C:\Windows\System32\ntdll.dll
		9	ntdll.dll	TpAllocTimer + 0x46c	0x775d64dc	C:\Windows\System32\ntdll.dll
		10	ntdll.dll	RtlCopyUnicodeString + 0x7d7	0x775e5027	C:\Windows\System32\ntdll.dll
		11	ntdll.dll	RtlSubAuthorityCountSid + 0x94	0x775cee04	C:\Windows\System32\ntdll.dll
		12	ntdll.dll	LdrLoadDll + 0x1c3	0x775c5da3	C:\Windows\System32\ntdll.dll
		13	ntdll.dll	LdrLoadDll + 0x3ef	0x775c5fcf	C:\Windows\System32\ntdll.dll
		14	KernelBase.dll	TlsGetValue + 0x4756	0x7fefd570176	C:\Windows\System32\KernelBase.dll
		15	ati.dll	ati.dll + 0x103f	0x7feefa9103f	C:\Program Files\Dell\PPO\ati.dll
		16	ati.dll	MPI_Open + 0x2a	0x7feefa9362a	C:\Program Files\Dell\PPO\ati.dll
		17	monEngine.dll	monEngine.dll + 0x1251	0x7feefb91251	C:\Program Files\Dell\PPO\monEngine.dll
		18	monEngine.dll	monEngine.dll + 0x15cf	0x7feefb915cf	C:\Program Files\Dell\PPO\monEngine.dll
		19	monEngine.dll	Mon_Engine_Initialize + 0x12	0x7feefb91922	C:\Program Files\Dell\PPO\monEngine.dll
		20	poaService.exe	poaService.exe + 0x1ee6c	0x13f47ee6c	C:\Program Files\Dell\PPO\poaService.exe
		21	poaService.exe	poaService.exe + 0x1f39f	0x13f47f39f	C:\Program Files\Dell\PPO\poaService.exe
		22	poaService.exe	poaService.exe + 0x235f3	0x13f4835f3	C:\Program Files\Dell\PPO\poaService.exe
		23	sechost.dll	RegisterServiceCtrlHandlerExA + 0x269	0x7fefee0a82d	C:\Windows\System32\sechost.dll
		24	kernel32.dll	BaseThreadInitThunk + 0xd	0x773959cd	C:\Windows\System32\kernel32.dll
		25	ntdll.dll	RtlUserThreadStart + 0x21	0x775ca2e1	C:\Windows\System32\ntdll.dll

The absence of atiadlxx.dll forces the system to search for this DLL in the directories pointed to by the PATH environment variable, which gives attackers the possibility to put a malicious DLL in one of the directories to which they have write permissions. The digital signature of the DLL is not checked before it is loaded. As a result, malicious code is loaded into the poaService.exe service, which leads to local privilege escalation.
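The two preconditions described above (a DLL that is missing from the install directory and a PATH directory that low-privilege users can write to) can be audited on a host with the following script. It is an added example, not part of the Talos advisory or of Dell's software; the DLL name and install path are taken from the advisory, while the list of low-privilege SIDs treated as "untrusted writers" is an assumption of this example.

```powershell
# Added example (not from the advisory): audit a Windows host for the
# preconditions of this DLL search-order hijack.
$dllName    = 'atiadlxx.dll'                 # missing DLL named in the advisory
$installDir = 'C:\Program Files\Dell\PPO'    # install directory from the advisory
# Assumed set of principals a local, unprivileged user is a member of:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
# Planting a new file in a directory needs the CreateFiles (WriteData) right;
# Write, Modify and FullControl all include it.
$createMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-Sid([System.Security.Principal.IdentityReference]$id) {
    try { return $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # unresolvable (orphaned) account
}

$pathDirs = ($env:PATH -split ';') | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' } | Select-Object -Unique

# 1. Is a copy of the DLL present in the install dir or anywhere on PATH?
#    The advisory says it is absent by default, so any copy found outside a
#    vendor-installed, validly signed location deserves a look.
foreach ($dir in @($installDir) + $pathDirs) {
    $candidate = Join-Path $dir $dllName
    if (Test-Path -LiteralPath $candidate) {
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        Write-Output ("FOUND    {0}  signature={1}" -f $candidate, $sig.Status)
    }
}

# 2. Which PATH directories grant create-file rights to low-privilege principals?
foreach ($dir in $pathDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is still searched; note it so the
        # parent directory's permissions can be reviewed as well.
        Write-Output ("MISSING  {0}" -f $dir)
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $createMask) -eq 0) { continue }
        $sid = Get-Sid $ace.IdentityReference
        if ($sid -and ($lowPrivSids -contains $sid)) {
            Write-Output ("WRITABLE {0}  by {1} ({2})" -f $dir, $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
}
```

Run it as the account whose PATH the service would inherit (the system PATH for a service); a `WRITABLE` line for any entry is the condition that turns the missing DLL into a privilege escalation and should be fixed by tightening that directory's ACL or removing it from PATH.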

Timeline

2016-12-01 - Vendor Disclosure
2017-06-30 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.