Talos Vulnerability Report

TALOS-2016-0247

Dell Precision Optimizer Local Privilege Escalation Vulnerability

June 30, 2017
CVE Number

CVE-2017-2802

Summary

An exploitable DLL hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious DLL file located in one of the directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to a vulnerable system can exploit this vulnerability.

Tested Versions

Dell Precision Tower 5810 with NVIDIA graphics cards.
PPO Policy Processing Engine - FileVersion: 3.5.5.0
ati.dll (PPO Monitoring Plugin) - FileVersion: 3.5.5.0

Product URLs

http://www.dell.com/optimizer

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

This vulnerability is present in the Dell Precision Optimizer application service, which is pre-installed on, e.g., a Dell Precision Tower 5810 with Windows. Part of the official application description:

"""
Don’t waste hours manually setting up your Workstation to get the best possible Independent Software Vendor (ISV) application performance. 
With Dell Precision Optimizer, an automated tool included on every Precision Workstation at no additional cost, your Workstation can be set up at the touch of the button, 
letting you get on with your pressing projects
"""
A DLL hijacking vulnerability affecting this service leads to local privilege escalation.

During the start of the `Dell PPO Service` service (`c:\Program Files\Dell\PPO\poaService.exe`), it loads `c:\Program Files\Dell\PPO\ati.dll`. This DLL in turn tries to load `atiadlxx.dll`, which is not present in the application's installation directory by default.
Here is the call stack showing the call to `LoadLibrary` by ati.dll trying to load `atiadlxx.dll`:

        Frame   Module  Location    Address Path
        0   fltmgr.sys  FltAcquirePushLockShared + 0x907    0xfffff88001974067  C:\Windows\system32\drivers\fltmgr.sys
        1   fltmgr.sys  FltIsCallbackDataDirty + 0x20ba 0xfffff880019769aa  C:\Windows\system32\drivers\fltmgr.sys
        2   fltmgr.sys  FltReadFile + 0x10363   0xfffff880019942a3  C:\Windows\system32\drivers\fltmgr.sys
        3   ntoskrnl.exe    MmCreateSection + 0x2d2b    0xfffff800033866cb  C:\Windows\system32\ntoskrnl.exe
        4   ntoskrnl.exe    SeQueryInformationToken + 0xe3e 0xfffff800033821ee  C:\Windows\system32\ntoskrnl.exe
        5   ntoskrnl.exe    ObOpenObjectByName + 0x306  0xfffff80003382cd6  C:\Windows\system32\ntoskrnl.exe
        6   ntoskrnl.exe    NtOpenProcessTokenEx + 0x326    0xfffff8000335f406  C:\Windows\system32\ntoskrnl.exe
        7   ntoskrnl.exe    KeSynchronizeExecution + 0x3a23 0xfffff8000307f6d3  C:\Windows\system32\ntoskrnl.exe
        8   ntdll.dll   ZwQueryAttributesFile + 0xa 0x775ebf0a  C:\Windows\System32\ntdll.dll
        9   ntdll.dll   TpAllocTimer + 0x46c    0x775d64dc  C:\Windows\System32\ntdll.dll
        10  ntdll.dll   RtlCopyUnicodeString + 0x7d7    0x775e5027  C:\Windows\System32\ntdll.dll
        11  ntdll.dll   RtlSubAuthorityCountSid + 0x94  0x775cee04  C:\Windows\System32\ntdll.dll
        12  ntdll.dll   LdrLoadDll + 0x1c3  0x775c5da3  C:\Windows\System32\ntdll.dll
        13  ntdll.dll   LdrLoadDll + 0x3ef  0x775c5fcf  C:\Windows\System32\ntdll.dll
        14  KernelBase.dll  TlsGetValue + 0x4756    0x7fefd570176   C:\Windows\System32\KernelBase.dll
        15  ati.dll ati.dll + 0x103f    0x7feefa9103f   C:\Program Files\Dell\PPO\ati.dll
        16  ati.dll MPI_Open + 0x2a 0x7feefa9362a   C:\Program Files\Dell\PPO\ati.dll
        17  monEngine.dll   monEngine.dll + 0x1251  0x7feefb91251   C:\Program Files\Dell\PPO\monEngine.dll
        18  monEngine.dll   monEngine.dll + 0x15cf  0x7feefb915cf   C:\Program Files\Dell\PPO\monEngine.dll
        19  monEngine.dll   Mon_Engine_Initialize + 0x12    0x7feefb91922   C:\Program Files\Dell\PPO\monEngine.dll
        20  poaService.exe  poaService.exe + 0x1ee6c    0x13f47ee6c C:\Program Files\Dell\PPO\poaService.exe
        21  poaService.exe  poaService.exe + 0x1f39f    0x13f47f39f C:\Program Files\Dell\PPO\poaService.exe
        22  poaService.exe  poaService.exe + 0x235f3    0x13f4835f3 C:\Program Files\Dell\PPO\poaService.exe
        23  sechost.dll RegisterServiceCtrlHandlerExA + 0x269   0x7fefee0a82d   C:\Windows\System32\sechost.dll
        24  kernel32.dll    BaseThreadInitThunk + 0xd   0x773959cd  C:\Windows\System32\kernel32.dll
        25  ntdll.dll   RtlUserThreadStart + 0x21   0x775ca2e1  C:\Windows\System32\ntdll.dll

Because atiadlxx.dll is absent, the loader goes on to search for it in the directories pointed to by the PATH environment variable, which gives an attacker the opportunity to place a malicious DLL in any of those directories to which they have write permission. The digital signature of the DLL is not checked before it is loaded. As a result, malicious code is loaded into the poaService.exe service, which leads to local privilege escalation.
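As an added illustration (not code from this report, Dell or Talos), the following Python models the default Windows DLL search order and reports which existing, user-writable directories would be consulted before a given DLL is found; the directory layout it builds and the assumption that SafeDllSearchMode is enabled are constructed for the example.

```python
import os
import tempfile
from typing import List, Optional, Tuple

def dll_search_order(app_dir: str, system_dirs: List[str], cwd: str,
                     path_env: str) -> List[str]:
    """Default Windows order with SafeDllSearchMode enabled (assumed here):
    application directory, system directories, current directory, then each
    PATH entry in order. Duplicate entries are searched only once."""
    order = [app_dir, *system_dirs, cwd, *filter(None, path_env.split(os.pathsep))]
    seen, result = set(), []
    for d in order:
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            result.append(d)
    return result

def hijack_candidates(dll_name: str, app_dir: str, system_dirs: List[str],
                      cwd: str, path_env: str) -> Tuple[Optional[str], List[str]]:
    """Walk the search order. Return the directory in which dll_name resolves
    (None if it is absent everywhere) and every existing, user-writable
    directory consulted before it: a DLL planted there would win the search."""
    writable: List[str] = []
    for d in dll_search_order(app_dir, system_dirs, cwd, path_env):
        if os.path.isfile(os.path.join(d, dll_name)):
            return d, writable
        if os.path.isdir(d) and os.access(d, os.W_OK):
            writable.append(d)
    return None, writable

def demo() -> dict:
    """Constructed layout mirroring the report: the app directory holds ati.dll
    but not atiadlxx.dll; PATH has a user-writable entry and a missing one."""
    root = tempfile.mkdtemp()
    app, sysdir = os.path.join(root, "PPO"), os.path.join(root, "System32")
    user_bin, gone = os.path.join(root, "UserBin"), os.path.join(root, "Gone")
    for d in (app, sysdir, user_bin):
        os.makedirs(d)
    open(os.path.join(app, "ati.dll"), "wb").close()
    path_env = os.pathsep.join([sysdir, user_bin, gone])
    absent = hijack_candidates("atiadlxx.dll", app, [sysdir], app, path_env)
    present = hijack_candidates("ati.dll", app, [sysdir], app, path_env)
    name = os.path.basename
    return {"absent_resolved": absent[0],
            "absent_writable": [name(d) for d in absent[1]],
            "present_resolved": name(present[0]),
            "present_writable": [name(d) for d in present[1]]}
```

Run against a real system, pass the service's installation directory, the real system directories and the service account's PATH; any writable directory reported for a DLL the service imports but does not ship is a planting location to lock down.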

Timeline

2016-12-01 - Vendor Disclosure
2017-06-30 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.