Vulnerabilities > CVE-2017-2802 - Untrusted Search Path vulnerability in Dell Precision Optimizer 3.5.5.0
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable dll hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious dll file located in one of directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to vulnerable system can exploit this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging/Manipulating Configuration File Search Paths This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.
Seebug
bulletinFamily | exploit |
description | ### Summary An exploitable dll hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious dll file located in one of directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to vulnerable system can exploit this vulnerability. ### Tested Versions Dell Precision Tower 5810 with nvidia graphic cards. PPO Policy Processing Engine - FileVersion : 3.5.5.0 ati.dll ( PPO Monitoring Plugin ) - FileVersion : 3.5.5.0 ### Product URLs http://www.dell.com/optimizer ### CVSSv3 Score 7.1 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N ### Details This vulnerability is present in the Dell Precision Optimizer application service which is pre-installed on, e.g., a Dell Precision Tower 5810 with Windows. Part of official application description : ``` """ Don’t waste hours manually setting up your Workstation to get the best possible Independent Software Vendor (ISV) application performance. With Dell Precision Optimizer, an automated tool included on every Precision Workstation at no additional cost, your Workstation can be set up at the touch of the button, letting you get on with your pressing projects """ Dll Hijacking vulnerability affecting this service leads to local privilege escalation. During the start of the `Dell PPO Service` service: `c:\Program Files\Dell\PPO\poaService.exe` it loads `c:\Program Files\Dell\PPO\ati.dll`. This DLL in turn tries to load `atiadlxx.dll` which is not available in the application's installation directory by default. Here is the call stack showing the call to `LoadLibrary` by ati.dll trying to load `atiadlxx.dll`: Frame Module Location Address Path 0 fltmgr.sys FltAcquirePushLockShared + 0x907 0xfffff88001974067 C:\Windows\system32\drivers\fltmgr.sys 1 fltmgr.sys FltIsCallbackDataDirty + 0x20ba 0xfffff880019769aa C:\Windows\system32\drivers\fltmgr.sys 2 fltmgr.sys FltReadFile + 0x10363 0xfffff880019942a3 C:\Windows\system32\drivers\fltmgr.sys 3 ntoskrnl.exe MmCreateSection + 0x2d2b 0xfffff800033866cb C:\Windows\system32\ntoskrnl.exe 4 ntoskrnl.exe SeQueryInformationToken + 0xe3e 0xfffff800033821ee C:\Windows\system32\ntoskrnl.exe 5 ntoskrnl.exe ObOpenObjectByName + 0x306 0xfffff80003382cd6 C:\Windows\system32\ntoskrnl.exe 6 ntoskrnl.exe NtOpenProcessTokenEx + 0x326 0xfffff8000335f406 C:\Windows\system32\ntoskrnl.exe 7 ntoskrnl.exe KeSynchronizeExecution + 0x3a23 0xfffff8000307f6d3 C:\Windows\system32\ntoskrnl.exe 8 ntdll.dll ZwQueryAttributesFile + 0xa 0x775ebf0a C:\Windows\System32\ntdll.dll 9 ntdll.dll TpAllocTimer + 0x46c 0x775d64dc C:\Windows\System32\ntdll.dll 10 ntdll.dll RtlCopyUnicodeString + 0x7d7 0x775e5027 C:\Windows\System32\ntdll.dll 11 ntdll.dll RtlSubAuthorityCountSid + 0x94 0x775cee04 C:\Windows\System32\ntdll.dll 12 ntdll.dll LdrLoadDll + 0x1c3 0x775c5da3 C:\Windows\System32\ntdll.dll 13 ntdll.dll LdrLoadDll + 0x3ef 0x775c5fcf C:\Windows\System32\ntdll.dll 14 KernelBase.dll TlsGetValue + 0x4756 0x7fefd570176 C:\Windows\System32\KernelBase.dll 15 ati.dll ati.dll + 0x103f 0x7feefa9103f C:\Program Files\Dell\PPO\ati.dll 16 ati.dll MPI_Open + 0x2a 0x7feefa9362a C:\Program Files\Dell\PPO\ati.dll 17 monEngine.dll monEngine.dll + 0x1251 0x7feefb91251 C:\Program Files\Dell\PPO\monEngine.dll 18 monEngine.dll monEngine.dll + 0x15cf 0x7feefb915cf C:\Program Files\Dell\PPO\monEngine.dll 19 monEngine.dll Mon_Engine_Initialize + 0x12 0x7feefb91922 C:\Program Files\Dell\PPO\monEngine.dll 20 poaService.exe poaService.exe + 0x1ee6c 0x13f47ee6c C:\Program Files\Dell\PPO\poaService.exe 21 poaService.exe poaService.exe + 0x1f39f 0x13f47f39f C:\Program Files\Dell\PPO\poaService.exe 22 poaService.exe poaService.exe + 0x235f3 0x13f4835f3 C:\Program Files\Dell\PPO\poaService.exe 23 sechost.dll RegisterServiceCtrlHandlerExA + 0x269 0x7fefee0a82d C:\Windows\System32\sechost.dll 24 kernel32.dll BaseThreadInitThunk + 0xd 0x773959cd C:\Windows\System32\kernel32.dll 25 ntdll.dll RtlUserThreadStart + 0x21 0x775ca2e1 C:\Windows\System32\ntdll.dll ``` The absence of the `atiadlxx.dll`, forces the system to search for this DLL in directories pointed to by the PATH environment variable, which gives attackers the possibility to put a malicious DLL in one of the directories to which they have write permissions. The digital signature of the DLL is not checked before it is loaded. As a result, malicious code is loaded into the `poaService.exe` service, which leads to local privilege escalation. ### Timeline * 2016-12-01 - Vendor Disclosure * 2017-06-30 - Public Release ### CREDIT * Discovered by Marcin 'Icewall' Noga of Cisco Talos. |
id | SSV:96480 |
last seen | 2017-11-19 |
modified | 2017-09-14 |
published | 2017-09-14 |
reporter | Root |
title | Dell Precision Optimizer Local Privilege Escalation Vulnerability(CVE-2017-2802) |
Talos
id | TALOS-2016-0247 |
last seen | 2019-07-18 |
published | 2017-06-30 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0247 |
title | Dell Precision Optimizer Local Privilege Escalation Vulnerability |