CVE-2017-2802
An exploitable DLL hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software, version 3.5.5.0. A specifically named malicious DLL file located in one of the directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to the vulnerable system can exploit this vulnerability.
Dell Precision Tower 5810 with NVIDIA graphics cards.
PPO Policy Processing Engine - FileVersion: 3.5.5.0
ati.dll (PPO Monitoring Plugin) - FileVersion: 3.5.5.0
7.1 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
This vulnerability is present in the Dell Precision Optimizer application service, which is pre-installed on, e.g., a Dell Precision Tower 5810 with Windows. Part of the official application description: "Don't waste hours manually setting up your Workstation to get the best possible Independent Software Vendor (ISV) application performance. With Dell Precision Optimizer, an automated tool included on every Precision Workstation at no additional cost, your Workstation can be set up at the touch of the button, letting you get on with your pressing projects." A DLL hijacking vulnerability affecting this service leads to local privilege escalation.
During the start of the `Dell PPO Service` service:
`c:\Program Files\Dell\PPO\poaService.exe`
it loads `c:\Program Files\Dell\PPO\ati.dll`. This DLL in turn tries to load `atiadlxx.dll` which is not available in the application's installation directory by default.
Here is the call stack showing the call to `LoadLibrary` by ati.dll trying to load `atiadlxx.dll`:
```
Frame  Module          Location                                Address             Path
0      fltmgr.sys      FltAcquirePushLockShared + 0x907        0xfffff88001974067  C:\Windows\system32\drivers\fltmgr.sys
1      fltmgr.sys      FltIsCallbackDataDirty + 0x20ba         0xfffff880019769aa  C:\Windows\system32\drivers\fltmgr.sys
2      fltmgr.sys      FltReadFile + 0x10363                   0xfffff880019942a3  C:\Windows\system32\drivers\fltmgr.sys
3      ntoskrnl.exe    MmCreateSection + 0x2d2b                0xfffff800033866cb  C:\Windows\system32\ntoskrnl.exe
4      ntoskrnl.exe    SeQueryInformationToken + 0xe3e         0xfffff800033821ee  C:\Windows\system32\ntoskrnl.exe
5      ntoskrnl.exe    ObOpenObjectByName + 0x306              0xfffff80003382cd6  C:\Windows\system32\ntoskrnl.exe
6      ntoskrnl.exe    NtOpenProcessTokenEx + 0x326            0xfffff8000335f406  C:\Windows\system32\ntoskrnl.exe
7      ntoskrnl.exe    KeSynchronizeExecution + 0x3a23         0xfffff8000307f6d3  C:\Windows\system32\ntoskrnl.exe
8      ntdll.dll       ZwQueryAttributesFile + 0xa             0x775ebf0a          C:\Windows\System32\ntdll.dll
9      ntdll.dll       TpAllocTimer + 0x46c                    0x775d64dc          C:\Windows\System32\ntdll.dll
10     ntdll.dll       RtlCopyUnicodeString + 0x7d7            0x775e5027          C:\Windows\System32\ntdll.dll
11     ntdll.dll       RtlSubAuthorityCountSid + 0x94          0x775cee04          C:\Windows\System32\ntdll.dll
12     ntdll.dll       LdrLoadDll + 0x1c3                      0x775c5da3          C:\Windows\System32\ntdll.dll
13     ntdll.dll       LdrLoadDll + 0x3ef                      0x775c5fcf          C:\Windows\System32\ntdll.dll
14     KernelBase.dll  TlsGetValue + 0x4756                    0x7fefd570176       C:\Windows\System32\KernelBase.dll
15     ati.dll         ati.dll + 0x103f                        0x7feefa9103f       C:\Program Files\Dell\PPO\ati.dll
16     ati.dll         MPI_Open + 0x2a                         0x7feefa9362a       C:\Program Files\Dell\PPO\ati.dll
17     monEngine.dll   monEngine.dll + 0x1251                  0x7feefb91251       C:\Program Files\Dell\PPO\monEngine.dll
18     monEngine.dll   monEngine.dll + 0x15cf                  0x7feefb915cf       C:\Program Files\Dell\PPO\monEngine.dll
19     monEngine.dll   Mon_Engine_Initialize + 0x12            0x7feefb91922       C:\Program Files\Dell\PPO\monEngine.dll
20     poaService.exe  poaService.exe + 0x1ee6c                0x13f47ee6c         C:\Program Files\Dell\PPO\poaService.exe
21     poaService.exe  poaService.exe + 0x1f39f                0x13f47f39f         C:\Program Files\Dell\PPO\poaService.exe
22     poaService.exe  poaService.exe + 0x235f3                0x13f4835f3         C:\Program Files\Dell\PPO\poaService.exe
23     sechost.dll     RegisterServiceCtrlHandlerExA + 0x269   0x7fefee0a82d       C:\Windows\System32\sechost.dll
24     kernel32.dll    BaseThreadInitThunk + 0xd               0x773959cd          C:\Windows\System32\kernel32.dll
25     ntdll.dll       RtlUserThreadStart + 0x21               0x775ca2e1          C:\Windows\System32\ntdll.dll
```
The absence of `atiadlxx.dll` from the installation directory forces the system to continue the DLL search order into the directories pointed to by the PATH environment variable, which gives attackers the possibility of placing a malicious DLL in any of those directories to which they have write permissions. The digital signature of the DLL is not checked before it is loaded. As a result, malicious code is loaded into the poaService.exe service, which leads to local privilege escalation.
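As an added defender-side check (not Dell's or Talos' code), the PowerShell script below audits the two conditions this advisory describes on a given host: whether `atiadlxx.dll` is absent from the install directory (so the search falls through to PATH), and which machine-level PATH directories grant write access to low-privileged principals. The principal list and the WriteData heuristic are assumptions of the example; Deny ACEs and inherited group membership are not evaluated, so treat hits as leads to verify, not proof.

```powershell
# Added example (not Dell's or Talos' code). The service runs as SYSTEM, so the
# machine-level PATH, not the user's, is what the loader consults.
$InstallDir = 'C:\Program Files\Dell\PPO'   # path from the advisory
$MissingDll = 'atiadlxx.dll'                # DLL that ati.dll tries to load

# Assumption: principals a standard (non-admin) local user belongs to.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
# WriteData (= CreateFiles) is the bit that lets a principal drop a new file;
# Write, Modify and FullControl all include it.
$WriteData = [System.Security.AccessControl.FileSystemRights]::WriteData

function Get-WritablePathDirs {
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($entry in ($machinePath -split ';' | Where-Object { $_ -ne '' })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is itself a finding: whoever can
            # create that directory controls a DLL search location.
            [pscustomobject]@{ Directory = $dir; Principal = '(missing directory)'; Rights = 'n/a' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs not evaluated (assumption)
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteData) -eq 0) { continue }
            [pscustomobject]@{ Directory = $dir
                               Principal = $ace.IdentityReference.Value
                               Rights    = $ace.FileSystemRights }
        }
    }
}

# 1) Does the DLL exist where the loader looks first? If not, PATH is searched.
$present = Test-Path -LiteralPath (Join-Path $InstallDir $MissingDll) -PathType Leaf
Write-Host "$MissingDll present in $InstallDir : $present (False => search falls through to PATH)"

# 2) Which PATH directories could a low-privileged user write a DLL into?
$findings = @(Get-WritablePathDirs)
if ($findings.Count -gt 0) {
    Write-Host 'PATH directories writable by low-privileged principals (verify each):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No low-privilege-writable machine PATH directories found.'
}
```

Run it in an elevated PowerShell session so `Get-Acl` can read every directory; a hit in both checks means the condition described in this advisory is reachable on that host until the vendor update is applied or the writable PATH entry is fixed.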
2016-12-01 - Vendor Disclosure
2017-06-30 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.