PDQ Smart Deploy Insecure Permissions Vulnerability Allowing Arbitrary Code Execution

Vulnerability

PDQ Smart Deploy version 3.0.2040 contains a vulnerability that allows local attackers to execute arbitrary code. The issue arises from insecure permissions on the SmartDeploy key in the Windows registry, HKLM\SYSTEM\Setup\SmartDeploy. Low-privileged users can exploit this vulnerability to access and decrypt sensitive credentials, such as Local Administrator or Active Directory domain accounts, which are stored in the registry or in OS deployment files on deployment servers.

Impact

Exploitation of this vulnerability could lead to unauthorized access and decryption of privileged credentials, allowing for privilege escalation on local or remote hosts.

Reproduction

The vulnerability can be reproduced by deploying an OS image using PDQ Smart Deploy version 3.0.2040, either through the SmartDeploy console or via Windows Deployment Services (WDS) integration. During the deployment, credentials are embedded in an Answer File, which is then accessed by the SmartDeploy application on the target machine. Once the OS is deployed, the registry key at HKLM\SYSTEM\Setup\SmartDeploy will contain the decrypted credentials, which can be read by low-privileged users.

Remediation

Users can upgrade to PDQ Smart Deploy version 3.0.2046, which addresses this vulnerability.
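
To find deployed hosts where the key named above is present and readable by low-privileged principals, the following PowerShell check can be run on each imaged machine. It is an added example, not code from this advisory or from PDQ; the function name and the list of "broad" principals are assumptions of the example.

```powershell
# Added example: audit a host for the registry key named in the advisory.
# Test-SmartDeployKeyExposure and $broadSids are hypothetical names chosen here.
function Test-SmartDeployKeyExposure {
    param([string]$KeyPath = 'HKLM:\SYSTEM\Setup\SmartDeploy')

    $result = [ordered]@{
        Host = $env:COMPUTERNAME; KeyPresent = $false
        ValueCount = 0; BroadReaders = @(); Exposed = $false
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return [pscustomobject]$result }
    $result.KeyPresent = $true

    # Well-known SIDs that include low-privileged local users (assumed set).
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # Resolve ACEs to SIDs so the match does not depend on the OS language.
    $acl   = Get-Acl -LiteralPath $KeyPath
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $result.BroadReaders = @(foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        # QueryValues (0x1), or the generic read/all bits inherited ACEs may carry.
        $mask = [int]$rule.RegistryRights
        if (($mask -band 0x1) -or ($mask -band 0x80000000) -or ($mask -band 0x10000000)) {
            '{0} (inherited={1})' -f $broadSids[$sid], $rule.IsInherited
        }
    })

    # Count values only; their contents are deliberately never read or printed.
    $result.ValueCount = (Get-Item -LiteralPath $KeyPath).ValueCount
    $result.Exposed    = ($result.ValueCount -gt 0) -and ($result.BroadReaders.Count -gt 0)
    return [pscustomobject]$result
}

Test-SmartDeployKeyExposure | Format-List
```

The check considers Allow entries only and does not evaluate Deny entries, so a host reported as `Exposed` should be confirmed against the key's full ACL.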

Added: Aug 22, 2025, 4:24 PM
Updated: Aug 22, 2025, 4:24 PM