Privilege escalation vulnerabilities are a dime a dozen these days. But what if an attacker could take control of an application that already runs with the highest privileges on the machine? That is a far worse situation. A flaw in a component that runs as SYSTEM has left millions of Dell PCs vulnerable.
What is Dell SupportAssist?
Dell SupportAssist is software that comes preinstalled on Dell PCs and can also be installed manually. According to Dell, it was introduced to ease troubleshooting on Dell devices. SupportAssist is available only for Dell devices running Windows. It can read highly sensitive information from the hardware, and the components of SupportAssist that access this data were developed by PC-Doctor.
The software is given SYSTEM-level privileges so that it can identify and resolve hardware and software issues. That makes it an attractive target for an attacker: its binaries carry a valid digital signature, so they are trusted by application whitelisting and similar controls, and anything that executes inside them inherits both the trust and the privileges. SafeBreach Labs discovered a vulnerability in this application.
Why is Dell SupportAssist vulnerable?
SupportAssist does not load DLLs securely.
SafeBreach observed that when the “Dell Hardware Support” service starts, it first executes DSAPI.exe (Dell Hardware Support), which in turn runs pcdrwi.exe (PC-Doctor Communications Manager). pcdrwi.exe then launches a set of PC-Doctor modules with the .p5x extension, which collect OS and hardware information for troubleshooting. The actual flaw lies in these modules, and the devil is in the details.
Observing this chain with Process Monitor showed the .p5x modules loading DLLs to gather information from various sources. Three of the modules tried to load DLLs named LenovoInfo.dll, AlienFX.dll, atiadlxx.dll and atiadlxy.dll. An attacker only has to drop a DLL of their own under one of those names into a directory that the process searches and that a low-privileged user can write to. It is perturbing that the modules load such a file without complaint and execute it with SYSTEM privileges.
A utility library named Common.dll is used by the .p5x modules to perform the loads. Analysis of this library reveals two factors that together create this vulnerability:
- No validation that the DLL about to be loaded carries a valid digital signature.
- The modules are loaded with LoadLibraryW given only a DLL file name, not a full path. Windows therefore applies its standard DLL search order, which ends with every directory listed in the PATH environment variable. If a low-privileged user can write to any directory searched before the real DLL is found (or to any searched directory at all when no DLL of that name exists), that user controls which file the SYSTEM process loads.
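The two root causes above translate directly into two checks a practitioner can run on a machine. The following PowerShell script is an added example written for this page, not code from SafeBreach, Dell or PC-Doctor. It models the default Windows DLL search order for a bare-filename LoadLibraryW call (so it applies to any service with the same pattern, not only SupportAssist), reports directories where Everyone, Authenticated Users or BUILTIN\Users could plant one of the four DLL names mentioned in the write-up, and then checks the Authenticode signature of whatever currently resolves under those names, which is the check Common.dll omitted. The install directory of the .p5x modules and the service's current directory are assumptions, marked as such in the code.

```powershell
# Added example (not SafeBreach's, Dell's or PC-Doctor's code).
# 1. Which directories in the loader's search path could a low-privileged user
#    write a DLL into?  2. Is the DLL that resolves today actually signed?

# DLL names as observed in the write-up above.
$DllNames = 'LenovoInfo.dll', 'AlienFX.dll', 'atiadlxx.dll', 'atiadlxy.dll'

# ASSUMPTION: directory the .p5x modules run from; adjust to your install path.
$AppDir = 'C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist'

# Default search order for a process that has not called SetDefaultDllDirectories:
# application dir, System32, 16-bit System dir, Windows dir, current dir, PATH entries.
# ASSUMPTION: the service's current directory is System32 (already listed), so it is
# not repeated here. The service sees the machine-scope PATH, not the user's.
$machinePath = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
$SearchOrder = (@($AppDir, "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) + $machinePath) |
    ForEach-Object { $_.TrimEnd('\') }

function Test-LowPrivWritable {
    # True if Everyone, Authenticated Users or BUILTIN\Users hold an Allow ACE that
    # permits creating or modifying files. Deliberately coarse: Deny ACEs and
    # inherit-only ACEs are not weighed, so treat each hit as a lead to confirm by hand.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [int][System.Security.AccessControl.FileSystemRights]::FullControl
    try { $acl = Get-Acl -LiteralPath $Dir } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($lowPrivSids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $writeBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-DllPlantingLocations {
    foreach ($name in $DllNames) {
        # Where the loader finds the DLL today, if anywhere.
        $resolvedDir = $null
        foreach ($dir in $SearchOrder) {
            if (Test-Path -LiteralPath ([IO.Path]::Combine($dir, $name)) -PathType Leaf) { $resolvedDir = $dir; break }
        }
        # Every directory searched before the current hit (all of them when the DLL
        # is absent) is a planting location if a low-privileged user can write there.
        foreach ($dir in $SearchOrder) {
            if ($dir -eq $resolvedDir) { break }
            if (Test-LowPrivWritable $dir) {
                [pscustomobject]@{ Dll = $name; PlantIn = $dir; ResolvesTo = $resolvedDir }
            }
        }
    }
}

function Get-ResolvedDllSignature {
    # The check Common.dll should have made before loading: verify the signature of
    # the file that actually resolves under each name.
    foreach ($name in $DllNames) {
        foreach ($dir in $SearchOrder) {
            $path = [IO.Path]::Combine($dir, $name)
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{ Dll = $name; Path = $path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
                break
            }
        }
    }
}

Get-DllPlantingLocations | Format-Table -AutoSize
Get-ResolvedDllSignature | Format-Table -AutoSize
```

Any row from Get-DllPlantingLocations means a standard user can drop a file that a SYSTEM process will load by name; a Status other than Valid from Get-ResolvedDllSignature means the file that already resolves would have been loaded without any proof of origin. On an unpatched machine the fix on the developer side is the mirror image of this script: load with an absolute path (or LoadLibraryExW with LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR), and verify the signature before calling the loader.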
The vulnerability has been assigned CVE-2019-12280. Dell has released a fix; the update is installed automatically on PCs with automatic updates enabled, and it can also be downloaded and installed manually.
Affected: the PC-Doctor component in
- Dell SupportAssist for Business PCs version 2.0
- Dell SupportAssist for Home PCs version 3.2.1 and before
Other affected products are rebrandings of PC-Doctor Toolbox for Windows: CORSAIR ONE Diagnostics, CORSAIR Diagnostics, Staples EasyTech Diagnostics, Tobii I-Series Diagnostic Tool and Tobii Dynavox Diagnostic Tool.
An attacker who can write to a directory on the search path can exploit this DLL search-order hijacking in SupportAssist to bypass application whitelisting and signature validation (the malicious code runs inside a signed, trusted process), read sensitive data or fully compromise the system.
To close the hole, upgrade to:
- Dell SupportAssist for Business PCs version 2.0.1
- Dell SupportAssist for Home PCs version 3.2.2
For details, please refer to Dell's KB article on the issue.