Dell SupportAssist Assists Attackers


Jun 23, 2019 | By Vidita V Koushik | 3 min read

Privilege escalation vulnerabilities are a dime a dozen these days. But what if an attacker could take control of an application that runs with the highest privileges? Then it’s an apocalypse! A flaw (the Dell SupportAssist vulnerability) in an application running with administrator privileges has left millions of Dell PCs vulnerable. A Vulnerability Management System can resolve these issues.

What is Dell SupportAssist?

Dell SupportAssist is software that comes preinstalled on all PCs and can also be installed manually. According to Dell, this software is used to ease the troubleshooting process on Dell devices. SupportAssist is present only on Dell devices running the Windows operating system. SupportAssist can access highly sensitive information present on the hardware. The components of SupportAssist that can access this data are by PC-Doctor.

This software is given SYSTEM-level privileges for identifying and resolving hardware and software issues. SupportAssist would be an attractive target for an attacker, given that it is identified as a “signed” service by Microsoft. SafeBreach discovered a vulnerability in this application. These vulnerabilities can be prevented by using a good vulnerability management tool.

Why is Dell SupportAssist vulnerable?

SupportAssist fails to handle DLLs securely.

SafeBreach observed that when the “Dell Hardware Support” service is started, it first executes DSAPI.exe (Dell Hardware Support), which in turn executes pcdrwi.exe (PC-Doctor Communications Manager). Next, a number of PC-Doctor executables with the “p5x” extension are executed. These collect OS and hardware information for troubleshooting. The actual flaw lies here. The devil is in the details.

When this process was observed using Process Monitor, the PE files with the “p5x” extension were seen loading DLL files to collect information from various resources. Three executables were trying to load files named LenovoInfo.dll, AlienFX.dll, atiadlxx.dll, and atiadlxy.dll. A malicious DLL can be placed on a machine under the name LenovoInfo.dll, AlienFX.dll, atiadlxx.dll, or atiadlxy.dll. It is disturbing to find that the application still loads these malicious files and successfully executes them with SYSTEM privileges.

The p5x modules use a utility library named Common.dll. Analysis of this library reveals two factors that contribute to this vulnerability:

  • Improper validation of whether the DLL being loaded is signed.
  • Use of the LoadLibraryW function to load modules, which does not let the caller restrict the search order, so DLL files are looked up along the default search path, including the PATH variable, rather than only in a specified folder.
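
A triage pass over a Process Monitor CSV export for the behaviour described above: DLL lookups by SYSTEM processes that fail in a directory outside the protected system locations, which is where a planted file with that name would be picked up. This is an added example, not code from the original article or from Dell, PC-Doctor or SafeBreach. The export is assumed to include the User column; the sample rows, the `example.p5x` process name, the `C:\Tools\bin` directory and the trusted-root list are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed Process Monitor export; only the DLL names come from the article.
SAMPLE_CSV = r'''"Process Name","PID","Operation","Path","Result","User"
"example.p5x","4242","CreateFile","C:\Program Files\ExampleVendor\App\LenovoInfo.dll","NAME NOT FOUND","NT AUTHORITY\SYSTEM"
"example.p5x","4242","CreateFile","C:\Windows\System32\LenovoInfo.dll","NAME NOT FOUND","NT AUTHORITY\SYSTEM"
"example.p5x","4242","CreateFile","C:\Tools\bin\LenovoInfo.dll","NAME NOT FOUND","NT AUTHORITY\SYSTEM"
"example.p5x","4242","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","NT AUTHORITY\SYSTEM"
"notepad.exe","5150","CreateFile","C:\Users\alice\AppData\Local\Temp\atiadlxx.dll","NAME NOT FOUND","CONTOSO\alice"
"example.p5x","4242","CreateFile","C:\Tools\bin\atiadlxx.dll","NAME NOT FOUND","NT AUTHORITY\SYSTEM"
'''

# Assumption: these roots are writable by administrators only (Windows defaults).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

def is_trusted(directory):
    """True if the directory is one of the trusted roots or lies below one."""
    d = directory.lower()
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)

def find_hijackable_loads(csv_text):
    """Map (process, dll) -> untrusted directories probed for a missing DLL by SYSTEM."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll":
            continue
        if row["User"].upper() != r"NT AUTHORITY\SYSTEM":
            continue  # only lookups made with SYSTEM privileges matter here
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue  # a failed probe means a file placed here would be found
        directory = str(path.parent)
        if is_trusted(directory):
            continue
        dirs = findings.setdefault((row["Process Name"], path.name.lower()), [])
        if directory not in dirs:
            dirs.append(directory)
    return findings

if __name__ == "__main__":
    for (proc, dll), dirs in find_hijackable_loads(SAMPLE_CSV).items():
        print(f"{proc} probes for missing {dll} in: {', '.join(dirs)}")
```

Each reported directory should then be checked for write access by non-administrative users, since that is what turns a failed lookup into a SYSTEM-level load of an unsigned file.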

Dell has released a fix for this vulnerability, which is tracked as CVE-2019-12280. The updates are installed automatically on PCs if automatic updates are enabled. They can also be downloaded and installed manually.

Products Affected by the Dell SupportAssist Vulnerability:

The PC-Doctor component in:

  • Dell SupportAssist for Business PCs version 2.0
  • Dell SupportAssist for Home PCs version 3.2.1 and before

Other affected products include PC-Doctor Toolbox for Windows, rebranded as CORSAIR ONE Diagnostics, CORSAIR Diagnostics, Staples EasyTech Diagnostics, Tobii I-Series Diagnostic Tool and Tobii Dynavox Diagnostic Tool.

Impact

An attacker can exploit the DLL-Injection vulnerability in SupportAssist to conduct Application Whitelisting Bypass, Signature Validation Bypass, read sensitive data, or compromise the system.

Solution:

Dell has released a patch to fix this vulnerability. Upgrade to:

  • Dell SupportAssist for Business PCs version 2.0.1
  • Dell SupportAssist for Home PCs version 3.2.2

For details, please refer to this KB Article.
