Support Dell System Detect tool put PCs at risk

The exploitation of the Dell System Detect tool would allow threat actors to remotely install malware on users’ Dell computers.

This issue was first discussed in mid-November 2014, when it was discovered and reported to Dell. Dell patched it in January 2015, but it is uncertain whether the fix closed all the “holes”.

The faulty application is called “Dell System Detect” and is installed by Dell computer owners when they access Dell’s support website for the first time. Its main purpose is to detect the product the customer is using and provide the drivers for that hardware.

Security researcher Tom Forbes had already reported the flaw in this software to Dell last year. By reverse engineering the software he found that the program installs a web server that listens on port 8884; Dell’s website sends JavaScript requests to this local server to communicate with “Dell System Detect”.

Before the patch, Forbes tested the software and made an interesting discovery: “Dell System Detect” checked whether the website sending the JavaScript request had “dell” in its URL before acting on the request. Dell obviously added this check to prevent other websites from communicating with the program, but the check was faulty because it matched any URL containing the string “dell”. The program would accept www.dell.com, but it would also accept any other domain containing the word dell, such as www.myfakedell.com; as a consequence, an attacker only has to register such a domain to take advantage of the flaw.

Besides this, the software could be used to force the system to download and silently install malicious programs. Forbes discovered how to trigger the “downloadandautoinstall” function and wrote a Python script that generates valid authentication tokens:

  “So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL. This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user.”

Forbes also explained that Dell patched the software on 9 January, blocking the original exploit, but he could not check how authentication is performed in the new version because Dell has now obfuscated the program’s code, which makes reversing it much more difficult.

Dell System detect tool

Let’s close the post with the comment provided by Tom Forbes:

“I don’t think Dell should be including all this functionality in such a simple tool and should have ensured adequate protection against malicious inputs. After contacting Dell and discussing the issue with their internal security team they pushed out a fix that included obfuscating the downloaded binary. While I cannot be sure I think they simply changed the conditional from “if dell in referrer” to “if dell in referrer domain name”, which may be slightly harder to exploit but just as severe. There is now also a big agreement you have to accept before downloading that specifies what the software can do.”
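As an added example (not code from the original post, and not Forbes’s token-generation script), the following Python models the three referrer checks discussed above: the pre-patch substring match on the whole URL, Forbes’s guess that the January fix moved the match to the host name, and a strict allowlist that accepts only dell.com or one of its subdomains over HTTPS. The sample Referer values are constructed for the comparison; the attacker domains are illustrative, not domains from the original report.

```python
from urllib.parse import urlsplit

# Constructed sample Referer values for the comparison (not from the original post).
SAMPLE_REFERERS = [
    "https://www.dell.com/support/home",          # the legitimate caller
    "http://www.dell.com/support/home",           # legitimate host, but plain HTTP
    "https://www.myfakedell.com/",                # attacker domain containing "dell"
    "https://evil.example/?page=www.dell.com",    # "dell" only in the query string
    "https://www.dell.com.evil.example/",         # "dell.com" as a prefix of the host
    "https://www.dell.com@evil.example/",         # "dell.com" in the userinfo part
]


def original_check(referer: str) -> bool:
    """Model of the pre-patch check described by Forbes: accept any URL containing "dell"."""
    return "dell" in referer


def patched_guess_check(referer: str) -> bool:
    """Forbes's guess at the January fix: "dell" must appear in the referrer's host name."""
    host = urlsplit(referer).hostname or ""
    return "dell" in host


def strict_check(referer: str, allowed_domain: str = "dell.com") -> bool:
    """Hardened check: HTTPS only, and the host must be the allowed domain or a subdomain of it."""
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False
    # .hostname strips userinfo and port and lowercases; drop a trailing dot (absolute FQDN).
    host = (parts.hostname or "").lower().rstrip(".")
    return host == allowed_domain or host.endswith("." + allowed_domain)


def compare(referers=SAMPLE_REFERERS):
    """Return {referer: (original, patched_guess, strict)} for each sample referrer."""
    return {
        r: (original_check(r), patched_guess_check(r), strict_check(r))
        for r in referers
    }


if __name__ == "__main__":
    for referer, (orig, guess, strict) in compare().items():
        print(f"{referer:45} original={orig!s:5} host-guess={guess!s:5} strict={strict}")
```

Only the legitimate HTTPS dell.com referrer passes the strict check; the substring variants also admit the look-alike domain, a “dell” in the query string, a dell.com prefix on an attacker host and a dell.com userinfo component. Even the strict check only limits which pages can talk to the listener from a browser: any local process can send an arbitrary Referer to port 8884, so an origin check is no substitute for not exposing a download-and-execute action at all.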

About the Author Elsio Pinto

Elsio Pinto is currently the Lead McAfee Security Engineer at Swiss Re, and he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs –  Dell System Detect,  Dell)