Menu
Dell support tool put PCs at risk of malware infection

Dell support tool put PCs at risk of malware infection

Weak authentication in Dell's System Detect utility could have enabled drive-by malware attacks

Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers' products.

A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it's not clear if the fix closed all avenues for abuse.

The application, called Dell System Detect, is offered for download when users click the "Detect Product" button on Dell's support site for the first time. It is meant to help the website automatically detect the user's product -- more specifically its Service Tag -- so that it can offer the corresponding drivers and resources.

Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user's browser.

More interestingly, Forbes found that the program tested if the sites sending requests had "dell" in their URLs before acting on those requests. While this was likely intended to prevent unauthorized websites from talking to the program, the check was flawed because it not only matched www.dell.com, but also any site with "dell" in its path, for example evil-site.com/dell.

Furthermore, aside from Service Tag detection, Dell System Detect also had other functions that could be triggered remotely, the researcher found. These included getdevices, getsysteminfo, checkadminrights, downloadfiles and downloadandautoinstall.

The last one was particularly dangerous because it suggested that a non-Dell site could force the System Detect application to download and silently install a malicious program.

Forbes found that a form of authentication was required to trigger the downloadandautoinstall function, but that too was weak and relied on a hard-coded identifier. So he built a Python script that could generate valid authentication tokens.

"So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL," Forbes said Monday in a blog post that described the vulnerability in detail. "This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user."

Dell pushed an automatic update to all affected System Detect users on Jan. 9 that blocked the original exploit, Forbes said Tuesday via email.

However, the researcher couldn't check how the authentication mechanism was changed in the new version, because Dell obfuscated the program's code making reverse engineering much harder.

It could be that the company just changed the check from "if dell is in the referrer" to "if dell is in the referrer domain name," which would prevent the original attack, but would still be exploitable, the researcher said in his blog post.

"However I must stress that this is not verified as the source code is obscured, and they have improved the security of other parts of the program so it may be that this check is not important any more," he clarified via email Tuesday.

A Dell spokesman said Tuesday the flaw has been fixed.

Even with the flaw now patched, the fact that it existed in the first place may make some users anxious. Suspicions of hardware and software companies helping governments spy on users have intensified over the past two years, partially fueled by revelations of widespread surveillance disclosed by former U.S. National Security Agency contractor Edward Snowden.

"We have not, and do not, work with any government to compromise our products or make them potentially vulnerable to exploit," the Dell spokesman said via email. "This includes alleged creation of 'software implants' or so-called 'backdoors'."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags DellintrusionsecurityAccess control and authenticationExploits / vulnerabilitiesmalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments