Dell support tool put PCs at risk of malware infection

Weak authentication in Dell's System Detect utility could have enabled drive-by malware attacks

Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers' products.

A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it's not clear if the fix closed all avenues for abuse.

The application, called Dell System Detect, is offered for download when users click the "Detect Product" button on Dell's support site for the first time. It is meant to help the website automatically detect the user's product -- more specifically its Service Tag -- so that it can offer the corresponding drivers and resources.

Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user's browser.

More interestingly, Forbes found that the program tested if the sites sending requests had "dell" in their URLs before acting on those requests. While this was likely intended to prevent unauthorized websites from talking to the program, the check was flawed because it not only matched www.dell.com, but also any site with "dell" in its path, for example evil-site.com/dell.

Furthermore, aside from Service Tag detection, Dell System Detect also had other functions that could be triggered remotely, the researcher found. These included getdevices, getsysteminfo, checkadminrights, downloadfiles and downloadandautoinstall.

The last one was particularly dangerous because it suggested that a non-Dell site could force the System Detect application to download and silently install a malicious program.

Forbes found that a form of authentication was required to trigger the downloadandautoinstall function, but that too was weak and relied on a hard-coded identifier. So he built a Python script that could generate valid authentication tokens.

"So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL," Forbes said Monday in a blog post that described the vulnerability in detail. "This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user."

Dell pushed an automatic update to all affected System Detect users on Jan. 9 that blocked the original exploit, Forbes said Tuesday via email.

However, the researcher couldn't check how the authentication mechanism was changed in the new version, because Dell obfuscated the program's code, making reverse engineering much harder.

It could be that the company just changed the check from "if dell is in the referrer" to "if dell is in the referrer domain name," which would prevent the original attack, but would still be exploitable, the researcher said in his blog post.

"However I must stress that this is not verified as the source code is obscured, and they have improved the security of other parts of the program so it may be that this check is not important any more," he clarified via email Tuesday.
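The two referrer checks described above (the original "dell anywhere in the URL" test and the speculated "dell anywhere in the domain name" test) can be compared with an exact-origin allowlist. This is an added example, not code from Dell or from Forbes; the function names, the allowlist contents and the sample referrers (other than evil-site.com/dell) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only origin that should be allowed to reach the local service.
ALLOWED_ORIGINS = {("https", "www.dell.com")}


def substring_check(referrer: str) -> bool:
    """Original flawed logic as the article describes it: 'dell' anywhere in the URL."""
    return "dell" in referrer.lower()


def domain_substring_check(referrer: str) -> bool:
    """Speculated post-patch logic: 'dell' anywhere in the host name."""
    host = urlsplit(referrer).hostname or ""
    return "dell" in host


def strict_origin_check(referrer: str) -> bool:
    """Hardened form: parse the URL, then require an exact scheme + host match."""
    try:
        parts = urlsplit(referrer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    # hostname is already lower-cased and excludes userinfo and port
    return (parts.scheme, parts.hostname) in ALLOWED_ORIGINS


# Constructed sample referrers; only the second appears in the article.
SAMPLES = [
    "https://www.dell.com/support/home",
    "http://evil-site.com/dell",
    "https://dell.attacker.example/",
    "https://www.dell.com.attacker.example/x",
    "https://www.dell.com@attacker.example/",
]


def evaluate(samples=SAMPLES):
    """Return {referrer: (substring, domain_substring, strict)} for each sample."""
    return {
        r: (substring_check(r), domain_substring_check(r), strict_origin_check(r))
        for r in samples
    }


if __name__ == "__main__":
    for ref, verdicts in evaluate().items():
        print(f"{ref:45} substring={verdicts[0]} domain={verdicts[1]} strict={verdicts[2]}")
```

Only the first sample passes the strict check; the domain-substring variant still accepts any host whose name merely contains "dell", which is the residual weakness the researcher describes.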

A Dell spokesman said Tuesday the flaw has been fixed.

Even with the flaw now patched, the fact that it existed in the first place may make some users anxious. Suspicions of hardware and software companies helping governments spy on users have intensified over the past two years, partially fueled by revelations of widespread surveillance disclosed by former U.S. National Security Agency contractor Edward Snowden.

"We have not, and do not, work with any government to compromise our products or make them potentially vulnerable to exploit," the Dell spokesman said via email. "This includes alleged creation of 'software implants' or so-called 'backdoors'."

