Dell support tool put PCs at risk of malware infection

24.03.2015
Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers' products.

A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it's not clear if the fix closed all avenues for abuse.

The application, called Dell System Detect, is offered for download when users click the "Detect Product" button on Dell's support site for the first time. It is meant to help the website automatically detect the user's product -- more specifically its Service Tag -- so that it can offer the corresponding drivers and resources.

Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user's browser.

More interestingly, Forbes found that the program tested if the sites sending requests had "dell" in their URLs before acting on those requests. While this was likely intended to prevent unauthorized websites from talking to the program, the check was flawed because it not only matched www.dell.com, but also any site with "dell" in its path, for example evil-site.com/dell.

Furthermore, aside from Service Tag detection, Dell System Detect also had other functions that could be triggered remotely, the researcher found. These included getdevices, getsysteminfo, checkadminrights, downloadfiles and downloadandautoinstall.

The last one was particularly dangerous because it suggested that a non-Dell site could force the System Detect application to download and silently install a malicious program.

Forbes found that a form of authentication was required to trigger the downloadandautoinstall function, but that too was weak and relied on a hard-coded identifier. So he built a Python script that could generate valid authentication tokens.

"So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL," Forbes said Monday in a blog post that described the vulnerability in detail. "This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user."

Dell pushed an automatic update to all affected System Detect users on Jan. 9 that blocked the original exploit, Forbes said Tuesday via email.

However, the researcher couldn't check how the authentication mechanism was changed in the new version, because Dell obfuscated the program's code making reverse engineering much harder.

It could be that the company just changed the check from "if dell is in the referrer" to "if dell is in the referrer domain name," which would prevent the original attack, but would still be exploitable, the researcher said in his blog post.

"However I must stress that this is not verified as the source code is obscured, and they have improved the security of other parts of the program so it may be that this check is not important any more," he clarified via email Tuesday.

A Dell spokesman said Tuesday the flaw has been fixed.

Even with the flaw now patched, the fact that it existed in the first place may make some users anxious. Suspicions of hardware and software companies helping governments spy on users have intensified over the past two years, partially fueled by revelations of widespread surveillance disclosed by former U.S. National Security Agency contractor Edward Snowden.

"We have not, and do not, work with any government to compromise our products or make them potentially vulnerable to exploit," the Dell spokesman said via email. "This includes alleged creation of 'software implants' or so-called 'backdoors'."

Lucian Constantin

Zur Startseite