Serious flaw in Dell SupportAssist may lead to client-side RCE - vulnerability warning - the black bar safety net

2019-05-12T00:00:00
ID MYHACK58:62201994091
Type myhack58
Reporter Anonymous
Modified 2019-05-12T00:00:00

Description


Foreword

Do you use a computer? Who made it? Have you ever wondered what software it ships with? When we talk about remote code execution vulnerabilities we usually think of bugs in the operating system, but another attack surface is the question "what third-party software is on my computer?". In this article I describe a remote code execution vulnerability I found in Dell SupportAssist (Dell's driver assistant), software that "proactively checks the health of your system's hardware and software" and "is preinstalled on most new Dell devices running the Windows operating system".

Finding the vulnerability

About nine months ago my seven-year-old MacBook Pro stopped working, so I went looking for a new laptop. I wanted something affordable with good performance, and I chose the Dell G3 15. At the same time I upgraded its 1 TB mechanical hard disk to an SSD. After the upgrade I reinstalled Windows and needed to reinstall the drivers. That is where things got interesting.

On the Dell support site I found an interesting option: "Detect PC". Detect my PC? How does that work? With that question in mind I clicked it to see what would happen.

It turned out to be a program that installs drivers automatically. Convenient, but it looked risky. Since my machine had just been reinstalled, no agent was present, so I decided to install it and see what happened. Dell's claim that it can update the user's drivers from a website looked suspicious. Clicking the Install button installs it with no further interaction. In the background, the installer created the SupportAssist Agent and Dell Hardware Assistant services. These services consist of .NET binaries, so I could reverse engineer them easily.

After the installation finished, I went back to the Dell site to see whether it could detect anything. I opened the Chrome Developer Tools, selected the Network tab, and clicked "Detect Drivers" on the page.

The website sent a request to port 8884 on my laptop (127.0.0.1). Using Process Hacker I found that the SupportAssist Agent was listening on that port with a web server. This port exposes an API for the various Dell services, which the Dell website uses to issue commands. Looking at the web server's responses, I saw that it strictly follows an Access-Control-Allow-Origin: https://www.dell.com policy to keep other sites from sending requests to it.
On the browser side, the client has to supply a signature that is used to validate the various commands. A request to https://www.dell.com/support/home/cn/EN/cndhs1/drivers/driversbyscan/getdsdtoken generates a signature; when a signature has expired, a newly generated one can be used. After clicking to start the driver download, the next request is the interesting one:

    POST http://127.0.0.1:8884/downloadservice/downloadmanualinstall?expires=expiretime&signature=signature
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: application/json
    Origin: https://www.dell.com
    Referer: https://www.dell.com/support/home/us/en/19/product-support/servicetag/xxxxx/drivers?showresult=true&files=1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

    Content:
    [
      {
        "title": "Dell G3 3579 and 3779 System BIOS",
        "category": "BIOS",
        "name": "G3_3579_1.9.0.exe",
        "location": "https://downloads.dell.com/FOLDER05519523M/1/G3_3579_1.9.0.exe?uid=29b17007-bead-4ab2-859e-29b6f1327ea1&fn=G3_3579_1.9.0.exe",
        "isSecure": false,
        "fileUniqueId": "acd94f47-7614-44de-baca-9ab6af08cf66",
        "run": false,
        "restricted": false,
        "fileId": "198393521",
        "fileSize": "13 MB",
        "checkedStatus": false,
        "fileStatus": -99,
        "driverId": "4WW45",
        "path": "",
        "dupInstallReturnCode": "",
        "cssClass": "inactive-step",
        "isReboot": true,
        "DiableInstallNow": true,
        "$$hashKey": "object:175"
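As an added illustration (not code from this article or from Dell), the following Python model captures the two controls the text describes on the agent's port 8884: an Origin allow-list for https://www.dell.com and an expiring signature fetched from the token endpoint. The token format, the HMAC key and the exact-versus-substring origin comparison are assumptions made for the example; the page does not say how SupportAssist implements any of them. The model also makes a point the text glosses over: Access-Control-Allow-Origin is enforced by browsers only, so a program on the machine or on the network path can send the POST directly, and the agent's own Origin and token checks have to hold up on their own.

```python
"""Model of a localhost agent that accepts commands only from one web origin
and only with a signed, expiring token, plus the checks a tester would run
against it. Constructed example; the real SupportAssist token scheme and key
are not disclosed on the page."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

ALLOWED_ORIGIN = "https://www.dell.com"     # value of the CORS header seen on the page
SECRET = b"demo-key-not-the-real-one"       # assumption: HMAC key held by the agent


def make_token(expires: int, key: bytes = SECRET) -> str:
    """Assumed model of what the token endpoint returns: an HMAC over the expiry."""
    return hmac.new(key, str(expires).encode(), hashlib.sha256).hexdigest()


def origin_allowed_exact(origin) -> bool:
    """Strict allow-list: scheme, host and port must match exactly."""
    return origin == ALLOWED_ORIGIN


def origin_allowed_loose(origin) -> bool:
    """Weak variant kept only as a test case: substring matching also accepts
    https://www.dell.com.evil.example. Never ship this."""
    return "dell.com" in (origin or "")


def authorize(origin, url, now, origin_check=origin_allowed_exact, key=SECRET):
    """Decide whether a request like the downloadmanualinstall POST may run.

    Returns (ok, reason). `url` carries ?expires=<unix time>&signature=<hex>
    in the shape of the captured request; `now` is the agent's clock."""
    if not origin_check(origin):
        return False, "origin not allowed"
    query = parse_qs(urlsplit(url).query)
    try:
        expires = int(query["expires"][0])
        signature = query["signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    if now > expires:
        # An expired token is rejected; the client has to fetch a fresh one
        # from the token endpoint, as the text describes.
        return False, "token expired"
    if not hmac.compare_digest(signature, make_token(expires, key)):
        return False, "bad signature"
    return True, "ok"


def cors_headers(origin, origin_check=origin_allowed_exact):
    """Response headers the agent would add. Only browsers act on them; a script
    or proxy talking to port 8884 directly is not stopped by this header, which
    is why `authorize` checks the Origin and the token itself."""
    if origin_check(origin):
        return {"Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin"}
    return {}


def build_url(expires: int, key: bytes = SECRET) -> str:
    """Request target in the shape of the captured POST, carrying a fresh token."""
    return ("http://127.0.0.1:8884/downloadservice/downloadmanualinstall"
            f"?expires={expires}&signature={make_token(expires, key)}")


if __name__ == "__main__":
    now = 1_700_000_000            # constructed clock value
    url = build_url(now + 600)
    for origin in (ALLOWED_ORIGIN, "https://evil.example",
                   "https://www.dell.com.evil.example"):
        print(origin, "exact:", authorize(origin, url, now),
              "loose:", authorize(origin, url, now, origin_check=origin_allowed_loose))
    print("expired:", authorize(ALLOWED_ORIGIN, url, now + 601))
```

Run it and compare the `exact:` and `loose:` columns: the only difference is the third origin, which a substring comparison lets through. When reviewing a localhost agent like this one, the questions to ask are exactly those the functions separate out: how the origin is compared, whether the token is bound to an expiry the agent checks, and what happens when the request arrives from something that is not a browser.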
