myhack58 · Anonymous · MYHACK58:62201994710
Jun 25, 2019

Dell pre-installed SupportAssist component DLL hijacking vulnerability: more than 1 billion devices worldwide face cyber-attack risk


EPSS: 0.003 (Low), percentile 70.4%

SupportAssist is a powerful support application that helps ensure the user's system is always running optimally: it proactively finds problems and lets you run diagnostics and driver-update scans.
Recently, however, researchers found a DLL hijacking vulnerability in this tool. Fortunately, Dell has released an updated version, and all affected customers are advised to download and install it immediately.
The problem is that the vulnerability does not only affect Dell computers that use SupportAssist; it also spills over to third parties. Millions of PCs produced by Dell and other original equipment manufacturers are exposed through a vulnerable component pre-installed with SupportAssist, and the vulnerability could allow a remote attacker to completely take over an affected device.
The high-severity vulnerability, CVE-2019-12280, originates in a component of SupportAssist, which is proactive monitoring software pre-installed on PCs that automatically detects failures and sends notifications for Dell devices. The component is made by a company called PC-Doctor, which develops hardware diagnostic software for a variety of PC and laptop OEMs.
SafeBreach Labs security researcher Peleg Hadar says:
Most Dell devices running Windows come loaded with SupportAssist, which means that as long as the software is not patched, this vulnerability may affect many Dell users.
PC-Doctor has released patches to fix the affected devices. Affected customers can click here to find the latest version of SupportAssist for single-PC users, or click here for IT administrators.
Dell said it has asked users to turn on automatic updates or to update their SupportAssist software manually. A Dell spokesman said that, because the majority of customers have automatic updating enabled, about 90% of its customers have received the patch so far.
The vulnerability SafeBreach discovered is a PC-Doctor vulnerability, in a third-party component that ships with Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs. After the vulnerability was found, PC-Doctor promptly released a fix to Dell, and on May 28, 2019 Dell rolled out updates for the affected SupportAssist versions.
Vulnerability deconstruction
The vulnerability stems from a component in SupportAssist that checks the health of system hardware and software and requires high privileges. The vulnerable PC-Doctor component is a signed driver installed with SupportAssist, which allows SupportAssist to access hardware such as physical memory or PCI.
The component has an insecure DLL loading flaw that could allow a malicious attacker to load arbitrary unsigned DLLs into the service. A DLL is a file format used to hold code shared by multiple processes of Windows programs.
When a DLL is loaded into the program, no digital certificate validation is performed on the binary. The program does not verify that the DLL it is about to load is signed, so it will load any unsigned DLL without hesitation.
Because the PC-Doctor components hold Microsoft-signed certificates for kernel-mode and SYSTEM access, a bad actor who manages to get a DLL loaded achieves privilege escalation and persistence, including read/write access to low-level components such as physical memory, the System Management BIOS, and so on.
Hadar said:
For a remote attacker to exploit this vulnerability, all the attacker needs to do is trick the victim, using social engineering or other tactics, into downloading a malicious file to a folder. The required permissions depend on the user's 'PATH env' variable: if the attacker has a folder that a regular user can write to, no elevated permissions are needed. After exploiting the vulnerability, the attacker gains execution as SYSTEM within a signed service and can basically do whatever he wants, including using the PC-Doctor signed kernel driver to read and write physical memory.
Worse, the component in SupportAssist also affects a series of OEMs that use rebranded versions of it: this means that other, unnamed OEM devices are also vulnerable to attack.
PC-Doctor did not reveal the other affected OEMs, but said it has published patches to address "all affected products".
A PC-Doctor spokesperson told the researchers that PC-Doctor became aware of an uncontrolled search path element vulnerability in PC-Doctor's Dell Hardware Support Service and PC-Doctor Toolbox for Windows. The vulnerability allows a local user to gain privileges and conduct DLL hijacking attacks via a Trojan DLL located in an insecure directory that has been added to the PATH environment variable by a user or process running with administrative privileges.
That is, an attacker with regular user privileges can exploit the vulnerability by planting a specially crafted DLL file in a specific location, and so execute arbitrary code with elevated privileges.
SupportAssist is used to check the health of system hardware and software; when a problem is detected, it sends the necessary system state information to Dell so that troubleshooting can begin. Obviously, these checks require elevated privileges, since many of the services run with SYSTEM permissions.
According to the experts, SupportAssist uses a component developed by PC-Doctor to access sensitive low-level hardware, including physical memory, PCI and SMBIOS.
The experts found that after the Dell Hardware Support service starts, it executes DSAPI.exe, which in turn executes pcdrwi.exe. Both executables run with SYSTEM privileges. The service then executes a number of PC-Doctor executables to collect system information. These executables are regular PE files that use the extension "p5x".
Three of the p5x executables try to find the following DLL files in the user's PATH environment variable: LenovoInfo.dll, AlienFX.dll, atiadlxx.dll, atiadlxy.dll.
The experts found that in their test environment, the path c:\python27 had an ACL that allows any authenticated user to write files to it. This makes privilege escalation possible: a regular user can write the missing DLL file and have code executed as SYSTEM. The vulnerability allows an attacker to load and execute a malicious payload through a signed service. An attacker could use this ability for different purposes, such as execution and evasion:
· Application whitelist bypass;
· Signature verification bypass.
The root cause of the vulnerability is the lack of safe DLL loading and the missing digital certificate validation of the binary.
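The following PowerShell audit is an added example, not code from the article, SafeBreach, Dell or PC-Doctor. It checks each directory on the machine PATH for the two conditions described above: a directory in which a broad non-administrative group can create files, and the presence of any of the four DLL names listed in the article, together with its Authenticode status. The list of broad groups and the choice of the machine PATH (the one that services running as SYSTEM inherit) are assumptions.

```powershell
# Added example: audit machine PATH directories for DLL-planting exposure.
# DLL names come from the article; the group list below is an assumed audit scope.
$dllNames = 'LenovoInfo.dll', 'AlienFX.dll', 'atiadlxx.dll', 'atiadlxy.dll'

# Well-known SIDs of broad, non-administrative groups.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Select-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is worth reviewing: whoever can create it controls it.
        [pscustomobject]@{ Directory = $dir; Finding = 'PATH entry does not exist'; Detail = '' }
        continue
    }

    # Report ACEs that let a broad group create files in the directory itself.
    $acl = Get-Acl -LiteralPath $dir
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $inheritOnly = ([int]$rule.PropagationFlags -band 2) -ne 0   # 2 = InheritOnly
        $canCreate   = ([int]$rule.FileSystemRights -band 2) -ne 0   # 2 = CreateFiles / WriteData
        if ($rule.AccessControlType -eq 'Allow' -and -not $inheritOnly -and $canCreate -and
            $broadSids.ContainsKey($rule.IdentityReference.Value)) {
            [pscustomobject]@{ Directory = $dir; Finding = 'Writable by broad group'
                               Detail = $broadSids[$rule.IdentityReference.Value] }
        }
    }

    # Report any of the DLL names the p5x executables search for, with signature status.
    foreach ($name in $dllNames) {
        $file = Join-Path $dir $name
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            [pscustomobject]@{ Directory = $dir; Finding = "Found $name"; Detail = "Signature: $($sig.Status)" }
        }
    }
}
```

Run it from an elevated prompt so that Get-Acl can read every directory; a writable directory such as the c:\python27 case in the article shows up as a "Writable by broad group" finding.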
Vulnerability discovery timeline
· 04/29/19: vulnerability reported;
· 04/29/19: Dell's initial reply;
· 05/08/19: Dell confirmed the vulnerability;
· 05/21/19: Dell sent the issue to PC-Doctor;
· 05/21/19: PC-Doctor planned to publish a fix in mid-June;
· 05/22/19: PC-Doctor officially issued the vulnerability bulletin CVE-2019-12280;
· 05/28/19: Dell released the fix provided by PC-Doctor for the affected SupportAssist versions;
· 06/12/19: disclosure date extended to June 19;
· 06/19/2019: vulnerability disclosed.
Follow-up impact
Considering that PC-Doctor's global installed base exceeds 1 million units, the vulnerability's sphere of influence may be even more far-reaching. SafeBreach security researchers found that the vulnerable component is also used in CORSAIR Diagnostics, Staples EasyTech Diagnostics, Tobii I-Series, Tobii Dynavox and other diagnostic tools.
