It wasn’t me says Dell…
PC-Doctor, a supplier of computer diagnostic systems installed on over 100 million computers, has played down the dangers of a severe vulnerability in its software that was exposed this week by a cybersecurity startup, SafeBreach Labs.
The comments came after SafeBreach reported the vulnerability to Dell, which subsequently pushed out a patch on May 28, followed by a security advisory yesterday.
The Bay Area-based security firm had identified the flaw by probing Dell’s SupportAssist software, which is underpinned by PC-Doctor.
Dell told Computer Business Review that 90 percent of affected systems had already been updated as of Friday morning. Numerous other OEMs are likely affected.
In comments emailed to Computer Business Review, Reno, Nevada-based PC-Doctor any suggested the exploit would be challenging.
“To exploit this vulnerability, an administrative user or process must change the system’s PATH environment variable to include a folder writeable by non-admin users, and craft a DLL that exploits PC-Doctor’s administrative privileges. It is not possible to exploit this vulnerability without modifying default Windows settings.”
The company added: “The vulnerability was reported against PC-Doctor’s Dell Hardware Support Service, which is included with Dell’s SupportAssist, but also affects PC-Doctor Toolbox for Windows. Both products are persisted to systems to monitor for hardware issues and can be run on-demand. Urgent fixes were initially made available between 5/28/2019 and 6/17/2019.”
Dell Forced to Push Out Patches
Researchers at SafeBreach Labs probing Dell’s hardware support service discovered that it executes numerous PC-Doctor executables that collect data about the PC’s operating system and hardware. The executables load DLL libraries that have permission to collect data from an array of system sources.
The issue arises when the systems loads .dll files in an insecure manner, allowing someone to create and load .dll files of their own creation from an unsigned code library contained within their own folders.
Dell were quick to inform us that: “The vulnerability discovered by SafeBreach is a PC-Doctor vulnerability, a third-party component that ships with Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs.”
PC-Doctor Vulnerability Allows Privilege Escalation
Researchers at SafeBreach Labs note that when the system is searching and loading code for the DLL library it is using LoadLibraryW instead of LoadLibraryExW, this allows a user to define the search order with particular flags so that the system will load the DLL file located in the users own folders.
Peleg Hadar, Security Researcher at SafeBreach Labs commented in his report that: “In my VM, the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory.”
This allows an unauthorised user to escalate their privileges in the system.
In a security advisoryu warning issued yesterday evening Dell state that the vulnerability affects: “Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 3.2.1 and all prior versions.”