[German]PC-Doctor SupportAssist, which is pre-installed on many Dell systems, has a serious security vulnerability that allows permissions to be exploited. The component is also found in products from Corsair, Staples and Tobi. Dell has released an update.
Advertising
I have already been informed of the topic by blog readers Leon from Greece a few days ago. Leon had sent me the link to this website. During last weekend other blog-readers also send me similar hints. Thank you very much for the information. Unfortunately I haven't time to publish an article about this topic.
Background: PC-Doctor Toolbox for Windows
The PC-Doctor SupportAssist is a rebranded component of the PC-Doctor Toolbox for Windows. This software can be downloaded from this website, and contains various feature for monitoring a PC. If you read the feature description, the software is a 'must have'. But I myself would describe it as 'snake oil', which is advertised as a universal solution, but not really needed.
But various OEMs such as Dell ships this toolbox or components of it on their systems – sometimes under a slightly different name. The components that enable Dell's SupportAssist to access sensitive low-level hardware (such as physical memory, PCI and SMBios) come from the PC-Doctor Toolbox and were written by PC-Doctor. Also products of Corsair, Staples and Tobi contain this PC-Doctor Toolbox for Windows or at least components of it.
Dell SupportAssist
Dell SupportAssist is a software that comes from the PC-Doctor Toolbox mentioned above and is pre-installed on most Dell PCs. The software proactively checks the state of the system's hardware and software. These 'health checks' of certain system components require permissions at a high level – i.e. administrator rights are required. To perform actions that require high permissions, a signed driver is installed in addition to several services running as a SYSTEM. So much for preliminary remarks on the subject.
SafeBreach finds serious vulnerability
Such constructions naturally arouse the interest of various safety researchers, including Peleg Hadar of SafeBreach Labs. In the first approach, he concentrated on the services concerned, as he writes on this website. Especially the service "Dell Hardware Support" is critical, because it allows access to the PC hardware with high authorization level and has the possibility to initiate a privilege escalation.
Advertising
After the Dell hardware support service is launched, it runs the DSAPI.exe program, which in turn starts pcdrwi.exe. Both processes then run with the authorization level SYSTEM. Next, the service runs numerous PC Doctor programs that collect information about the computer's operating system and hardware. These executable files are actually normal PE files, but have a different extension – "p5x".
All these executables load DLL libraries that have the ability to collect information from various sources (software and hardware). After the libraries were loaded, the security researchers discovered the following via ProcMon:
Three of the p5x executables attempt to call the following DLL files in the c:\python27 branch (located in the PATH environment variable):
- LenovoInfo.dll
- AlienFX.dll
- atiadlxx.dll
- atiadlxy.dll
At this point you don't really need to read any more – because this construction, which almost is a notorious case for DLL hijacking, I have discussed in various blog posts in a different context. Stefan Kanthak has found this construct, which is a potential vulnerability, in many software packages and provided me with a test bed to detect such vulnerabilities (calling dependent DLLs). Peleg Hadar, of SafeBreach Labs, writes that he examined the whole thing in a VM. This revealed serious beginner mistakes made by the developers of the PC Doctor tools.
The c:\python27 directory in the test environment had an ACL that allows any authenticated user to write files to this folder. This makes a privilege extension a breeze. This allows a normal user (and thus running malware) to store a DLL file in this folder. He only has to overwrite one of the DLL files mentioned above with his own DLL of the same name. As soon as the tools of the PC-Doctor are called, they execute the manipulated DLL with the permissions of SYSTEM. The DLL then has control over the system and can perform arbitrary actions.
The SafeBreach Labs article ontains further analyses that explain the internal structure of the PC Doctor tools. Basically, however, all of this can be reduced to: The whole software is big crap and should be uninstalled from the system pronto. At the end of th eSafeBreach Labs article other affected software products like CORSAIR Diagnostics, Tobii I-Series Diagnostic Tool etc. are also mentioned.
Blog reader Al-CiD sent me the link to a Dell security alert on Sunday. DSA-2019-084: Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs Security Update for PC Doctor Vulnerability describes the CVE-2019-12280 vulnerability. This vulnerability has been classified as High in terms of threat level and affects the following Dell software.
- Dell SupportAssist for Business PCs version 2.0
- Dell SupportAssist for Home PCs version 3.2.1 und vorherige Versionen
Dell states that subsequent versions of Dell SupportAssist for Business Systems and Dell SupportAssist for Home PCs provide a solution to the problem:
- Dell SupportAssist für Business-PCs Version 2.0.1
- Dell SupportAssist für Heim-PCs Version 3.2.2.2
Dell recommends all customers to perform updates (auto update or manual update) as quickly as possible. The Hacker News have also published articles on the topic. My recommendation is to uninstall this software and left this snake oil from the system as soon as possible (if possible). Background of this statement: Once I have never needed anything like this on my systems before. Secondly, I assume that the ACL settings have simply been adjusted in such a way that access to the folder is no longer possible for every user. Which vulnerabilities (also with regard to DLL hijacking) still left is unclear. Only recently Dell had to update the SupportAssist because of a remotely exploitable vulnerability.
Advertising