{"id":10250,"date":"2019-06-26T00:39:00","date_gmt":"2019-06-25T22:39:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=10250"},"modified":"2023-08-25T22:52:46","modified_gmt":"2023-08-25T20:52:46","slug":"serious-vulnerability-in-dells-pc-doctor-assistant","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/06\/26\/serious-vulnerability-in-dells-pc-doctor-assistant\/","title":{"rendered":"Serious vulnerability in Dell's PC Doctor Assistant"},"content":{"rendered":"

[German<\/a>]PC-Doctor SupportAssist, which is pre-installed on many Dell systems, has a serious security vulnerability that allows permissions to be exploited. The component is also found in products from Corsair, Staples and Tobi. Dell has released an update.<\/p>\n

<\/p>\n

I have already been informed of the topic by blog readers Leon from Greece a few days ago. Leon had sent me the link to this website<\/a>. During last weekend other blog-readers also send me similar hints. Thank you very much for the information. Unfortunately I haven't time to publish an article about this topic.<\/p>\n

\"\"Background: PC-Doctor Toolbox for Windows<\/h2>\n

The PC-Doctor SupportAssist is a rebranded component of the PC-Doctor Toolbox for Windows. This software can be downloaded from this website<\/a>, and contains various feature for monitoring a PC. If you read the feature description, the software is a 'must have'. But I myself would describe it as 'snake oil', which is advertised as a universal solution, but not really needed. <\/p>\n

But various OEMs such as Dell ships this toolbox or components of it on their systems – sometimes under a slightly different name. The components that enable Dell's SupportAssist to access sensitive low-level hardware (such as physical memory, PCI and SMBios) come from the PC-Doctor Toolbox and were written by PC-Doctor. Also products of Corsair, Staples and Tobi contain this PC-Doctor Toolbox for Windows or at least components of it. <\/p>\n

Dell SupportAssist<\/h2>\n

Dell SupportAssist is a software that comes from the PC-Doctor Toolbox mentioned above and is pre-installed on most Dell PCs. The software proactively checks the state of the system's hardware and software. These 'health checks' of certain system components require permissions at a high level – i.e. administrator rights are required. To perform actions that require high permissions, a signed driver is installed in addition to several services running as a SYSTEM. So much for preliminary remarks on the subject. <\/p>\n

SafeBreach finds serious vulnerability<\/h2>\n

Such constructions naturally arouse the interest of various safety researchers, including Peleg Hadar of SafeBreach Labs. In the first approach, he concentrated on the services concerned, as he writes on this website<\/a>. Especially the service \"Dell Hardware Support\" is critical, because it allows access to the PC hardware with high authorization level and has the possibility to initiate a privilege escalation. <\/p>\n

After the Dell hardware support service is launched, it runs the DSAPI.<\/em>exe program, which in turn starts pcdrwi.exe. Both processes then run with the authorization level SYSTEM. Next, the service runs numerous PC Doctor programs that collect information about the computer's operating system and hardware. These executable files are actually normal PE files, but have a different extension – \"p5x\". <\/p>\n

All these executables load DLL libraries that have the ability to collect information from various sources (software and hardware). After the libraries were loaded, the security researchers discovered the following via ProcMon: <\/p>\n

\"Aufgerufene<\/a>
(Click to zoom<\/a>) <\/p>\n

Three of the p5x executables attempt to call the following DLL files in the c:\\python27 branch (located in the PATH environment variable): <\/p>\n