Remote Code Execution on Most Dell Computers

876 points, by evanwalsh, about 6 years ago

41 comments

cryptonector, about 6 years ago

    OEM: Let's differentiate our otherwise commodity hw product!
    OEM: I know, let's add value with bundled software the customer can't uninstall!

Then the bundled software turns out to (inevitably) be useless vulnerable garbage. Inevitably because a) the customer doesn't need it, b) it's engineered with all the effort that normally goes into adware for captive audiences (i.e., _minimal_), which means it will be vulnerable.

Here's an idea:

    OEM: Let's differentiate our otherwise commodity hw product!
    OEM: Let's add NO bundled software.

That would be fantastic.
anotheryou, about 6 years ago
There is also the neat tool "Dell Display Manager". The only way to avoid the moody touch buttons on some Dell monitors to change their brightness:

- updates served via HTTP through the browser only
- as a binary (exe)
- from a domain other than dell.com (delldisplaymanager.com)
- signed by a 3rd party (En Tech Taiwan)
- and nagging about updates every reboot

(you can get an outdated version via dell.com, but it will want to update through said channel immediately)

(And I bet this one gets pinged for updates, having the full url to the exe in the update check: https://www.entechtaiwan.com/updates/public/ddm.inf )
jniedrauer, about 6 years ago
General sanity aside, the whole exploit hinges on the fact that they used string parsing to check for the prefix "http". This wouldn't have been exploitable if they used a proper URL library.
orf, about 6 years ago
I found something similar to this a few years back[1], where the daemon would download and run anything if just "dell" was in the referring host. It seems they have improved the security somewhat by using white lists, but their coding practices seem a bit shoddy. Why have an SDK token at all if it's public and globally shared?

I wouldn't be surprised if a lot of the code was shared between the previous incarnation that I found an issue with and this pre-installed version.

1. https://tomforb.es/dell-system-detect-rce-vulnerability/
throwaway5752, about 6 years ago
Dell service advisory (DSA): https://www.dell.com/support/article/us/en/19/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities?lang=en (from this submission)

first CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3718 (from DSA)

second CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3719 (also from DSA, this is the exploit described in this submission)
DoofusOfDeath, about 6 years ago
Beautiful writeup. I'm a developer but never work on web stuff, and even I found the story interesting and readable.
GordonS, about 6 years ago
Given this is an RCE, and affects so many machines, does anyone else think it's unreasonable that it took Dell 5 months to fix this?

Aside from anything else, it would have been _terrible_ publicity for Dell if an exploit for this vulnerability was used in a large malware campaign - I just don't get why they would wait so long to fix it.
AdmiralAsshat, about 6 years ago
I've seen something similar when I open Dell's site. uMatrix shows an attempt to run a localhost script, which looks shady as hell.

I've never let that run. Much easier to just flip the laptop over, enter the six digit service code, and see if there are any new drivers/BIOS updates available for my laptop.
ergothus, about 6 years ago
I&#x27;ve not yet seen anyone comment on the fact that Dell was informed in late Oct, confirmed by late Nov...and the public was advised in mid April. That&#x27;s a lot of time for a known and confirmed vulnerability to be undisclosed, isn&#x27;t it?
elagost, about 6 years ago
I don't think there will ever come a time when 1) savvy users will stop suggesting/recommending clean Windows installs on new computers and 2) OEM bloatware will stop being crap.

I clean-installed Win10 recently. There was no driver installation I had to do - everything works great, and there are no unidentified devices in Device Manager. Say what you will about Windows 10, but that part is really cool. Save for video cards, the pack-in drivers are often better and less hassle. Plus they auto update.
taspeotis, about 6 years ago
The author exploited this by adding a space to the URL so it no longer started with http:// but rather (space)http://, but it looks like the call to Replace would be ineffective if the URL started with HTTP:// as well.

    bool flag2 = file.Location.ToLower().StartsWith("http://");
    if (flag2)
    {
        file.Location = file.Location.Replace("http://", "https://");
    }

I trust the new version isn't vulnerable to this...
davidw, about 6 years ago
Dell Computers running Windows, it looks like?
gloflo, about 6 years ago
Slightly tongue in cheek to counter the anti-(Chinese/Russians) tone in recent times:

Seeing how close Dell (both the company and the man) are to the US government, surely this is a backdoor by the Americans?
albertgoeswoof, about 6 years ago
This is exactly why you should remove any bundled software from vendors and try to start afresh when picking up a new machine.
_bxg1, about 6 years ago
Sounds like the attacker has to be on the local network (or presumably VPN) to use the exploit? If so that's a nontrivial hurdle in many cases.
bredren, about 6 years ago
What is the bounty on a report like this, and does Dell operate an official bug bounty program? How much do you think a report like this should be worth?

"Dell bug bounty program" and the like don't turn up obvious results to me.
markbnj, about 6 years ago
Preinstalled crapware is one of the main reasons I still build my own desktops. Back when I used to buy Dells or HPs for the kids I always began the relationship with a reformat and reinstall. That was easy for me at the time because I had a complete MSDN sub with access to all versions of MS operating systems.
codedokode, about 6 years ago
Cannot this vulnerability be exploited by creating a free wi-fi access point, opening a captive portal on the user's device and attacking them from there? Another option is to wait until the victim requests something with HTTP (some ad networks still use it) and inject the payload into the traffic.
kristianp, about 6 years ago
Intel has a similar update assistant that runs on thinkpads at least: https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html
nanahgafvsva, about 6 years ago
Nice writeup! Only feedback is it seems like you don't need to DNS hijack anything. Seems like you can just register localhost-lollolanything.com and pull the attack off, no?
Iv, about 6 years ago
tl;dr:

A piece of software opens a port to allow a remote website to trigger "download and execute" actions on a URL pointing to an .exe file.

The security check they have is that they check the domain is dell.com and that the string starts with "https://". If it starts with http:// it is replaced by the https version. In theory I could consider this risky but safe.

The mistake is that they do not force a URL that starts with something else to fail. The attacker could bypass the check by providing " http://fakedns.dell.com/haxorz.exe" (with a space at the beginning) and it passed the check.

This is not the first flaw of this style I am seeing. I don't think a teacher ever explicitly told it to me but I always assumed that relying on DNS for authentication was a dangerous thing to do and that URLs were doing too many things behind the scenes to be trustworthy without being extremely picky.

Maybe it all changed with https, but trusting the execution of an exe without at least checking a crypto signature lights some red flags in my brain.
Hamuko, about 6 years ago
A lot of government computers around this part of the world are Dell computers. Hopefully enterprise customers get fresh Windows installations.
pojntfx, about 6 years ago
Use Linux.
lopmotr, about 6 years ago
This doesn't sound quite as scary as the title. You still have to do one of these things that will all be nearly impossible in general. It's not like you can just set up a website and wait for victims to visit it.

- XSS on one of Dell's sites.
- Find a Subdomain Takeover vulnerability on a Dell site.
- Make the request from a local program.
- DNS Hijack the victim.
Jacksoft, about 6 years ago
HP uses a similar service (HP Support Assistant) that permits the HP website to discover your machine and drivers. It would be nice to discover if it has the same vulnerability...
olefoo, about 6 years ago
Hmm. I have a Dell laptop, but replaced Windows 10 with Ubuntu. I doubt I'm vulnerable to that... but my security stance is probably not as strong as it could be.
ocdtrekkie, about 6 years ago
Feel pretty validated on my decision that the OEM doesn't need a support backdoor on PCs. SupportAssist looked like a remote access tool combined with PC-Doctor.
Tiki, about 6 years ago
I bought an Alienware that cost 4300$ last year, and that's after 900$ in savings.

The computer arrived in a box that had 2 handle sized holes in it and I could see the computer directly exposed from the outside without the box being open. It had shipment dust and debris INSIDE THE BOX. It's the saddest, cheapest, most sorry ass excuse for a shipment I've ever seen. I took pictures, I couldn't believe it.

Then I booted it up and was inundated with Dell pre-installed software. Wiped the thing clean, got a Win10 ISO directly from MS and called it a day. This will be the last Dell I ever buy. Lesson learned.
bayareanative, about 6 years ago
Speaking of exploits... aren't nearly all Intel-processor systems vulnerable to attacks against IME?

Has anyone disabled IME by putting it into HAP mode or another mode?
amaccuish, about 6 years ago
If this was Huawei it'd be called a backdoor.
chunsj, about 6 years ago
Is this related to Dell Computers (so it does include laptops with Linux OS) or Windows OS (which I mean spyware on Windows OS)?
Jonnax, about 6 years ago
Intel also has a similar tool that you install to check for updates and you visit a web page to get your updates.

Does it work in a similar way?
daveheq, about 6 years ago
I thought this was old news... I swear I heard and read about this last year, maybe even before mid-year.
nldoty, about 6 years ago
I really wish it was possible to purchase hardware from any manufacturer with this stuff removed.
peter_d_sherman, about 6 years ago
First off, great article.

But, like so many other articles about security vulnerabilities, there seems to be a general attitude among most people (including many IT shops) that "it's an isolated incident", and "the experts will fix it...".

"It's an isolated incident", and "The experts will fix it...".

They said the same thing about Spectre, Meltdown, Rowhammer attacks, what have you.

"It's an isolated incident", and "The experts will fix it...".

Well, if you read HN long enough, you'd know that there's too much of this on too regular a basis to continue to espouse those views.

I'm going to go for broke here.

I'm going to put on my conspiracy "what if" tin-foil hat, and ask two questions.

The first is related to Virus-Checking and Security Software -- like Norton, McAfee, etc. How do we know that any of it doesn't contain remote code execution (aka major security) vulnerabilities?

You see, if I were the bad guys, _that's where I'd put it_.

Also, let's say you have Nation States. Could you see one of these guys "persuading, for the good of their country" one or more of their same-nationality corporations to put such vulnerabilities into their "Security" software?

In other words, maybe you have a Chinese producer of anti-virus/security software, and maybe it has little "surprises" for non-Chinese Citizens.

Maybe you have an American producer of anti-virus/security software, and it too has little "surprises" for non-American Citizens.

You see? Nation A thinks that it's permissible and OK for it to compromise Nation B's "Security" software. And Nation B thinks the same thing, but in reverse.

Even if Nation States are removed from the equation, you still have the Virus Checker/Security software company themselves. How do you know that random employees at that company haven't tainted that software in some way?

In other words, "Who guards the guardians?"

Which is my second question.

It's an ancient philosophical question.

"Who guards the guardians?"

We The People - do not seem to be doing such a good job these days...

All I know is that you might be seeing a whole lot more "isolated incidents" that "the experts will have to fix" in the future, unless We The People - step up to the plate...
option_greek, about 6 years ago
That's one of those garbage apps I proactively removed. Thank God.
dontbenebby, about 6 years ago
Do they also install this stuff on their linux offerings? :/
thrower123, about 6 years ago
Amazing, Dell bullshit antivirus is bullshit
itslennysfault, about 6 years ago
Glad I wiped my XPS and put Ubuntu on it.
m00dy, about 6 years ago
I'm not going to buy Dell again...
joshlegs, about 6 years ago
`DiableInstallNow` - I liked this JSON key in the API