Security researchers have discovered a critical flaw in Dell SupportAssist software which allows arbitrary code execution.
The flaw tracked as CVE-2019-12280 allows an attacker with normal user permissions to execute arbitrary code with elevated privileges by using specially crafted DLL files.
The flaw was discovered by security researchers at SafeBreach cybersecurity firm.
Dell SupportAssist comes pre-installed on most Dell PCs; it checks the health of the system's software and hardware and sends the report back to Dell.
According to the researcher, the issue exists in the PC-Doctor component used in the Dell SupportAssist software.
The PC-Doctor component allows SupportAssist to access sensitive low-level hardware (including physical memory, PCI and SMBIOS).
When Dell Hardware Support service is initiated, it executes DSAPI.exe which in turn executes pcdrwi.exe. Both run with system privileges.
In the next step, the service executes numerous PC-Doctor executables to collect data about the OS and hardware of the system.
Researchers discovered that these executables are regular PE files but have a different extension, "p5x".
Three of the p5x executables try to find the following DLL files in the c:\python27 directory (which is on the users' PATH environment variable):
“The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM.”
The flaw allows attackers to have a malicious payload loaded and executed by a signed service. Attackers can abuse this for other purposes as well, such as bypassing application whitelisting and signature validation.
Researchers reported the issue to Dell in April, and Dell released an updated version of Dell SupportAssist addressing the vulnerability.
Researchers also noted that the flaw affects other products which use the PC-Doctor component, such as CORSAIR Diagnostics, Staples EasyTech Diagnostics, Tobii I-Series Diagnostic Tool and Tobii Dynavox Diagnostic Tool.
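The root cause described above is a directory on the search path that low-privileged users can write to while a SYSTEM service looks there for a DLL that is absent. The following PowerShell audit is an added example, not code from the article, SafeBreach, Dell or PC-Doctor: it lists PATH directories (plus the c:\python27 directory named in the advisory) whose ACL grants file-creation rights to broad principals. The set of principal names and the rights treated as "can drop a file" are assumptions of this example.

```powershell
# Added example: find directories on the machine PATH (what a SYSTEM service sees)
# that low-privileged principals can create files in. The c:\python27 directory is
# included explicitly because the advisory names it. Principal list is an assumption.

$LowPrivIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal place a new file into the directory (assumed set).
$WriteRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakDirectoryAcl {
    param([string[]]$Directories)
    $existing = $Directories |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique
    foreach ($dir in $existing) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            # Only explicit or inherited Allow entries for broad principals matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
$candidates  = $machinePath + 'C:\python27'

$findings = Get-WeakDirectoryAcl -Directories $candidates
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No PATH directory grants create/write rights to low-privileged principals.'
}
```

Any directory reported here is a candidate for the same class of DLL planting whenever a privileged service searches it for a missing library; tightening that directory's ACL is a mitigation, while the vendor update is the actual fix.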