Dell support tool put PCs at risk of malware infection

Weak authentication in Dell's System Detect utility could have enabled drive-by malware attacks

Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers' products.

A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it's not clear if the fix closed all avenues for abuse.

The application, called Dell System Detect, is offered for download when users click the "Detect Product" button on Dell's support site for the first time. It is meant to help the website automatically detect the user's product -- more specifically its Service Tag -- so that it can offer the corresponding drivers and resources.

Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user's browser.

More interestingly, Forbes found that the program tested if the sites sending requests had "dell" in their URLs before acting on those requests. While this was likely intended to prevent unauthorized websites from talking to the program, the check was flawed because it not only matched www.dell.com, but also any site with "dell" in its path, for example evil-site.com/dell.

Furthermore, aside from Service Tag detection, Dell System Detect also had other functions that could be triggered remotely, the researcher found. These included getdevices, getsysteminfo, checkadminrights, downloadfiles and downloadandautoinstall.

The last one was particularly dangerous because it suggested that a non-Dell site could force the System Detect application to download and silently install a malicious program.

Forbes found that a form of authentication was required to trigger the downloadandautoinstall function, but that too was weak and relied on a hard-coded identifier. So he built a Python script that could generate valid authentication tokens.

"So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL," Forbes said Monday in a blog post that described the vulnerability in detail. "This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user."

Dell pushed an automatic update to all affected System Detect users on Jan. 9 that blocked the original exploit, Forbes said Tuesday via email.

However, the researcher couldn't check how the authentication mechanism was changed in the new version, because Dell obfuscated the program's code, making reverse engineering much harder.

It could be that the company just changed the check from "if dell is in the referrer" to "if dell is in the referrer domain name," which would prevent the original attack, but would still be exploitable, the researcher said in his blog post.

"However I must stress that this is not verified as the source code is obscured, and they have improved the security of other parts of the program so it may be that this check is not important any more," he clarified via email Tuesday.
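The difference between the two substring checks discussed above and an exact origin match can be seen side by side in the following added example, which is not code from Dell System Detect or from Forbes' write-up. The function names, the allowlist contents and the sample referrers other than evil-site.com/dell are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the origins the local helper should trust. www.dell.com is the
# only host named in the article; requiring HTTPS is this example's choice.
ALLOWED_ORIGINS = {("https", "www.dell.com")}


def substring_in_url(referrer: str) -> bool:
    """Check as the article describes it: 'dell' anywhere in the URL."""
    return "dell" in referrer.lower()


def substring_in_host(referrer: str) -> bool:
    """The speculated change: 'dell' anywhere in the host name only."""
    try:
        host = urlsplit(referrer).hostname or ""
    except ValueError:
        return False
    return "dell" in host


def exact_origin(referrer: str) -> bool:
    """Hardened form: scheme and host must equal an allowlist entry."""
    try:
        parts = urlsplit(referrer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname or "") in ALLOWED_ORIGINS


def evaluate(referrer: str) -> tuple:
    """Return (substring_in_url, substring_in_host, exact_origin)."""
    return (substring_in_url(referrer), substring_in_host(referrer),
            exact_origin(referrer))


# Constructed sample referrers; only evil-site.com/dell comes from the article.
SAMPLES = [
    "https://www.dell.com/support/home",
    "http://evil-site.com/dell",
    "https://dell.evil-site.example/",
    "https://www.dell.com.evil-site.example/x",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref:45} url/host/exact = {evaluate(ref)}")
```

An origin check of this kind only filters requests that arrive through a browser; the download and install functions still need real authentication, which the article says was weak in the original version.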

A Dell spokesman said Tuesday the flaw has been fixed.

Even with the flaw now patched, the fact that it existed in the first place may make some users anxious. Suspicions of hardware and software companies helping governments spy on users have intensified over the past two years, partially fueled by revelations of widespread surveillance disclosed by former U.S. National Security Agency contractor Edward Snowden.

"We have not, and do not, work with any government to compromise our products or make them potentially vulnerable to exploit," the Dell spokesman said via email. "This includes alleged creation of 'software implants' or so-called 'backdoors'."


Tags: Dell, intrusion, security, Access control and authentication, Exploits / vulnerabilities, malware


Lucian Constantin

IDG News Service