A security flaw discovered in OEM software has left millions of Dell PCs vulnerable. The flaw, found in a utility called SupportAssist, could lead to privilege escalation on all of these systems. Security researchers from SafeBreach, who came across the flaw, identified it as a DLL hijacking vulnerability. Certain components of SupportAssist that were used to access low-level hardware had faulty functionality that led to this flaw.
SupportAssist is software that monitors the health of the system’s hardware and software on Dell computers. Components of this software are written by PC-Doctor, a company that develops diagnostics software.
The big picture
What caused the flaw?
In the analysis, the researchers mention that the p5x executables used a library called ‘Common.dll’ and identify two root causes stemming from this DLL file. The first is that a different library was used for loading DLL files, and the second is the absence of validation of DLL files. Together, these causes could allow attackers to execute unsigned DLLs.
The researchers also demonstrate a proof-of-concept (PoC) exploit that successfully loads and executes unsigned DLLs. In fact, they point out that the flaw could be used for multiple purposes. “The vulnerability gives attackers the ability to load and execute malicious payloads by a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: 1. Application Whitelisting Bypass 2. Signature Validation Bypassing,” they said in the analysis.
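The second root cause, loading DLLs without validating them, can be triaged from the defender's side by checking whether a candidate DLL carries an embedded Authenticode certificate table at all. The following is an added example, not code from SafeBreach, Dell or PC-Doctor; the function names and sample file names are hypothetical, and the sample images are constructed byte strings. A present certificate table only means a signature blob exists; confirming that it is valid and trusted still requires the Windows WinVerifyTrust API.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table

def cert_table(pe: bytes):
    """Return (file_offset, size) of the embedded certificate table, or None if absent."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("not an MZ image")
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = e_lfanew + 24  # skip the PE signature and the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        dirs = {0x10B: 96, 0x20B: 112}[magic]  # data directory offset: PE32 / PE32+
        (count,) = struct.unpack_from("<I", pe, opt + dirs - 4)  # NumberOfRvaAndSizes
        slot = opt + dirs + 8 * SECURITY_DIR
        off, size = struct.unpack_from("<II", pe, slot) if count > SECURITY_DIR else (0, 0)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unrecognised PE header") from exc
    if off == 0 or size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return off, size

def verdict(data: bytes) -> str:
    """'signature-present', 'unsigned' or 'invalid: <reason>' for one candidate DLL."""
    try:
        return "signature-present" if cert_table(data) else "unsigned"
    except ValueError as exc:
        return f"invalid: {exc}"

def make_pe(cert: bytes = b"") -> bytes:
    """Constructed PE32+ headers (not a loadable DLL), optionally with a dummy cert blob."""
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
                    + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2000) + bytes(240))
    struct.pack_into("<H", hdr, 0x58, 0x20B)       # optional header magic (PE32+)
    struct.pack_into("<I", hdr, 0x58 + 108, 16)    # NumberOfRvaAndSizes
    if cert:  # the security directory stores a file offset, not an RVA
        struct.pack_into("<II", hdr, 0x58 + 112 + 8 * SECURITY_DIR, len(hdr), len(cert))
    return bytes(hdr) + cert

# Constructed sample inputs; the file names are hypothetical.
SAMPLES = {"signed.dll": make_pe(b"\x00" * 16), "planted.dll": make_pe(), "notes.txt": b"hello"}

if __name__ == "__main__":
    print({name: verdict(data) for name, data in SAMPLES.items()})
```

Files reported as unsigned or invalid in a directory a signed service loads from are the ones to investigate first.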
Luckily, this DLL flaw has been patched by Dell. It primarily affected Dell SupportAssist for Business PCs version 2.0, and Dell SupportAssist for Home PCs version 3.2.1 and all prior versions.