Millions of computers vulnerable as flaw in Dell software makes way for exploits

• The flaw was discovered in Dell’s SupportAssist software that is pre-installed on most of its computers.
• Designated as CVE-2019-12280, the flaw is a DLL hijacking vulnerability and was due to the way certain components worked in the software.

A security flaw discovered in OEM software has left millions of Dell PCs vulnerable. The flaw, found in a utility software called SupportAssist, could lead to privilege escalation in all of these systems. Security researchers from SafeBreach who came across this flaw in the software, identified it to be a DLL hijacking vulnerability. Certain components of SupportAssist that were used to access low-level hardware had faulty functionalities that led to this flaw.

SupportAssist is a software that monitors the health of the system’s hardware and software on Dell computers. Components in this software are written by PC-Doctor, a company which develops diagnostics software.

The big picture

• SafeBreach researchers analyzed a service known as ‘Dell Hardware Support’. Upon initiation, this service executed a Windows process called ‘DSAPI.exe’ which in turn executes ‘pcdrwi.exe’.
• After this, the service executes various executables that collect OS and hardware information. As mentioned earlier, these are developed by PC-Doctor and have the extension ‘p5x’. These executables load DLL libraries that collect information.
• Interestingly, three of the p5x executables look for DLL files such as LenovoInfo.dll, AlienFX.dll, atiadlxx.dll, and atiadlxy.dll. This process could allow unauthenticated attackers to write files and achieve privilege escalation.

What caused the flaw?

In the analysis, researchers mention that the p5x executables used a library called ‘Common.dll’ and indicate two root causes derived from this DLL file. The first one is due to a different library used for loading DLL files and the second one is the absence of validation of DLL files. As a result, these causes could allow attackers to execute unsigned DLLs.

The researchers also demonstrate a proof-of-concept(PoC) exploit that successfully loads and executes unsigned DLLs. In fact, they point out that the flaw could be used for multiple purposes. “The vulnerability gives attackers the ability to loaded and execute malicious payloads by a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: 1. Application Whitelisting Bypass 2. Signature Validation Bypassing,” they said in the analysis.

Luckily, this DLL flaw has been patched by Dell. It primarily affected Dell SupportAssist for Business PCs version 2.0, and Dell SupportAssist for Home PCs version 3.2.1 and all prior versions.