
Dell PCs ship with DLL hijacking bug

24 June 2019


You will have a fishy on a little dishy, when the bloat comes in

Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software which enables a remote attacker to completely take over affected devices.

The high-severity vulnerability (CVE-2019-12280) stems from a component in SupportAssist, a proactive monitoring software pre-installed on PCs with automatic failure detection and notifications for Dell devices. That component is made by a company called PC-Doctor, which develops hardware-diagnostic software for various PC and laptop original equipment manufacturers (OEMs).

Peleg Hadar, a security researcher with SafeBreach Labs who discovered the flaw, said that SupportAssist is preinstalled on most Dell devices running Windows, which means that as long as the software is not patched, this vulnerability probably affects many Dell users.

A patch has been released by PC-Doctor.

Dell sought to downplay the flaw, telling users to switch on automatic updates or manually update their SupportAssist software. Because most customers have automatic updates enabled, around 90 percent of customers to date have received the patch, said a Dell spokesperson.

SupportAssist checks the health of system hardware and software and requires high permissions. The vulnerable PC-Doctor component is a signed driver installed in SupportAssist, which allows SupportAssist to access the hardware (such as physical memory or PCI).

The component has a dynamic link library (DLL) loading vulnerability that could allow a malicious actor to load an arbitrary unsigned DLL into the service. A DLL is a file format used for holding multiple processes for Windows programs.

When loading a DLL into the program: “No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation.”

Because the PC-Doctor component has signed certificates from Microsoft for kernel-mode and SYSTEM access, a bad actor who is able to load the DLL would achieve privilege escalation and persistence, with read/write access to low-level components including physical memory, System Management BIOS, and more.
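
The condition described above, a privileged service loading a DLL whose signature nobody checks, can be audited from the defender's side. The PowerShell below is an added example, not code from the article, SafeBreach, Dell or PC-Doctor; the parameter `ProcessName` and the helper `Test-UserWritableDirectory` are hypothetical names, and the process to inspect must be supplied because the article does not name it.

```powershell
# Added example (not from the article): list modules in a running process that
# are not validly signed or that sit in a directory standard users can write to.
# Run elevated so the modules of SYSTEM services can be read.
param(
    # The article does not name the service process; supply it yourself.
    [Parameter(Mandatory)][string]$ProcessName
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# Bits that allow creating files or subfolders in a directory.
# Modify and FullControl include them; generic rights are not mapped here.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

function Test-UserWritableDirectory {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Inherit-only entries (flag value 2) apply to children, not to this directory.
        $inheritOnly = ([int]$rule.PropagationFlags -band 2) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            $lowPrivSids -contains $rule.IdentityReference.Value -and
            ([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
            return $true   # Deny entries are ignored: a simplification.
        }
    }
    return $false
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    foreach ($module in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -LiteralPath $module.FileName
        $dir = [System.IO.Path]::GetDirectoryName($module.FileName)
        $writable = Test-UserWritableDirectory -Path $dir
        # Report only modules that match at least one of the two conditions.
        if ($sig.Status -ne 'Valid' -or $writable) {
            [pscustomobject]@{
                ProcessId       = $proc.Id
                Module          = $module.FileName
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                DirUserWritable = $writable
            }
        }
    }
}
```

An empty result means every loaded module carried a valid signature and was loaded from a directory that the three listed groups cannot write to.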

Last modified on 24 June 2019