Dell support tool put PCs at risk of malware infection

Weak authentication in Dell's System Detect utility could have enabled drive-by malware attacks

Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers' products.

A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it's not clear if the fix closed all avenues for abuse.

The application, called Dell System Detect, is offered for download when users click the "Detect Product" button on Dell's support site for the first time. It is meant to help the website automatically detect the user's product -- more specifically its Service Tag -- so that it can offer the corresponding drivers and resources.

Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user's browser.

More interestingly, Forbes found that the program tested whether the site sending a request had "dell" in its URL before acting on that request. While this was likely intended to prevent unauthorized websites from talking to the program, the check was flawed: it matched not only Dell's own site but also any site with "dell" anywhere in its path.

Furthermore, aside from Service Tag detection, Dell System Detect also had other functions that could be triggered remotely, the researcher found. These included getdevices, getsysteminfo, checkadminrights, downloadfiles and downloadandautoinstall.

The last one was particularly dangerous because it suggested that a non-Dell site could force the System Detect application to download and silently install a malicious program.

Forbes found that a form of authentication was required to trigger the downloadandautoinstall function, but that too was weak and relied on a hard-coded identifier. So he built a Python script that could generate valid authentication tokens.

"So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL," Forbes said Monday in a blog post that described the vulnerability in detail. "This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user."

Dell pushed an automatic update to all affected System Detect users on Jan. 9 that blocked the original exploit, Forbes said Tuesday via email.

However, the researcher couldn't check how the authentication mechanism was changed in the new version, because Dell obfuscated the program's code, making reverse engineering much harder.

It could be that the company just changed the check from "if dell is in the referrer" to "if dell is in the referrer domain name," which would prevent the original attack, but would still be exploitable, the researcher said in his blog post.
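The two flavours of check discussed above can be put side by side. This is an added illustration, not Dell's code and not from Forbes's post: a substring test of the kind the article describes, next to a check that parses the referring URL, requires HTTPS, and compares the hostname against an allowlist; the allowlist and sample referrers are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed first-party domain list; subdomains of these are accepted.
TRUSTED_DOMAINS = ("dell.com",)

def naive_check(url: str) -> bool:
    # The kind of check the article describes: "dell" anywhere in the URL,
    # so a path or query string containing the word also passes.
    return "dell" in url.lower()

def hardened_check(url: str) -> bool:
    # Parse the URL, require an https scheme, and match the hostname
    # exactly or as a dot-bounded subdomain of an allowlisted domain.
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

# Constructed referrer values used only to exercise the two checks.
CONSTRUCTED_REFERRERS = [
    "https://www.dell.com/support/home",      # legitimate
    "http://www.dell.com/support/home",       # right host, plaintext scheme
    "https://example.test/dell/page.html",    # word only in the path
    "https://dell.com.example.test/",         # allowlisted name as a prefix
    "https://notdell.com/",                   # suffix without a dot boundary
    "https://evil.test/?q=dell",              # word only in the query string
]

def compare(urls):
    # Map each URL to (naive result, hardened result) for review.
    return {u: (naive_check(u), hardened_check(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, hard) in compare(CONSTRUCTED_REFERRERS).items():
        print(f"{url:45} naive={naive!s:5} hardened={hard}")
```

Even the hardened version only limits which web pages may drive a localhost service through the browser; the referrer is browser-supplied and absent from non-browser clients, so it does not replace a per-install secret for privileged actions such as downloadandautoinstall.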

"However I must stress that this is not verified as the source code is obscured, and they have improved the security of other parts of the program so it may be that this check is not important any more," he clarified via email Tuesday.

A Dell spokesman said Tuesday the flaw has been fixed.

Even with the flaw now patched, the fact that it existed in the first place may make some users anxious. Suspicions of hardware and software companies helping governments spy on users have intensified over the past two years, partially fueled by revelations of widespread surveillance disclosed by former U.S. National Security Agency contractor Edward Snowden.

"We have not, and do not, work with any government to compromise our products or make them potentially vulnerable to exploit," the Dell spokesman said via email. "This includes alleged creation of 'software implants' or so-called 'backdoors'."

Stories by Lucian Constantin
