This subject was already discussed in mid-November 2014, when the flaw was discovered and reported to Dell, which patched it in January 2015, but it is uncertain whether the fix closed all the "holes".
The faulty application is called "Dell System Detect" and is used by owners of Dell computers when they access Dell's support website for the first time. The main purpose of the tool is to detect the product in use and provide the drivers for that hardware.
Tom Forbes, a security researcher, had already reported the flaw in this software to Dell last year. By reverse engineering the program he found that it installs a web server listening on port 8884; Dell's website sends JavaScript requests to this local server to communicate with "Dell System Detect".
Before the patch, Forbes tested the software and made an interesting discovery: "Dell System Detect" checked whether the URL of the website sending the JavaScript request contained the string "dell" before acting on the request. Dell obviously added this check to prevent other websites from talking to the program, but the check was faulty because it matched every URL containing the term "dell". The program would accept www.dell.com, but it would also accept any other domain containing the word dell, such as www.myfakedell.com; as a consequence an attacker only had to register such a domain to take advantage of the flaw.
Besides this, the software could be used to force the system to download and silently install malicious programs. Forbes discovered how to trigger the "downloadandautoinstall" function and wrote a Python script that generates valid authentication tokens for it.
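To make the weakness of a substring check concrete, here is an added Python example (not Dell's code or Forbes's script) that compares the "dell anywhere in the URL" check described above, the "dell anywhere in the host name" variant Forbes suspects the patch moved to, and a strict host allow-list. The sample Referer values and the allow-listed domain dell.com are constructed for the illustration.

```python
from urllib.parse import urlparse

# Constructed sample Referer values for the illustration (not captured traffic).
SAMPLE_REFERERS = [
    "https://www.dell.com/support/home",            # legitimate support site
    "http://www.myfakedell.com/",                   # attacker domain that merely contains "dell"
    "http://evil.example/?q=dell",                  # "dell" only in the query string
    "https://www.dell.com.evil.example/",           # legitimate name used as a prefix
    "https://www.dell.com@evil.example/",           # legitimate name in the userinfo part
    "https://evil.example/#https://www.dell.com/",  # legitimate name in the fragment
    "",                                             # no Referer header at all
]

# Assumption: the registrable domain the support site lives on.
ALLOWED_DOMAINS = {"dell.com"}


def check_substring_in_url(referer: str) -> bool:
    """The original check Forbes described: 'dell' anywhere in the URL."""
    return "dell" in referer.lower()


def check_substring_in_host(referer: str) -> bool:
    """The variant Forbes guessed the patch switched to: 'dell' anywhere in the host name."""
    host = urlparse(referer).hostname or ""
    return "dell" in host.lower()


def check_host_allowlist(referer: str) -> bool:
    """Parse the URL, require https, and accept only an allow-listed domain or a subdomain of it."""
    parts = urlparse(referer)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def evaluate(referers=SAMPLE_REFERERS) -> dict:
    """Return {referer: (url_substring, host_substring, allowlist)} for each sample."""
    return {
        r: (check_substring_in_url(r), check_substring_in_host(r), check_host_allowlist(r))
        for r in referers
    }


if __name__ == "__main__":
    for referer, verdicts in evaluate().items():
        print(f"{referer!r:50} url_substring={verdicts[0]!s:5} "
              f"host_substring={verdicts[1]!s:5} allowlist={verdicts[2]}")
```

Only the legitimate support URL passes the allow-list check, while the substring-on-URL check accepts every constructed sample except the empty one, and the host-name variant still accepts www.myfakedell.com. Even the strict version only raises the bar: a Referer is something the local service has to trust the browser about, so a service that can download and execute binaries should additionally require a per-session secret that only the genuine site can obtain, rather than deciding on the Referer alone.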
Tom also explained that Dell patched the software on 9 January, blocking the original exploit, but he could not check how authentication is performed in the new version because Dell now obfuscates the program's code, which makes reversing it very difficult.
Let's close the post with the conclusion provided by Tom Forbes:
“So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL. This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user.”
“I don’t think Dell should be including all this functionality in such a simple tool and should have ensured adequate protection against malicious inputs. After contacting Dell and discussing the issue with their internal security team they pushed out a fix that included obfuscating the downloaded binary. While I cannot be sure I think they simply changed the conditional from “if dell in referrer” to “if dell in referrer domain name”, which may be slightly harder to exploit but just as severe. There is now also a big agreement you have to accept before downloading that specifies what the software can do.”
About the Author Elsio Pinto
(Security Affairs – Dell System Detect, Dell)