A vulnerability in SupportAssist, the Dell Hardware Support Service software built on PC-Doctor components, could allow attackers to achieve privilege escalation on Dell machines running Windows 10.
SafeBreach Labs has identified a vulnerability in the SupportAssist software, which is preinstalled on most Dell PCs. The software uses components written by PC-Doctor to access sensitive low-level hardware (such as physical memory, PCI and SMBIOS). Because PC-Doctor develops hardware-diagnostic software, this vulnerability also affects other OEMs that use a rebranded version of the PC-Doctor Toolbox for Windows software components.
SupportAssist proactively checks the health of the system's hardware and software. These health checks may require a high permission level. To perform actions requiring high permissions, a signed driver is installed in addition to multiple services running as SYSTEM.
The security researchers targeted the "Dell Hardware Support" service based on the assumption that such a critical service would have high-permission access to the PC hardware as well as the capability to induce privilege escalation.
After the Dell Hardware Support service starts, it executes numerous PC-Doctor executables which collect information about the OS and the hardware of the computer. All of these executables load DLLs which have the ability to collect information from different sources (software and hardware).
The researchers compiled a DLL (unsigned), which was executed as SYSTEM when they renamed it following:
The researchers found that no digital certificate validation was performed on the binary. The program doesn't validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL.
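A defender-side audit for the gap described above, as an added example that is not code from SafeBreach, Dell or PC-Doctor: it lists DLLs that lack a valid Authenticode signature in the install directories of services running as LocalSystem. The function names and the choice to skip directories under %SystemRoot% are assumptions made for this example; a service can also load DLLs from other locations that this audit does not cover.

```powershell
# Added example (hypothetical function names): audit DLLs that sit beside
# the executables of LocalSystem services and report any without a valid
# Authenticode signature.

function Get-ServiceImageDirectory {
    param([string]$PathName)
    # Win32_Service.PathName is either "C:\dir\svc.exe" args or C:\dir\svc.exe args.
    if ($PathName -match '^\s*"([^"]+)"' -or $PathName -match '^\s*(.+?\.exe)') {
        [System.IO.Path]::GetDirectoryName($Matches[1])
    }
}

function Get-UnsignedServiceDll {
    # Directories of third-party services running as SYSTEM.
    # Assumption: directories under %SystemRoot% are skipped to keep the scan short.
    $dirs = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object { Get-ServiceImageDirectory -PathName $_.PathName } |
        Where-Object {
            $_ -and -not $_.StartsWith($env:SystemRoot,
                [System.StringComparison]::OrdinalIgnoreCase)
        } |
        Sort-Object -Unique

    foreach ($dir in $dirs) {
        Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...)
                # is worth a look when the loading process runs as SYSTEM.
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Status = $sig.Status
                        Signer = $sig.SignerCertificate.Subject
                    }
                }
            }
    }
}

Get-UnsignedServiceDll | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so every service directory is readable.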
They also managed to print the content of an arbitrary physical memory address easily, using the vulnerability.
To prevent unsigned kernel-mode drivers from installing on the machine, Windows uses a mechanism called Driver Signature Enforcement. It crashes the system when it detects an unsigned driver being loaded.
But the vulnerability renders DSE useless. The program ships with a driver that is already digitally signed and authorized by Microsoft, so the attacker might not need to load an unsigned driver to achieve read/write permissions.
According to Dell's website, SupportAssist is preinstalled on most Dell devices running Windows. This means that as long as the software is not patched, the vulnerability affects millions of Dell PC users.
"The vulnerability gives attackers the ability to load and execute malicious payloads by a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion," the researchers said.
Moreover, according to the security firm, the vulnerability (CVE-2019-12280) isn’t limited to Dell. Like Dell, many other OEMs use a rebranded version of the diagnostic tool created by PC-Doctor:
- CORSAIR ONE Diagnostics
- CORSAIR Diagnostics
- Staples EasyTech Diagnostics
- Tobii I-Series Diagnostic Tool
- Tobii Dynavox Diagnostic Tool
Dell confirmed the existence of the bug after it was first reported in April 2019. The researchers have also notified PC-Doctor, and a security patch is expected to be released sometime in mid-June.
Dell has released security patches for the specific vulnerability.