Dell SupportAssist is a support utility that comes pre-installed by default on most Dell computers. It helps users automatically update firmware and drivers, and can also be used to contact a Dell customer support representative if necessary.
Recently, however, researchers have revealed that Dell SupportAssist has a serious security vulnerability (CVE-2019-3719). An attacker who successfully exploits the vulnerability can launch a remote attack directly. Because Dell SupportAssist itself runs with administrator privileges, an attacker who exploits it can take over the system and do anything.
The vulnerability was discovered by Bill Demirkapi, a 17-year-old security researcher in the United States, and in some cases an attacker could easily take over the system using it. The attack relies mainly on inducing users to visit a specially crafted phishing website, where a malicious script loaded by the page can invoke Dell SupportAssist. Through that call, the script can make Dell SupportAssist download executable files and execute code, that is, install malware directly in silent mode.
The researchers revealed that
- Grab the interface IP address for the specified interface.
- To ARP Spoof the victim, we first enable IP forwarding then send an ARP packet to the victim telling it that we’re the router and an ARP packet to the router telling it that we’re the victim machine. We repeat these packets every few seconds for the duration of our exploit. On exit, we will send the original MAC addresses to the victim and router.
- Finally, we DNS Spoof by using iptables to redirect DNS packets to a netfilter queue. We listen to this netfilter queue and check if the requested DNS name is our target URL. If so, we send a fake DNS packet back indicating that our machine is the true IP address behind that URL.
The researchers reported the vulnerability to Dell a few months ago, and Dell has since begun fixing it and releasing a new version that completely blocks this vulnerability. If you are a Dell user and have Dell SupportAssist installed, you should upgrade to the latest version as soon as possible, because attackers will start using it.