Fri. Jun 5th, 2020

Security researchers find a security vulnerability in the Dell SupportAssist utility can trigger a remote attack

3 min read

The Dell SupportAssist is a help program for Dell devices that are pre-installed by default on most Dell computers. This support assistant can be used to help users automatically update firmware and drivers, and can also be used to contact a Dell customer support representative if necessary.

Recently, however, researchers have revealed that Dell SupportAssist has serious security vulnerabilities (CVE-2019-3719). If the attacker successfully exploits the vulnerability, it can directly launch a remote attack. At the same time, the Dell SupportAssist itself has administrator privileges, so if exploited by an attacker, the attacker can take over the system and do anything.

Dell SupportAssist vulnerability

The vulnerability was discovered by Bill Demirkapi, a 17-year-old security researcher in the United States, and in some cases, an attacker could easily take over the system using this vulnerability. Wanting to launch an attack relies mainly on inducing users to visit a specially crafted phishing website, and loading a malicious script on the phishing website can invoke the Dell SupportAssist. The malicious script calls Dell SupportAssist can be used to download executable files and execute code, that is, you can directly install the malware in silent mode.

The researchers revealed that

  1. Grab the interface IP address for the specified interface.
  2. Start the mock web server and provide it with the filename of the payload we want to send. The web server checks if the Host header is and if so sends the binary payload. If the request Host has in it and is not the downloads domain, it sends the javascript payload which we mentioned earlier.
  3. To ARP Spoof the victim, we first enable ip forwarding then send an ARP packet to the victim telling it that we’re the router and an ARP packet to the router telling it that we’re the victim machine. We repeat these packets every few seconds for the duration of our exploit. On exit, we will send the original mac addresses to the victim and router.
  4. Finally, we DNS Spoof by using iptables to redirect DNS packets to a netfilter queue. We listen to this netfilter queue and check if the requested DNS name is our target URL. If so, we send a fake DNS packet back indicating that our machine is the true IP address behind that URL.
  5. When the victim visits our subdomain (either directly via url or indirectly by an iframe), we send it the malicious javascript payload which finds the service port for the agent, grabs the signature from the php file we created earlier, then sends the RCE payload. When the RCE payload is processed by the agent, it will make a request to which is when we return the binary payload.

After the researchers notified the vulnerability to Dell a few months ago, Dell has begun to fix and launch a new version to completely block this malicious vulnerability. If you are a Dell user and install the Dell SupportAssist, you should upgrade to the latest version as soon as possible because an attacker will start using it.