SoylentNews is people

posted by Fnord666 on Thursday May 02 2019, @07:08PM
from the makes-the-hairs-on-your-neck-stand-up dept.

Remote Code Execution on most Dell computers

What computer do you use? Who made it? Have you ever thought about what came with your computer? When we think of Remote Code Execution (RCE) vulnerabilities in mass, we might think of vulnerabilities in the operating system, but another attack vector to consider is "What third-party software came with my PC?". In this article, I'll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to "proactively check the health of your system's hardware and software" and which is "preinstalled on most of all new Dell devices".

[...]Back in September, I was in the market for a new laptop because my 7-year-old Macbook Pro just wasn't cutting it anymore. I was looking for an affordable laptop that had the performance I needed and I decided on Dell's G3 15 laptop. I decided to upgrade my laptop's 1 terabyte hard drive to an SSD. After upgrading and re-installing Windows, I had to install drivers. This is when things got interesting. After visiting Dell's support site, I was prompted with an interesting option.

[...]"Detect PC"? How would it be able to detect my PC? Out of curiosity, I clicked on it to see what happened.

[...]A program which automatically installs drivers for me. Although it was a convenient feature, it seemed risky. The agent wasn't installed on my computer because it was a fresh Windows installation, but I decided to install it to investigate further. It was very suspicious that Dell claimed to be able to update my drivers through a website.

Here is a link to the Dell advisory.

What could possibly go wrong?


  • (Score: 0) by Anonymous Coward on Thursday May 02 2019, @07:33PM (#838066)

    Windows.

  • (Score: 2) by Snow (1601) on Thursday May 02 2019, @07:47PM (#838075)

    Oh come on! I like to shit on MS as much as the next guy here (or girl), but this isn't a MS problem, this is a DELL problem.

    You can install vulnerable software on any OS.

    • (Score: 2) by aiwarrior (1812) on Thursday May 02 2019, @08:30PM (#838095)

      Well Dell actually sells "Developer Editions" that come with Linux pre-installed and without that crap. But your point stands, this does have anything to do with OS.
      The tangential is that Linux people are normally more savvy and probably do not need so much hand holding, like the software in cause provides.

    • (Score: 2) by jmorris (4844) on Friday May 03 2019, @02:10AM (#838248)

      No, Dell is just still using ActiveX, a tech Microsoft developed and inflicted upon the world, strong arming vassals like Dell to adopt the tech. So yes, this is a Microsoft problem at root, but they have abandoned ActiveX for years so it is also Dell's fault because they are still using it. Having seen this particular bit in action, must admit it was pretty slick. What else ya gonna do on a gimped platform without a proper package management system?

      In a sane world Windows would have a real package manager and the vendor would simply ship with a vendor repo preconfigured to distribute updates.

    • (Score: 0) by Anonymous Coward on Friday May 03 2019, @05:50PM (#838476)

      it's directly related to windows. only windows and its users need manufacturers to manage their drivers and bios updates for them with a goddamn gui, no less. of course this shit is vulnerable to remote code execution. you think the dumbass who writes windows driver management guis for windows for a living knows anything about security? or has any standards or common sense?

  • (Score: 0) by Anonymous Coward on Thursday May 02 2019, @08:23PM (#838089)

    This type of functionality used to be a feature of ActiveX.