Remote Code Execution on most Dell computers
Remote Code Execution on most Dell computers
What computer do you use? Who made it? Have you ever thought about what came with your computer? When we think of Remote Code Execution (RCE) vulnerabilities in mass, we might think of vulnerabilities in the operating system, but another attack vector to consider is "What third-party software came with my PC?". In this article, I'll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to "proactively check the health of your system's hardware and software" and which is "preinstalled on most of all new Dell devices".
[...]Back in September, I was in the market for a new laptop because my 7-year-old Macbook Pro just wasn't cutting it anymore. I was looking for an affordable laptop that had the performance I needed and I decided on Dell's G3 15 laptop. I decided to upgrade my laptop's 1 terabyte hard drive to an SSD. After upgrading and re-installing Windows, I had to install drivers. This is when things got interesting. After visiting Dell's support site, I was prompted with an interesting option.
[...]"Detect PC"? How would it be able to detect my PC? Out of curiosity, I clicked on it to see what happened.
[...]A program which automatically installs drivers for me. Although it was a convenient feature, it seemed risky. The agent wasn't installed on my computer because it was a fresh Windows installation, but I decided to install it to investigate further. It was very suspicious that Dell claimed to be able to update my drivers through a website.
Here is a link to the Dell advisory.
What could possibly go wrong?
(Score: 3, Insightful) by Snow on Thursday May 02 2019, @07:52PM (8 children)
... to complain about shitty software, so here goes: Razer Synapse
This POS software is required on Razer Mice to map the secondary buttons. This software runs as a service, stores your settings 'In the Cloud' and somehow uses almost 100MB of ram to run.
(Score: 1, Insightful) by Anonymous Coward on Thursday May 02 2019, @08:14PM (4 children)
I looked at some eye-candy Razer keyboards, but they ONLY support Windows and why should a keyboard need a bunch of software on the computer side when some simple firmware and a few buttons can do the job in-device. So a few years ago I already decided never to buy anything Razer.
Interesting article that highlights how far the bad players will go - trying to get in on a major brand. At least Dell are aware and have an advisory out. I guess reading the "installation notes" can be a safety line!
I agree, madware can be on any OS, but the most fun is finding used Dells and replacing the swamp of malware with Linux. In fact, any pre-used machines of almost any brand. Take Lenovo - can you trust their firmware? But then they are now ALL m.i.c. and who knows what chips are calling home to where...
(Score: 0) by Anonymous Coward on Thursday May 02 2019, @08:43PM (2 children)
Is this a fact you've verified yourself? (using a recent kernel) MANY pieces of hardware don't even acknowledge the existence of anything but windoze in its various incarnations. Yet MANY of them work just fine on the penguiny side of life, usually no thanks to the manufacturer/vendor.
(Score: 2) by Snow on Thursday May 02 2019, @08:48PM (1 child)
I think Razer KB/Mice will work in Linuxland, you just won't be able to install the software, which means you won't be able to setup custom keybinding/macros/sensitivity stuff.
It should still work like a 'normal' keyboard though.
(Score: 2, Touché) by Anonymous Coward on Thursday May 02 2019, @09:09PM
Not through their software but probably using normal* Linux methods.
*Not to millenials but to proper grey beards.
(Score: 3, Insightful) by acid andy on Friday May 03 2019, @01:11PM
What makes you so sure US designed hardware hasn't been doing the same thing, even when it wasn't built over there? Management Engine, anyone? Sure you aren't falling for your own country's propaganda? Just because you grow up in a country, doesn't make them necessarily the good guys.
If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
(Score: 0) by Anonymous Coward on Thursday May 02 2019, @09:36PM (1 child)
Huh, I ran across this comment: https://forum.manjaro.org/t/razer-side-buttons/21954/3 [manjaro.org] which makes it sound like you could configure it once then stop/uninstall the windows service and it would still work. If you need that 100MiB of ram back. (maybe for mcafee?)
(Score: 4, Funny) by PartTimeZombie on Thursday May 02 2019, @11:15PM
Hey, come on now, no need for that kind of talk.
(Score: 2) by RS3 on Friday May 03 2019, @12:00AM
Only 100MB? Be happy, most similar spyware hogs up much more RAM than that.