Tuesday, December 24, 2024
HomeComputer SecurityCritical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds...

Critical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds of Million DELL Computers

Published on

SIEM as a Service

A critical DLL hijacking vulnerability resides in PC-Doctor Dell Hardware Support Service software allows attackers to escalate the vulnerable systems privilege and gain persistence access.

Dell SupportAssist is pre-installed software on hundreds of million Dell PCs that helps to check both software and hardware system health which requires higher level permission to provide effective health results.

SupportAssist leverages a component developed by the PC-Doctor to access sensitive hardware including RAM, PCI, SMBios and it is preinstalled on most of Dell devices running Windows. 

- Advertisement - SIEM as a Service

Researchers start focused on a critical “Dell Hardware Support” service in order to find the vulnerability since it required high permission level access to the PC hardware and it provides privilege escalation capabilities.

DLL Hijacking Vulnerability

Once the Dell Hardware Support service starts running on Windows, it executing the DSAPI.exe which in turn executes pcdrwi.exe.

After this process starts, all the executables load DLL libraries that all are collecting the sensitive system information from both hardware and software.

In this case, researchers discovered three of the p5x executable are trying to find the following DLL files on the c:\python27 directory.

According to safebreach research, “the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. “

PC-Doctor codes and p5x modules are mostly using a utility library named Common.dll which provide the various important functions including the option to load a DLL file.

Researchers describe the following two root causes for the vulnerability that allows attackers to execute the arbitrary code on a vulnerable system.

1. The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW; this allows an unauthorized user to define the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR. This, in turn, searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL.

This critical DLL hijacking vulnerability let attackers load and execute malicious payloads by a signed service which can be abused by an attacker for other purposes such as execution and evasion.

“Researchers discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components”

Dell released of SupportAssist for Business 2.0.1 and Home PCs 3.2.2 with the patch for this vulnerability and users will receive the auto update since it enabled by default.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Most of the Dell Computers Vulnerable to Remote Hack Through Pre-Installed SupportAssist Software

Dell Hacked – Data Breach Exposed Names, Email addresses & Hashed Passwords

New Version of Echobot Botnet using 26 Powerful Exploits to Attack Oracle, D-Link, Dell Apps

Multiple Vulnerabilities with Pre-installed Packages open Dell systems to Hack

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Firefox 133.0 Released with Multiple Security Updates – What’s New!

Mozilla has officially launched Firefox 133.0, offering enhanced features, significant performance improvements, and critical...

Digital Wallets Bypassed To Allow Purchase With Stolen Cards

Digital wallets enable users to securely store their financial information on smart devices and...

Best SIEM Tools List For SOC Team – 2024

The Best SIEM tools for you will depend on your specific requirements, budget, and...