A critical DLL hijacking vulnerability resides in PC-Doctor Dell Hardware Support Service software allows attackers to escalate the vulnerable systems privilege and gain persistence access.
Dell SupportAssist is pre-installed software on hundreds of million Dell PCs that helps to check both software and hardware system health which requires higher level permission to provide effective health results.
SupportAssist leverages a component developed by the PC-Doctor to access sensitive hardware including RAM, PCI, SMBios and it is preinstalled on most of Dell devices running Windows.
Researchers start focused on a critical “Dell Hardware Support” service in order to find the vulnerability since it required high permission level access to the PC hardware and it provides privilege escalation capabilities.
DLL Hijacking Vulnerability
Once the Dell Hardware Support service starts running on Windows, it executing the DSAPI.exe which in turn executes pcdrwi.exe.
After this process starts, all the executables load DLL libraries that all are collecting the sensitive system information from both hardware and software.
In this case, researchers discovered three of the p5x executable are trying to find the following DLL files on the c:\python27 directory.
According to safebreach research, “the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. “
PC-Doctor codes and p5x modules are mostly using a utility library named Common.dll which provide the various important functions including the option to load a DLL file.
Researchers describe the following two root causes for the vulnerability that allows attackers to execute the arbitrary code on a vulnerable system.
1. The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW; this allows an unauthorized user to define the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR. This, in turn, searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.
2. No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL.
This critical DLL hijacking vulnerability let attackers load and execute malicious payloads by a signed service which can be abused by an attacker for other purposes such as execution and evasion.
“Researchers discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components”
Dell released of SupportAssist for Business 2.0.1 and Home PCs 3.2.2 with the patch for this vulnerability and users will receive the auto update since it enabled by default.