Saturday, October 12, 2024
HomeComputer SecurityCritical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds...

Critical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds of Million DELL Computers

Published on

Malware protection

A critical DLL hijacking vulnerability resides in PC-Doctor Dell Hardware Support Service software allows attackers to escalate the vulnerable systems privilege and gain persistence access.

Dell SupportAssist is pre-installed software on hundreds of million Dell PCs that helps to check both software and hardware system health which requires higher level permission to provide effective health results.

SupportAssist leverages a component developed by the PC-Doctor to access sensitive hardware including RAM, PCI, SMBios and it is preinstalled on most of Dell devices running Windows. 

- Advertisement - SIEM as a Service

Researchers start focused on a critical “Dell Hardware Support” service in order to find the vulnerability since it required high permission level access to the PC hardware and it provides privilege escalation capabilities.

DLL Hijacking Vulnerability

Once the Dell Hardware Support service starts running on Windows, it executing the DSAPI.exe which in turn executes pcdrwi.exe.

After this process starts, all the executables load DLL libraries that all are collecting the sensitive system information from both hardware and software.

In this case, researchers discovered three of the p5x executable are trying to find the following DLL files on the c:\python27 directory.

According to safebreach research, “the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. “

PC-Doctor codes and p5x modules are mostly using a utility library named Common.dll which provide the various important functions including the option to load a DLL file.

Researchers describe the following two root causes for the vulnerability that allows attackers to execute the arbitrary code on a vulnerable system.

1. The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW; this allows an unauthorized user to define the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR. This, in turn, searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL.

This critical DLL hijacking vulnerability let attackers load and execute malicious payloads by a signed service which can be abused by an attacker for other purposes such as execution and evasion.

“Researchers discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components”

Dell released of SupportAssist for Business 2.0.1 and Home PCs 3.2.2 with the patch for this vulnerability and users will receive the auto update since it enabled by default.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Most of the Dell Computers Vulnerable to Remote Hack Through Pre-Installed SupportAssist Software

Dell Hacked – Data Breach Exposed Names, Email addresses & Hashed Passwords

New Version of Echobot Botnet using 26 Powerful Exploits to Attack Oracle, D-Link, Dell Apps

Multiple Vulnerabilities with Pre-installed Packages open Dell systems to Hack

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Digital Wallets Bypassed To Allow Purchase With Stolen Cards

Digital wallets enable users to securely store their financial information on smart devices and...

Best SIEM Tools List For SOC Team – 2024

The Best SIEM tools for you will depend on your specific requirements, budget, and...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...