Friday, March 1, 2024

Critical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds of Million DELL Computers

A critical DLL hijacking vulnerability resides in PC-Doctor Dell Hardware Support Service software allows attackers to escalate the vulnerable systems privilege and gain persistence access.

Dell SupportAssist is pre-installed software on hundreds of million Dell PCs that helps to check both software and hardware system health which requires higher level permission to provide effective health results.

SupportAssist leverages a component developed by the PC-Doctor to access sensitive hardware including RAM, PCI, SMBios and it is preinstalled on most of Dell devices running Windows. 

Researchers start focused on a critical “Dell Hardware Support” service in order to find the vulnerability since it required high permission level access to the PC hardware and it provides privilege escalation capabilities.

DLL Hijacking Vulnerability

Once the Dell Hardware Support service starts running on Windows, it executing the DSAPI.exe which in turn executes pcdrwi.exe.

After this process starts, all the executables load DLL libraries that all are collecting the sensitive system information from both hardware and software.

In this case, researchers discovered three of the p5x executable are trying to find the following DLL files on the c:\python27 directory.

According to safebreach research, “the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. “

PC-Doctor codes and p5x modules are mostly using a utility library named Common.dll which provide the various important functions including the option to load a DLL file.

Researchers describe the following two root causes for the vulnerability that allows attackers to execute the arbitrary code on a vulnerable system.

1. The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW; this allows an unauthorized user to define the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR. This, in turn, searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL.

This critical DLL hijacking vulnerability let attackers load and execute malicious payloads by a signed service which can be abused by an attacker for other purposes such as execution and evasion.

“Researchers discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components”

Dell released of SupportAssist for Business 2.0.1 and Home PCs 3.2.2 with the patch for this vulnerability and users will receive the auto update since it enabled by default.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Most of the Dell Computers Vulnerable to Remote Hack Through Pre-Installed SupportAssist Software

Dell Hacked – Data Breach Exposed Names, Email addresses & Hashed Passwords

New Version of Echobot Botnet using 26 Powerful Exploits to Attack Oracle, D-Link, Dell Apps

Multiple Vulnerabilities with Pre-installed Packages open Dell systems to Hack


Latest articles

Golden Corral restaurant chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...

Hackers Hijack Anycubic 3D Printers to Display Warning Messages

Anycubic 3D printer owners have been caught off guard by a series of unauthorized...

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

Stellar Cyber, the innovator of Open XDR, today announced that RSM US – the leading provider...

Biden Crack Down Sale of Americans’ Personal Data to China & Russia

To safeguard the privacy and security of American citizens, President Joe Biden has issued...

Kali Linux 2024.1 Released – What’s New

Kali Linux recently released version 2024.1, the first release of the year 2024, with...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles