Thursday, March 28, 2024

Critical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds of Million DELL Computers

A critical DLL hijacking vulnerability resides in PC-Doctor Dell Hardware Support Service software allows attackers to escalate the vulnerable systems privilege and gain persistence access.

Dell SupportAssist is pre-installed software on hundreds of million Dell PCs that helps to check both software and hardware system health which requires higher level permission to provide effective health results.

SupportAssist leverages a component developed by the PC-Doctor to access sensitive hardware including RAM, PCI, SMBios and it is preinstalled on most of Dell devices running Windows. 

Researchers start focused on a critical “Dell Hardware Support” service in order to find the vulnerability since it required high permission level access to the PC hardware and it provides privilege escalation capabilities.

DLL Hijacking Vulnerability

Once the Dell Hardware Support service starts running on Windows, it executing the DSAPI.exe which in turn executes pcdrwi.exe.

After this process starts, all the executables load DLL libraries that all are collecting the sensitive system information from both hardware and software.

In this case, researchers discovered three of the p5x executable are trying to find the following DLL files on the c:\python27 directory.

According to safebreach research, “the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. “

PC-Doctor codes and p5x modules are mostly using a utility library named Common.dll which provide the various important functions including the option to load a DLL file.

Researchers describe the following two root causes for the vulnerability that allows attackers to execute the arbitrary code on a vulnerable system.

1. The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW; this allows an unauthorized user to define the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR. This, in turn, searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL.

This critical DLL hijacking vulnerability let attackers load and execute malicious payloads by a signed service which can be abused by an attacker for other purposes such as execution and evasion.

“Researchers discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components”

Dell released of SupportAssist for Business 2.0.1 and Home PCs 3.2.2 with the patch for this vulnerability and users will receive the auto update since it enabled by default.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Most of the Dell Computers Vulnerable to Remote Hack Through Pre-Installed SupportAssist Software

Dell Hacked – Data Breach Exposed Names, Email addresses & Hashed Passwords

New Version of Echobot Botnet using 26 Powerful Exploits to Attack Oracle, D-Link, Dell Apps

Multiple Vulnerabilities with Pre-installed Packages open Dell systems to Hack

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles