Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution.
Tracked as CVE-2019-3718, the first of the vulnerabilities is an improper origin validation flaw that could allow an unauthenticated remote attacker to potentially attempt cross-site request forgery (CSRF) attacks on users of the impacted systems.
The issue has a CVSS score of 7.6 and has been fixed with the release of Dell SupportAssist Client 18.104.22.168.
Tracked as CVE-2019-3719 and featuring a CVSS score of 7.1, the second vulnerability could be exploited by an unauthenticated attacker that shares the network access layer with the vulnerable system to compromise that system.
For that, however, the attacker would need to trick the victim user into downloading and executing arbitrary files via the SupportAssist client, Dell noted in an advisory. The files would be fetched from attacker hosted sites.
Bill Demirkapi, who found and reported the vulnerability, explains that the SupportAssist client fetches drivers from Dell’s website and that communication with the local systems takes place over an exposed REST API on port 8884, 8883, 8886, or 8885, depending on which is available.
The process involves a series of integrity checks, but one of the functions involved in these checks provides the attacker with a lot of ground to work with, the researchers says. The issue can be abused in multiple ways, one of which involves generating a random subdomain name and using an external machine to DNS Hijack the victim and respond to requests with this server instead.
“Some concerning factors I noticed while looking at different types of requests I could make is that I could get a very detailed description of every piece of hardware connected to my computer using the ‘getsysteminfo’ route. Even through Cross Site Scripting, I was able to access this data, which is an issue because I could seriously fingerprint a system and find some sensitive information,” Demirkapi says.
One of the methods exposed by the client would download a file from a specified URL and then run it. Checks are performed to ensure that the right files are downloaded and that they come from Dell’s website.
The exploitation process, the researcher explains, involves tricking the client into accepting a payload that does not come from Dell’s accepted subdomains. After overcoming this obstacle, he was able to set up the attack from a local network.
The researcher also published a demo to show how the vulnerability can be exploited, and made the proof-of-concept code available online.