
Remote Code Execution on Most Dell Computers - evanwalsh
https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/
======
cryptonector

      OEM: Let's differentiate our otherwise
           commodity hw product!
      OEM: I know, let's add value with bundled
           software the customer can't uninstall!

Then the bundled software turns out to (inevitably) be useless vulnerable
garbage. Inevitably because a) the customer doesn't need it, b) it's
engineered with all the effort that normally goes into adware for captive
audiences (i.e., _minimal_), which means it will be vulnerable.

Here's an idea:

      OEM: Let's differentiate our otherwise
           commodity hw product!
      OEM: Let's add NO bundled software.

That would be fantastic.

~~~
LeoPanthera
It works, too. This is partly why the iPhone was so popular, at first. It's
been so long now that probably everyone has forgotten, but before the iPhone,
essentially every smartphone on the market was fully loaded with trialware,
crapware, and often had hardware features locked out by software so that you
could pay extra to unlock them.

I remember one particular phone that had four user-configurable hardware
buttons, but Verizon had locked them down so that they _all_ opened the
Verizon ringtone store.

The iPhone was a breath of fresh air if only for its software.

~~~
iClaudiusX
Even a brand new, unlocked, $1000 Samsung Galaxy S10 comes riddled with adware
and spyware, some of it unremovable:

"There are apps from Flipboard and Spotify as well as a unremovable version of
Facebook. McAfee Anti-virus is baked into the operating system as "security,"
and the Samsung Gallery app wants to share my location with Foursquare. The
storage management settings, which is just a simple file-cleanup app, is
"Powered by Qihoo 360," a Chinese security company. A caller-ID feature built
into the phone app is provided by a company called "Hiya."

Once you run through setup and connect to Wi-Fi, the phone spawns an
undismissable "Secure Wi-Fi" notification, which, it turns out, is an ad for
McAfee VPN subscription service. I tried blocking the notification—it's not
blockable—but it turns out you can open the advertisement, carefully consider
subscribing to McAfee VPN, say "No," and then it will go away. Cool."

[https://arstechnica.com/gadgets/2019/04/galaxy-s10-review-for-1000-samsung-needs-to-offer-a-more-complete-package/2/](https://arstechnica.com/gadgets/2019/04/galaxy-s10-review-for-1000-samsung-needs-to-offer-a-more-complete-package/2/)

~~~
tbrock
I don't understand why folks subject themselves to this for $1000 when other
options are available.

You don’t have to keep supporting Samsung by buying their phones. Get a pixel
instead.

~~~
sfifs
Google branded hardware has a notorious reputation for problems about 1-1.5
year down the road. This has happened with every single Google device anyone
in my family has ever owned and so we've basically stopped buying Google. Very
few manufacturers apart from Samsung come close to Apple in terms of sheer
hardware quality and service support and Apple OS's lack of customisability,
pathetic camera and lack of 3.5mm jack completely rules it out for me. That's
basically why I have paid a premium for Samsung over the years. I may look at
Huawei too now that they appear to have significantly upped the hardware
quality game.

Being virtually stock Android, pre-installed software is easily disabled (even
FB) - the only major complaint is inability to assign Bixby button to
something else without rooting.

~~~
saulrh
? I used a Nexus 5 up until last year. Ended up upgrading last year, not
because it had issues or because lineage stopped releasing for it, but because
IT at my new job refused to let six-year-old devices on the network.
Meanwhile, my parents complained continuously about their three-year-old
iPhones getting slower and slower. Anecdotes, yeah, but...

~~~
aosmith
My nexus 5 still works, I don't use it anymore but the thing was an absolute
tank.

~~~
robocat
Nexus 5 was not a tank in my experience.

On mine the plastic frame cracked between the power button and the volume
control (I think a reasonably common problem with this phone, I've never had a
frame crack on any other phone). After that one button gets stuck on, which
makes phone cycle reboot - OK - I can workaround that. Then the microphone
went bad: that is caused by the crack causing pressure on the micro-connector
which causes an electrical issue. That wasted more time and eventually my
workaround for that issue failed.

I have had close experience with 5 different Nexus devices, and 4 of the 5 had
nasty failure modes.

The Nexus line has been far less reliable than the iOS devices I have had
experience with, and all the Apple devices got far more security updates over
their useful life. Note: I usually use Android phones and iPad tablets
(although I have also personally had iPhones and Android tablets).

~~~
sannee
The soft plastic casing definitely cracks easily. On the other hand it does
not fail catastrophically. I have dropped my Nexus 5 on the floor more times
than I can count and while it has miniature cracks around the button/power
connector it's nothing that prevents the phone from working.

~~~
robocat
> On the other hand it does not fail catastrophically

So my two complete failures due to the crack were not "catastrophic" then?

The case cracking is common, and those two failures were common enough: most
users would consider the phone uneconomic to fix, and not everyone has my
tenacity or skill to waste time fixing their phone.

I also think it was that phone where the flash slowed enough to make it barely
usable.

Back on topic.

The only Nexus I have had that hasn't had a problem was a Samsung Nexus 10
(still goes, but stuck on insecure Android 5.1).

The only Samsung phone I have had was the original Galaxy Nexus, which was
still going when I gave it away last year. Its problems were: 1. screen
burnin (OLED) and 2. Google didn't release Android 4.4 (due to TI dropping
OMAP4 support?) even though 4.4 came out within 2 years. That phone cost more
than an iPhone 4. My colleagues got iPhone 4 phones at the same time, and they
got updates for twice as long and their phones remained useful for far longer.

So my experience with Samsung hardware has been good. I have always avoided
buying Samsung because I hate their modified Android versions and lack of
updates.

------
anotheryou
There is also the neat tool "Dell Display Manager". The only way to avoid the
moody touch buttons on some Dell monitors to change their brightness:

- updates served via HTTP through the browser only

- as a binary (exe)

- from a domain other than dell.com (delldisplaymanager.com)

- signed by a 3rd party (En Tech Taiwan)

- and nagging about updates every reboot

(you can get an outdated version via dell.com, but it will want to update
through said channel immediately)

(And I bet this one gets pinged for updates, having the full url to the exe in
the update check:
[https://www.entechtaiwan.com/updates/public/ddm.inf](https://www.entechtaiwan.com/updates/public/ddm.inf)
)

~~~
Liskni_si
Not the only way. I used to use ddctool [0] to change brightness on monitors
and it worked even with some cheap old Benq displays. Unfortunately Linux
doesn't support DDC over DisplayPort Multi-Stream Transport, but you won't
need to worry about that. All you need is some Windows alternative to ddctool.
This was the first search hit:
[https://www.clickmonitorddc.bplaced.net/](https://www.clickmonitorddc.bplaced.net/)

[0]:
[https://github.com/danielng01/ddctool](https://github.com/danielng01/ddctool)

~~~
anotheryou
Oh thank you!

I have an auto hotkey script triggering the DDM, but it's not working well.

------
jniedrauer
General sanity aside, the whole exploit hinges on the fact that they used
string parsing to check for the prefix "http". This wouldn't have been
exploitable if they used a proper URL library.

~~~
bennofs
URL parsers also have bugs (or at least don't all agree on one parsing if you
rely on more than one parser). Just take a look at
[https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf)
for some fun examples.

~~~
anfilt
I watched that talk a while ago. It convinced me of one thing: you should only
have one URL parser in a project, and don't pass a URL to anything that may
parse it differently.

It also made it clear that trying to use a URL to restrict stuff is a bad
idea. Like the dell updater could only load signed requests which means an
attacker would have to get dell's private key for signing.

------
orf
I found something similar to this a few years back[1], where the daemon would
download and run anything if just “dell” was in the referring host. It seems
they have improved the security somewhat by using white lists, but their
coding practices seem a bit shoddy. Why have an SDK token at all if it’s
public and globally shared?

I wouldn’t be surprised if a lot of the code was shared between the previous
incarnation that I found an issue with and this pre-installed version.

1. [https://tomforb.es/dell-system-detect-rce-vulnerability/](https://tomforb.es/dell-system-detect-rce-vulnerability/)

------
throwaway5752
Dell service advisory (DSA):
[https://www.dell.com/support/article/us/en/19/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities?lang=en](https://www.dell.com/support/article/us/en/19/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities?lang=en)
(from this submission)

first CVE:
[https://nvd.nist.gov/vuln/detail/CVE-2019-3718](https://nvd.nist.gov/vuln/detail/CVE-2019-3718)
(from DSA)

second CVE:
[https://nvd.nist.gov/vuln/detail/CVE-2019-3719](https://nvd.nist.gov/vuln/detail/CVE-2019-3719)
(also from DSA, this is the exploit described in this submission)

------
DoofusOfDeath
Beautiful writeup. I'm a developer but never work on web stuff, and even I
found the story interesting and readable.

~~~
hazelnut
totally agree. and that guy is 17!

~~~
hypervis0r
Only 355687428096000 years old? Mustn't have even finished college!

------
GordonS
Given this is an RCE, and affects so many machines, does anyone else think
it's unreasonable that it took Dell 5 months to fix this?

Aside from anything else, it would have been _terrible_ publicity for Dell if
an exploit for this vulnerability was used in a large malware campaign - I
just don't get why they would wait so long to fix it.

------
AdmiralAsshat
I've seen something similar when I open Dell's site. uMatrix shows an attempt
to run a localhost script, which looks shady as hell.

I've never let that run. Much easier to just flip the laptop over, enter the
six digit service code, and see if there are any new drivers/BIOS updates
available for my laptop.

------
ergothus
I've not yet seen anyone comment on the fact that Dell was informed in late
Oct, confirmed by late Nov...and the public was advised in mid April. That's a
lot of time for a known and confirmed vulnerability to be undisclosed, isn't
it?

~~~
obisw4n
I'm not surprised in the least, they have a Bugcrowd program and I've
submitted at least one P2 that took months to fix, and best of all - they don't
pay bounties! what a joke if you ask me.

------
elagost
I don't think there will ever come a time when 1) savvy users will stop
suggesting/recommending clean Windows installs on new computers and 2) OEM
bloatware will stop being crap.

I clean-installed Win10 recently. There was no driver installation I had to do
- everything works great, and there are no unidentified devices in Device
Manager. Say what you will about Windows 10, but that part is really cool.
Save for video cards, the pack-in drivers are often better and less hassle.
Plus they auto update.

~~~
ericfrederich
I have a Lenovo Thinkpad Yoga x1. I'm afraid to reinstall fresh Windows
because of stylus

~~~
robk
Works fine w one exe from Lenovo

------
taspeotis
The author exploited this by adding a space to the URL so it no longer started
with http:// but rather (space)http://, but it looks like the
call to Replace would be ineffective if the URL started with HTTP:// as well.

    bool flag2 = file.Location.ToLower().StartsWith("http://");
    if (flag2)
    {
        file.Location = file.Location.Replace("http://", "https://");
    }

I trust the new version isn’t vulnerable to this...
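As an added example, not part of taspeotis's post and not Dell's code: the quoted C# check mirrored in Python next to a parser-based validator of the sort jniedrauer's comment earlier in the thread asks for. The `ALLOWED_DOMAIN` constant, the helper names and every URL in the block are constructed for the demonstration; only the "ends with .dell.com" rule and the https requirement come from the thread.

```python
"""Added example, not code from the post or from Dell: the quoted C# check
mirrored in Python beside a parser-based allow-list check.  All hostnames,
URLs and helper names below are constructed for the demo."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_DOMAIN = "dell.com"   # trust anchor the thread describes (constructed constant)


def flawed_rewrite(location: str) -> str:
    """Mirror of the quoted C#: a lower-cased prefix test followed by a
    case-sensitive Replace.  Any value whose lower-cased form does not start
    with exactly "http://" passes through untouched, and an upper-case
    "HTTP://" passes the test but is never replaced."""
    if location.lower().startswith("http://"):
        location = location.replace("http://", "https://")
    return location


def is_trusted_host(host: str) -> bool:
    """True only for the allowed domain itself or a real subdomain label under
    it.  A substring test would also match "dell.com.attacker.example"."""
    host = host.lower().rstrip(".")
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def validate_download_url(location: str):
    """Parser-based allow-list check.  Returns a normalised https URL, or
    None when the input must be rejected.  Every decision is made on parsed
    components, never on string prefixes of the raw input."""
    # Whitespace anywhere is rejected outright, so a leading space never
    # reaches the scheme comparison at all.
    if not location or any(ch.isspace() for ch in location):
        return None
    try:
        parts = urlsplit(location)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https":      # reject, do not "upgrade", non-https
        return None
    if parts.username is not None or parts.password is not None:
        return None                          # userinfo can disguise the real host
    host = (parts.hostname or "").lower()
    if not host or not is_trusted_host(host):
        return None
    if port not in (None, 443):
        return None
    if parts.query or parts.fragment:
        return None
    path = parts.path or "/"
    return urlunsplit(("https", host.rstrip("."), path, "", ""))
```

The contrast the block is meant to show: `flawed_rewrite` leaves both " http://..." and "HTTP://..." untouched, exactly as the post describes, while `validate_download_url` rejects both because it compares the parsed scheme rather than a prefix of the raw string. A URL passing the validator still only says where the file came from; whether to execute it is a separate decision.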

~~~
BillDemirkapi
There were a bunch of ways to bypass the check. For example another way would
be to use "http:\\\" which wouldn't get detected either. The new version isn't
vulnerable.

------
davidw
Dell Computers running Windows, it looks like?

~~~
xeromal
Yeah, 99% of dell computers

~~~
basetop
Sadly. It disappoints me so much that linux hasn't been able to crack Windows
dominance on desktop/laptop. I was sure that as more people became computer
"literate", they'd shift to linux or bsd in droves. Boy was I wrong.

~~~
MagicPropmaker
I'm very computer literate. That's why I run Windows 10, and Linux / BSD in a
VM. I want to get things done.

------
gloflo
Slightly tongue in cheek to counter the anti-(Chinese/Russians) tone in recent
times:

Seeing how close Dell (both the company and the man) are to the US government,
surely this is a backdoor by the Americans?

~~~
kpU8efre7r
Is the anti-China or anti-Russia unwarranted?

Dell fucked up and should be held accountable. Being in America they will more
than likely face legal action of some sort over this. I would hope so anyway.

~~~
delfinom
>Being in America they will more than likely face legal action of some sort
over this.

Which America are we talking about here? The one that let Equifax off scot-free
for leaking the entire country's personal financial info with security that
resembles GeoCities?

Dell won't get punished for shit.

~~~
kpU8efre7r
You mean the Equifax, the company currently being sued for that?

[https://www.law.com/dailyreportonline/2019/01/28/judge-oks-equifax-lawsuit-over-massive-data-breach/](https://www.law.com/dailyreportonline/2019/01/28/judge-oks-equifax-lawsuit-over-massive-data-breach/)

------
albertgoeswoof
This is exactly why you should remove any bundled software from vendors and
try to start afresh when picking up a new machine.

~~~
NullPrefix
Lenovo pulled a stunt before where they loaded their "extra software" inside
UEFI to be installed by Windows after a fresh install.

~~~
josteink
That caused so much of a backlash that they released a new BIOS version
without that stuff. As was absolutely fair.

Abusing Windows' ability to obtain HW drivers through UEFI (something which can
be used for good) to bundle shit-ware is just absolutely rotten.

~~~
deogeo
Fair would be sending executives to jail for hacking. Releasing a
non-backdoored BIOS was the absolute minimum.

Edit: As pointed out by josteink, the BIOS wasn't backdoored - it was used to
install a backdoor. But calling what it installed "insecure Windows-software"
is also inaccurate. According to
[https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...](https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident),
its purpose was man-in-the-middle attacks against the user. So I still think
criminal liability and jail time would be just. Ordinary people have been sent
to jail for far less.

~~~
josteink
To be fair and technically correct, the BIOS itself was not backdoored.

The BIOS itself was fine, but it contained insecure Windows-software which it
requested/instructed _Windows_ to install.

Install any other OS (like Linux) and there would be no backdoor at all.

To be clear I’m not trying to defend Lenovo’s actions here, I’m just trying to
be clear about what this incident was actually about. The simplistic
description is IMO a bit too simplistic in this case.

------
_bxg1
Sounds like the attacker has to be on the local network (or presumably VPN) to
use the exploit? If so that's a nontrivial hurdle in many cases.

~~~
Tehnix
Like a WiFi at a café or airport?

~~~
Tharkun
Public WiFi networks really should use client isolation. Sadly, many don't.

~~~
euroclydon
You can just go to a public place and run your own hotspot.

~~~
codedokode
And use a name and SSID of some well-known public WiFi network. Then make a
captive portal to force the user open an attacker-controlled page in a
browser.

------
bredren
What is the bounty on a report like this, and does Dell operate an official
bug bounty program? How much do you think a report like this should be worth?

"Dell bug bounty program" and the like don't turn up obvious results to me.

~~~
BillDemirkapi
Unfortunately Dell doesn't pay bounties no matter how serious the bug is.

~~~
f311a
Dell could send you a laptop at least.

------
markbnj
Preinstalled crapware is one of the main reasons I still build my own
desktops. Back when I used to buy Dells or HPs for the kids I always began the
relationship with a reformat and reinstall. That was easy for me at the time
because I had a complete MSDN sub with access to all versions of MS operating
systems.

------
codedokode
Cannot this vulnerability be exploited by creating a free wi-fi access point,
opening a captive portal on user's device and attacking them from there?
Another option is to wait until the victim requests something with HTTP (some
ad networks still use it) and inject the payload into the traffic.

~~~
BillDemirkapi
Yep.

------
kristianp
Intel has a similar update assistant that runs on thinkpads at least:
[https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html](https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html)

------
nanahgafvsva
Nice writeup! Only feedback is it seems like you don't need to DNS hijack
anything. Seems like you can just register localhost-lollolanything.com and
pull the attack off, no?

~~~
c-
There's code that checks for the domain ending in .dell.com (etc) so it
wouldn't work.

------
Iv
tl;dr:

A piece of software opens a port to allow a remote website to trigger "download
and execute" actions on a URL pointing to an .exe file.

The security check they have is that they check the domain is dell.com and
that the string starts with "https://". If it starts with
http:// it is replaced by the https version. In theory I could
consider this risky but safe.

The mistake is that they do not force a URL that starts with something else to
fail. The attacker could bypass the check by providing
" http://fakedns.dell.com/haxorz.exe"
(with a space at the beginning) and it passed the check.

This is not the first flaw of this style I am seeing. I don't think a teacher
ever explicitly told it to me but I always assumed that relying on DNS for
authentication was a dangerous thing to do and that URLs were doing too many
things behind the scenes to be trustworthy without being extremely picky.

Maybe it all changed with https, but trusting the execution of an exe without
at least checking a crypto signature lights some red flags in my brain.

------
daveheq
I thought this was old news... I swear I heard and read about this last year,
maybe even before mid-year.

------
Hamuko
A lot of government computers around this part of the world are Dell
computers. Hopefully enterprise customers get fresh Windows installations.

------
pojntfx
Use Linux.

------
lopmotr
This doesn't sound quite as scary as the title. You still have to do one of
these things that will all be nearly impossible in general. It's not like you
can just set up a website and wait for victims to visit it.

- XSS on one of Dell's sites.

- Find a Subdomain Takeover vulnerability on a Dell site.

- Make the request from a local program.

- DNS Hijack the victim.

~~~
sannee
> - DNS Hijack the victim.

This is the trivial one. You can just set up a free Wi-Fi access point next to
a restaurant that people from company-you-want-to-hack like to visit.

------
Jacksoft
HP uses a similar service (HP Support Assistant) that permits the HP website to
discover your machine and drivers. It would be nice to discover if it has the
same vulnerability...

------
olefoo
Hmm. I have a Dell laptop, but replaced Windows 10 with Ubuntu. I doubt I'm
vulnerable to that... but my security stance is probably not as strong as it
could be.

------
ocdtrekkie
Feel pretty validated on my decision that the OEM doesn't need a support
backdoor on PCs. SupportAssist looked like a remote access tool combined with
PC-Doctor.

------
Tiki
I bought an Alienware that cost $4300 last year, and that's after $900 in
savings.

The computer arrived in a box that had 2 handle sized holes in it and I could
see the computer directly exposed from the outside without the box being open.
It had shipment dust and debris INSIDE THE BOX. It's the saddest, cheapest,
most sorry ass excuse for a shipment I've ever seen. I took pictures, I
couldn't believe it.

Then I booted it up and was inundated with Dell pre-installed software. Wiped
the thing clean, got a Win10 ISO directly from MS and called it a day. This
will be the last Dell I ever buy. Lesson learned.

------
bayareanative
Speaking of exploits... aren't nearly all Intel-processor systems vulnerable
to attacks against IME?

Has anyone disabled IME by putting it into HAP mode or another mode?

------
amaccuish
If this was Huawei it'd be called a backdoor.

------
chunsj
Is this related to Dell Computers (so it does include laptops with Linux OS)
or Windows OS (which I mean spywares on Windows OS)?

------
Jonnax
Intel also has a similar tool that you install to check for updates and you
visit a web page to get your updates.

Does it work in a similar way?

------
nldoty
I really wish it was possible to purchase hardware from any manufacturer with
this stuff removed.

~~~
taspeotis
Microsoft sort of try with “Windows Signature.”

[https://www.laptopmag.com/articles/microsoft-signature-edition-windows-10-analysis](https://www.laptopmag.com/articles/microsoft-signature-edition-windows-10-analysis)

------
peter_d_sherman
First off, great article.

But, like so many other articles about security vulnerabilities, there seems
to be a general attitude among most people (including many IT shops) that
"it's an isolated incident", and "the experts will fix it...".

"It's an isolated incident", and "The experts will fix it...".

They said the same thing about Spectre, Meltdown, Rowhammer attacks, what have
you.

"It's an isolated incident", and "The experts will fix it...".

Well, if you read HN long enough, you'd know that there's too much of this on
too regular a basis to continue to espouse those views.

I'm going to go for broke here.

I'm going to put on my conspiracy "what if" tin-foil hat, and ask two
questions.

The first is related to Virus-Checking and Security Software -- like Norton,
McAfee, etc. how do we know that any of it doesn't contain remote code
execution (aka major security) vulnerabilities?

You see, if I were the bad guys, _that's where I'd put it_.

Also, let's say you have Nation States. Could you see one of these guys
"persuading, for the good of their country" one or more of their
same-nationality corporations to put such vulnerabilities into their "Security"
software?

In other words, maybe you have a Chinese producer of anti-virus/security
software, and maybe it has little "surprises" for non-Chinese Citizens.

Maybe you have an American producer of anti-virus/security software, and it
too has little "surprises" for non-American Citizens.

You see? Nation A thinks that it's permissible and OK for it to compromise
Nation B's "Security" software. And Nation B thinks the same thing, but in
reverse.

Even if Nation States are removed from the equation, you still have the Virus
Checker/Security software company themselves. How do you know that random
employees at that company haven't tainted that software in some way?

In other words, "Who guards the guardians?"

Which is my second question.

It's an ancient philosophical question.

"Who guards the guardians?"

We The People - do not seem to be doing such a good job these days...

All I know is that you might be seeing a whole lot more "isolated incidents"
that "the experts will have to fix" in the future, unless We The People - step
up to the plate...

~~~
ilaksh
Well I think it's very possible that backdoors are set up by governments like
you say.

But I also think that even if they don't, it also seems very possible that
vulnerabilities are quite common as mistakes. Just due to the realities of
security.

In my opinion security is much more difficult than people realize.

For example in this case there seems to be a majority opinion something along
the lines of "What an idiot! _I_ would never make that mistake!". It's much
easier to say that in hindsight than it is to really execute secure code that
no one can defeat. The response might be "well, no one broke into any of _my_
systems so far" and I would say .. how do you know they didn't? And also,
maybe no one bothered to try to exploit you because you are not a high value
target. Or they are just busy and will get to trying to penetrate you next
week.

I think this is due to the complexity of software and IT rather than general
negligence.

~~~
jondubois
Yes I don't think that the government needs to plant vulnerabilities to get
backdoors into people's machines. Finding vulnerabilities is not that
difficult. The more moving parts you have and the more complex the code is,
the more likely it is that there are vulnerabilities in the software.

------
option_greek
That's one of those garbage apps i proactively removed. Thank God.

------
dontbenebby
Do they also install this stuff on their linux offerings? :/

------
thrower123
Amazing, Dell bullshit antivirus is bullshit

------
itslennysfault
Glad I wiped my XPS and put Ubuntu on it.

------
m00dy
I'm not going to buy Dell again...

~~~
the_pwner224
This is an exploit in the shitty software that OEMs put on their Windows
images. Stuff like this is practically universal (minus Apple), and the fact
that Dell hasn't (AFAIK) actively bundled very evil malware with their
computers makes them far from the worst offender.

~~~
tssva
Apple bundles plenty of software on their computers which I don't want, have
never used, which increase the potential attack surface and which I can't
uninstall. For example Apple Maps, Apple News, Home, and Books. In fact you
can't uninstall any of the apps shipped with macOS. Not even the chess
program.

~~~
MagicPropmaker
Exactly! With Windows you do have choices. I bought a desktop PC from
ThinkMate configured exactly as I wanted it with a plain vanilla Windows 10.

~~~
carleton
As another user said- "It's barely 5 megabytes.. and it's probably not
connecting to anything.

The protections for pre-installed apps help to make sure nothing else tampers
with them, e.g. injecting some malware, but I'm sure you can remove those
protections and reclaim the 5 MB if you really wanted to."

[1]
[https://news.ycombinator.com/item?id=19803067](https://news.ycombinator.com/item?id=19803067)

~~~
tssva
Chess was given as an example because it is the most ridiculous thing that
can't be removed. See
[https://news.ycombinator.com/item?id=19809880](https://news.ycombinator.com/item?id=19809880)
for my full response to the other user.

------
joshlegs
`DiableInstallNow` i liked this json key in the api

