This specific subject was already talked in mid-November 2014 when it was discovered and reported to Dell which patched it in January 2015, but it’s uncertain if the fix closed all the “holes”.
The faulty application it’s called “Dell System Detect” and is used by Dell computer owners when access Dell’s support website for the first time. The main purpose of the tool is to detect the product in use by the client and providing the drivers for the hardware.
Besides this, the software could be used to force the system to download and silently install malicious programs. Forbes discovered the way to trigger the ” downloadandautoinstall function” and creates a python script that generate valid authentication tokens:
“So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL,” “This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user.”
Tom also explained that Dell patched the software in 9 of January, blocking the original exploit, but Tom couldn’t check how the authentication is made in the new software version because now Dell obfuscated the program’s code (that makes reversing it very, very difficult).
Let’s close the post by using the comment provided by Tom Forbes:
“So in conclusion we can make anyone running this software download and install an arbitrary file by triggering their web browser to make a request to a crafted localhost URL. This can be achieved a number of ways, and the service will faithfully download and execute our payload without prompting the user.”
“I don’t think Dell should be including all this functionality in such a simple tool and should have ensured adequate protection against malicious inputs. After contacting Dell and discussing the issue with their internal security team they pushed out a fix that included obfuscating the downloaded binary. While I cannot be sure I think they simply changed the conditional from “if dell in referrer” to “if dell in referrer domain name”, which may be slightly harder to exploit but just as severe. There is now also a big agreement you have to accept before downloading that specifies what the software can do.”
About the Author Elsio Pinto
(Security Affairs – Dell System Detect, Dell)