
PC Doctor Plays Down Vulnerability that Affects “100 Million” PCs

It wasn't me says Dell...

By CBR Staff Writer

PC-Doctor, a supplier of computer diagnostic systems installed on over 100 million computers, has played down the dangers of a severe vulnerability in its software that was exposed this week by a cybersecurity startup, SafeBreach Labs.

The comments came after SafeBreach reported the vulnerability to Dell, which subsequently pushed out a patch on May 28, followed by a security advisory yesterday.

The Bay Area-based security firm had identified the flaw by probing Dell’s SupportAssist software, which is underpinned by PC-Doctor.

Dell told Computer Business Review that 90 percent of affected systems had already been updated as of Friday morning. Numerous other OEMs are likely affected.

In comments emailed to Computer Business Review, Reno, Nevada-based PC-Doctor suggested the exploit would be challenging.

“To exploit this vulnerability, an administrative user or process must change the system’s PATH environment variable to include a folder writeable by non-admin users, and craft a DLL that exploits PC-Doctor’s administrative privileges. It is not possible to exploit this vulnerability without modifying default Windows settings.”

The company added: “The vulnerability was reported against PC-Doctor’s Dell Hardware Support Service, which is included with Dell’s SupportAssist, but also affects PC-Doctor Toolbox for Windows. Both products are persisted to systems to monitor for hardware issues and can be run on-demand. Urgent fixes were initially made available between 5/28/2019 and 6/17/2019.”


Dell Forced to Push Out Patches 

Researchers at SafeBreach Labs probing Dell’s hardware support service discovered that it executes numerous PC-Doctor executables that collect data about the PC’s operating system and hardware. The executables load DLL libraries that have permission to collect data from an array of system sources.

The issue arises when the system loads .dll files in an insecure manner, allowing someone to create .dll files of their own and have them loaded from an unsigned code library contained within their own folders.

Dell were quick to inform us that: “The vulnerability discovered by SafeBreach is a PC-Doctor vulnerability, a third-party component that ships with Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs.”

PC-Doctor Vulnerability Allows Privilege Escalation 

Researchers at SafeBreach Labs note that when the system searches for and loads a DLL library, it uses LoadLibraryW instead of LoadLibraryExW. The latter allows the search order to be defined with particular flags; without it, the system will load a DLL file located in the user's own folders.

[Image: Dell Vulnerability. Image source: SafeBreach Labs]

Peleg Hadar, Security Researcher at SafeBreach Labs, commented in his report that: “In my VM, the c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes the privilege escalation simple and allows a regular user to write the missing DLL file and achieve code execution as SYSTEM. It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory.”

This allows an unauthorised user to escalate their privileges in the system.
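Both preconditions named above (a directory on the system PATH, with an ACL that lets non-admin accounts write to it) can be checked on an endpoint. The following read-only audit is an added example, not code from SafeBreach, Dell or PC-Doctor; the list of SIDs treated as "non-admin" is an assumption of the example.

```powershell
# Added example: list machine PATH directories that low-privileged
# principals can write to. Read-only; run elevated so every ACL is readable.
# Deny ACEs are not evaluated, so treat each finding as "review this".

# Well-known SIDs treated as non-admin (assumption of this example).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow creating a new file in a directory.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData)
$generic   = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
$inhOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Services running as SYSTEM resolve DLLs through the machine-wide PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = $machinePath -split ';' | Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # Stale entry: flag it so the parent directory's ACL gets reviewed.
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'MISSING' }
        continue
    }
    $acl   = Get-Acl -LiteralPath $dir
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        # Inherit-only ACEs apply to children, not to the directory itself.
        $applies = -not ($ace.PropagationFlags -band $inhOnly)
        $canWrite = ($rights -band $writeMask) -or ($rights -band $generic)
        if ($ace.AccessControlType -eq 'Allow' -and $applies -and
            $lowPrivSids.ContainsKey($sid) -and $canWrite) {
            [pscustomobject]@{ Directory = $dir
                               Principal = $lowPrivSids[$sid]
                               Rights    = $ace.FileSystemRights }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

An empty result means no listed principal holds a write-capable allow ACE on any machine PATH directory; any row returned is a directory to remove from PATH or to re-ACL.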

[Image: Dell Vulnerability. Image source: SafeBreach Labs]

In a security advisory warning issued yesterday evening, Dell state that the vulnerability affects: “Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 3.2.1 and all prior versions.”

