OEM: Let's differentiate our otherwise commodity hw product!
OEM: I know, let's add value with bundled software the customer can't uninstall!
Then the bundled software turns out to (inevitably) be useless vulnerable garbage. Inevitably because a) the customer doesn't need it, b) it's engineered with all the effort that normally goes into adware for captive audiences (i.e., _minimal_), which means it will be vulnerable.
It works, too. This is partly why the iPhone was so popular, at first. It's been so long now that probably everyone has forgotten, but before the iPhone, essentially every smartphone on the market was fully loaded with trialware, crapware, and often had hardware features locked out by software so that you could pay extra to unlock them.
I remember one particular phone that had four user-configurable hardware buttons, but Verizon had locked them down so that they all opened the Verizon ringtone store.
The iPhone was a breath of fresh air if only for its software.
Second product for this mythical OEM should just be a TV with an instant-on button and as many HDMI ports as will fit given a small-as-possible bezel. One model per year per common size, one price. Big sale on Thanksgiving and then the slightly better ones come out.
EDS - Remember that big huge company H. Ross Perot ran? We TRIED to buy PCs from hardware vendors without Windows. They refused due to how Bill locked them into contracts. If it was to run Windows, then Windows was shipped with every single hardware sale. On the bill of lading.
Government doesn't pay for stuff they don't use. Didn't want Windows if they were to run UNIX (Santa Cruz Operations XENIX System 5, to be precise). Wonder why some people at SCO went crazy and snorted their futures? Blame Bill.
I was just setting up a slightly older System76 desktop this evening when I came across how they handle firmware updates [1]. That's very impressive to me, showing concern about only using blobs when there's no other option, being transparent about signing, and explaining their QA process, not to mention the whole utility being open-sourced. That's worlds ahead of any other OEM PC manufacturer I've ever seen.
OEM: how can we make money on a commodity platform, when someone else controls most of the design parameters and they are dictated to us, and margins are razor thin, because most people who buy PCs want to spend the least amount of money?
OEM Sales: we have companies lining up to bundle software on our computers and they are all willing to pay big money to be bundled, and even more money to be bundled and not be removable.
OEM: yay, we can be profitable!!!!!
Not one person really thinks the bundled software is of any value, other than the cash the bundling fee generates. If it was illegal for OEMs to bundle software you'd see even more contraction in the PC OEM market.
In both the phone and PC space I do not understand the need to do this at all. There is commoditization of the market on the low end, but high end products that compete with iphones and macbooks are definitely not commodity and there is ample differentiation to be had on quality where mindshare can reap substantial margins on a smart investment of good design.
Plus, once it's gotten on the machine, why bother to patch it? You've achieved your goal and it was most likely written to spec by a vendor who has already been paid and moved on.
Somehow I found this the other day when searching for a new laptop. 2 models, identical, one with Windows 10 pre-installed and one FreeDOS (of all OSes!). 100€ cheaper. Perhaps not to everyone, but that's a worthwhile difference to me as a non-Windows user.
Not the only way. I used to use ddctool [0] to change brightness on monitors and it worked even with some cheap old Benq displays. Unfortunately Linux doesn't support DDC over DisplayPort Multi-Stream Transport, but you won't need to worry about that. All you need is some Windows alternative to ddctool. This was the first search hit: https://www.clickmonitorddc.bplaced.net/
Yeah, it's not the only way. Windows actually provides an easy-to-use API to change screen brightness (since it's a standardised feature). I made a little physical knob that connects via USB to control mine since those capacitive buttons are a right pain.
General sanity aside, the whole exploit hinges on the fact that they used string parsing to check for the prefix "http". This wouldn't have been exploitable if they used a proper URL library.
The sane thing would have been to not use an HTTP server at all. This part is pure laziness. It is trivial to communicate with a Windows service locally through named pipes.
I found something similar to this a few years back[1], where the daemon would download and run anything if just “dell” was in the referring host. It seems they have improved the security somewhat by using white lists, but their coding practices seem a bit shoddy. Why have an SDK token at all if it’s public and globally shared?
I wouldn’t be surprised if a lot of the code was shared between the previous incarnation that I found an issue with and this pre-installed version.
Given this is an RCE, and affects so many machines, does anyone else think it's unreasonable that it took Dell 5 months to fix this?
Aside from anything else, it would have been terrible publicity for Dell if an exploit for this vulnerability was used in a large malware campaign - I just don't get why they would wait so long to fix it.
I've seen something similar when I open Dell's site. uMatrix shows an attempt to run a localhost script, which looks shady as hell.
I've never let that run. Much easier to just flip the laptop over, enter the six-digit service code, and see if there are any new drivers/BIOS updates available for my laptop.
I've not yet seen anyone comment on the fact that Dell was informed in late Oct, confirmed by late Nov...and the public was advised in mid April. That's a lot of time for a known and confirmed vulnerability to be undisclosed, isn't it?
I'm not surprised in the least, they have a Bugcrowd program and I've submitted at least one P2 that took months to fix, and best of all - they don't pay bounties! What a joke if you ask me.
I would have publicly disclosed after 90 days. A single line of code would have closed the URL problem and could have been deployed the next day. Six months is ridiculous.
I don't think there will ever come a time when 1) savvy users will stop suggesting/recommending clean Windows installs on new computers and 2) OEM bloatware will stop being crap.
I clean-installed Win10 recently. There was no driver installation I had to do - everything works great, and there are no unidentified devices in Device Manager. Say what you will about Windows 10, but that part is really cool. Save for video cards, the pack-in drivers are often better and less hassle. Plus they auto update.
I definitely advocate for Windows 10, it has a lot of features I like, but the auto-installing drivers has been a nuisance for me.
The biggest issue is when I have a computer with both integrated graphics, and a dedicated graphics card. I used to disable integrated graphics in the BIOS, but this causes a litany of problems now. Even with integrated disabled, Windows 10 will still try and install the drivers for it, and every time it does this, they seem to take precedence over my dedicated drivers. I ended up giving up and just enabling integrated and leaving the drivers there.
Just be careful not to let video drivers auto-update if you're fending off shovelware. Last time I said "check for updated drivers" on my nVidia graphics card I was force-fed the Geforce Experience utility.
Also (having spent the day reinstalling a new Dell 2-in-1 with a clean Windows install) a few of the devices were quite happy (if generic) in Device Manager but didn't work quite right until I manually installed the drivers off the Dell website. (The ones that spring to mind were the wifi, audio drivers and the webcam, but there might have been others.)
Recently reinstalled W10 onto a laptop (dual booting with legacy/UEFI is somewhat of a headache); the hoops you have to jump through during installation are downright hell.
Cortana just yells at you until you can turn it off, you have to deselect every invasive feature and then get to some Windows "sign into your MS account" bullshit.
Just.... why... since when did installing operating systems turn into avoiding landmines?
Linux and Mac install pretty quick, but Windows? Fuck off.
The author exploited this by adding a space to the URL so it no longer started with http:// but rather (space)http://, but it looks like the call to Replace would be ineffective if the URL started with HTTP:// as well.
There were a bunch of ways to bypass the check. For example another way would be to use "http:\\" which wouldn't get detected either. The new version isn't vulnerable.
My question, too. I've got Linux on my Dell laptop, but I still had to read a lot of the article to figure out if my laptop had the RCE. I wish they'd put "Windows" in the article headline, but I guess "market forces" prevent them from doing that. I am a firm Free Market person, but this does inconvenience me personally.
Dell fucked up and should be held accountable. Being in America they will more than likely face legal action of some sort over this. I would hope so anyway.
I installed Arch on this Dell laptop without even seeing Windows. I personally would do as you suggest if I wanted Windows on it but then I own an MS "partner". Everyone else has to run the uninstallers and hope that they actually remove everything and not leave things behind.
It's been a while... but prior to my current laptop, I'd generally remove the factory HD and replace with an SSD before even booting once. Installing a fresh OS from the start.
What is the bounty on a report like this, and does Dell operate an official bug bounty program? How much do you think a report like this should be worth?
"Dell bug bounty program" and the like don't turn up obvious results to me.
Dell probably doesn't run one. If it did, I'd guess somewhere on the order of $20k? If the exploit was being bought by a company who traffics in zero-day exploits, some multiple of that.
Preinstalled crapware is one of the main reasons I still build my own desktops. Back when I used to buy Dells or HPs for the kids I always began the relationship with a reformat and reinstall. That was easy for me at the time because I had a complete MSDN sub with access to all versions of MS operating systems.
Couldn't this vulnerability be exploited by creating a free Wi-Fi access point, opening a captive portal on the user's device and attacking them from there? Another option is to wait until the victim requests something with HTTP (some ad networks still use it) and inject the payload into the traffic.
Nice writeup! Only feedback is it seems like you don't need to DNS hijack anything. Seems like you can just register localhost-lollolanything.com and pull the attack off, no?
A piece of software opens a port to allow a remote website to trigger "download and execute" actions on a URL pointing to an .exe file.
The security check they have is that they check the domain is dell.com and that the string starts with "https://". If it starts with http:// it is replaced by the https version. In theory I could consider this risky but safe.
The mistake is that they do not force a URL that starts with something else to fail. The attacker could bypass the check by providing " http://fakedns.dell.com/haxorz.exe" (with a space at the beginning) and it passed the check.
This is not the first flaw of this style I am seeing. I don't think a teacher ever explicitly told it to me but I always assumed that relying on DNS for authentication was a dangerous thing to do and that URLs were doing too many things behind the scenes to be trustworthy without being extremely picky.
Maybe it all changed with https, but trusting the execution of an exe without at least checking a crypto signature lights some red flags in my brain.
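The check described in the comment above (rewrite http:// to https://, then look for dell.com) and the bypasses mentioned earlier in the thread (a leading space, HTTP://, http:\\) are re-created below as an added example; this is not code from the page, from Dell or from the article under discussion. It puts the fragile string check next to a parser-based allow-list check, and goes slightly beyond the thread by also covering two host-matching tricks it does not mention (credentials in the authority, a non-default port). The allow-listed apex domain, the function names and every sample URL are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-listed apex domain for this example (not taken from Dell's code).
ALLOWED_APEX = "dell.com"


def naive_check(url: str) -> bool:
    """Prefix/substring check in the style the thread describes.

    A plain http:// prefix is rewritten to https://, and the only other
    question asked is whether the allow-listed domain appears in the string.
    Nothing forces a URL that starts with something else to fail, so a
    leading space, an upper-case scheme or a backslash form all slip past.
    """
    if url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    return ("." + ALLOWED_APEX) in url or url.startswith("https://" + ALLOWED_APEX)


def strict_check(url: str) -> bool:
    """Parser-based check: exact scheme, structural host match, no normalisation.

    Verifying the code signature of the downloaded file would be the next
    layer; that is not part of this example.
    """
    # Refuse to clean up the input: whitespace anywhere means it is not a URL we trust.
    if not url or any(ch.isspace() for ch in url):
        return False
    parts = urlsplit(url)
    # The scheme is compared after parsing (urlsplit lower-cases it), so
    # "HTTP://", "http://" and "http:\\" are all rejected here.
    if parts.scheme != "https":
        return False
    # Credentials in the authority ("a.dell.com@evil.example") move the real
    # host to after the "@"; reject them rather than reason about them.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    host = parts.hostname            # lower-cased, credentials and port stripped
    if not host:
        return False
    # Dot-boundary match: accepts "dell.com" and "*.dell.com", rejects
    # "evildell.com" and "dell.com.evil.example".
    return host == ALLOWED_APEX or host.endswith("." + ALLOWED_APEX)


# Constructed sample URLs: one legitimate download, the bypass shapes
# mentioned in the thread, and a few classic host-matching tricks.
SAMPLES = [
    "https://downloads.dell.com/drivers/foo.exe",
    "HTTPS://DOWNLOADS.DELL.COM/drivers/foo.exe",
    " http://fakedns.dell.com/haxorz.exe",
    "HTTP://fakedns.dell.com/haxorz.exe",
    r"http:\\fakedns.dell.com\haxorz.exe",
    "https://dell.com.evil.example/x.exe",
    "https://a.dell.com@evil.example/x.exe",
    "https://evildell.com/x.exe",
]


def compare(urls=SAMPLES):
    """Return (url, naive_result, strict_result) for each sample."""
    return [(u, naive_check(u), strict_check(u)) for u in urls]


if __name__ == "__main__":
    print("naive strict url")
    for url, naive, strict in compare():
        print(f"{naive!s:5} {strict!s:6} {url!r}")
```

Run as a script it prints one row per sample. The naive check accepts every bypass shape and, because it compares case-sensitively, rejects a perfectly valid upper-case URL; the parser-based check gets all of them right because it reasons about the parsed scheme and host rather than about where a substring happens to sit.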
This doesn't sound quite as scary as the title. You still have to do one of these things that will all be nearly impossible in general. It's not like you can just set up a website and wait for victims to visit it.
- XSS on one of Dell's sites.
- Find a Subdomain Takeover vulnerability on a Dell site.
- Make the request from a local program.
- DNS Hijack the victim.
HP uses a similar service (HP Support Assistant) that permits the HP website to discover your machine and drivers. It would be nice to discover if it has the same vulnerability...
Hmm. I have a Dell laptop, but replaced Windows 10 with Ubuntu. I doubt I'm vulnerable to that... but my security stance is probably not as strong as it could be.
Feel pretty validated on my decision that the OEM doesn't need a support backdoor on PCs. SupportAssist looked like a remote access tool combined with PC-Doctor.
I bought an Alienware that cost $4300 last year, and that's after $900 in savings.
The computer arrived in a box that had 2 handle sized holes in it and I could see the computer directly exposed from the outside without the box being open. It had shipment dust and debris INSIDE THE BOX. It's the saddest, cheapest, most sorry ass excuse for a shipment I've ever seen. I took pictures, I couldn't believe it.
Then I booted it up and was inundated with Dell pre-installed software. Wiped the thing clean, got a Win10 ISO directly from MS and called it a day. This will be the last Dell I ever buy. Lesson learned.
But, like so many other articles about security vulnerabilities, there seems to be a general attitude among most people (including many IT shops) that "it's an isolated incident", and "the experts will fix it...".
"It's an isolated incident", and "The experts will fix it...".
They said the same thing about Spectre, Meltdown, Rowhammer attacks, what have you.
"It's an isolated incident", and "The experts will fix it...".
Well, if you read HN long enough, you'd know that there's too much of this on too regular a basis to continue to espouse those views.
I'm going to go for broke here.
I'm going to put on my conspiracy "what if" tin-foil hat, and ask two questions.
The first is related to Virus-Checking and Security Software -- like Norton, McAfee, etc. How do we know that any of it doesn't contain remote code execution (aka major security) vulnerabilities?
You see, if I were the bad guys, that's where I'd put it.
Also, let's say you have Nation States. Could you see one of these guys "persuading, for the good of their country" one or more of their same-nationality corporations to put such vulnerabilities into their "Security" software?
In other words, maybe you have a Chinese producer of anti-virus/security software, and maybe it has little "surprises" for non-Chinese Citizens.
Maybe you have an American producer of anti-virus/security software, and it too has little "surprises" for non-American Citizens.
You see? Nation A thinks that it's permissible and OK for it to compromise Nation B's "Security" software. And Nation B thinks the same thing, but in reverse.
Even if Nation States are removed from the equation, you still have the Virus Checker/Security software company themselves. How do you know that random employees at that company haven't tainted that software in some way?
In other words, "Who guards the guardians?"
Which is my second question.
It's an ancient philosophical question.
"Who guards the guardians?"
We The People - do not seem to be doing such a good job these days...
All I know is that you might be seeing a whole lot more "isolated incidents" that "the experts will have to fix" in the future, unless We The People - step up to the plate...
Well I think it's very possible that backdoors are set up by governments like you say.
But I also think that even if they don't, it also seems very possible that vulnerabilities are quite common as mistakes. Just due to the realities of security.
In my opinion security is much more difficult than people realize.
For example in this case there seems to be a majority opinion something along the lines of "What an idiot! _I_ would never make that mistake!". It's much easier to say that in hindsight than it is to really execute secure code that no one can defeat. The response might be "well, no one broke into any of _my_ systems so far" and I would say .. how do you know they didn't? And also, maybe no one bothered to try to exploit you because you are not a high value target. Or they are just busy and will get to trying to penetrate you next week.
I think this is due to the complexity of software and IT rather than general negligence.
This is an exploit in the shitty software that OEMs put on their Windows images. Stuff like this is practically universal (minus Apple), and the fact that Dell hasn't (AFAIK) actively bundled very evil malware with their computers makes them far from the worst offender.
cryptonector|6 years ago
Here's an idea:
That would be fantastic.
[1] https://github.com/system76/firmware-update
OEM: Profit
It's possible to have pre-loaded software without ruining everything.
anotheryou|6 years ago
- updates served via HTTP through the browser only
- as a binary (exe)
- from a domain other than dell.com (delldisplaymanager.com)
- signed by a 3rd party (En Tech Taiwan)
- and nagging about updates every reboot
(you can get an outdated version via dell.com, but it will want to update through said channel immediately)
(And I bet this one gets pinged for updates, having the full url to the exe in the update check: https://www.entechtaiwan.com/updates/public/ddm.inf )
[0]: https://github.com/danielng01/ddctool
DiseasedBadger|6 years ago
One could easily fuck usage of a library. Common sense is required.
Attempting to ban "http" as a method of ensuring "https", is obviously less ideal than ensuring "https"... by checking for "https".
1. https://tomforb.es/dell-system-detect-rce-vulnerability/
throwaway5752|6 years ago
first CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3718 (from DSA)
second CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3719 (also from DSA, this is the exploit described in this submission)
gloflo|6 years ago
Seeing how close Dell (both the company and the man) are to the US government, surely this is a backdoor by the Americans?
stevenjohns|6 years ago
What the US takes issue with is foreign governments having that kind of power.
kibibu|6 years ago
(apart from the download whitelist)
sannee|6 years ago
This is the trivial one. You can just set up a free Wi-Fi access point next to a restaurant that people from company-you-want-to-hack like to visit.
bayareanative|6 years ago
Has anyone disabled IME by putting it into HAP mode or another mode?
Jonnax|6 years ago
Does it work in a similar way?
taspeotis|6 years ago
https://www.laptopmag.com/articles/microsoft-signature-editi...