Researcher finds backdoor opened by Dell’s helper app

A security researcher has discovered a serious bug in Dell System Detect, the software Dell users are urged to use to download the appropriate drivers for their machines. The flaw can be exploited by attackers to make the computer download and execute potentially malicious files.

The software, which can be downloaded from the Dell Support page, can thus be effectively used to open a backdoor in the target’s computer.

“While investigating this rather innocuous looking program I discovered that it accepts commands by listening for HTTP requests on localhost:8884 and that the security restrictions Dell put in place are easily bypassed, meaning an attacker could trigger the program to download and install any arbitrary executable from a remote location with no user interaction at all,” Tom Forbes claims.

He privately notified Dell of the problem in November 2014, and the company apparently fixed the issue in January 2015 by introducing additional validation and obfuscation.

Forbes says that his original proof-of-concept exploit no longer works, but he is skeptical of the quality of the fix.

“While I cannot be sure, I think they simply changed the conditional from ‘if dell in referrer’ to ‘if dell in referrer domain name’, which may be slightly harder to exploit but just as severe,” he noted, referring to the check on the HTTP Referer header that the program uses to decide whether a request came from a Dell domain.
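To show why a substring match on the Referer header is a weak gate, here is an added example (not Forbes' proof of concept and not Dell's code) that contrasts the two checks Forbes describes with an exact hostname allowlist. The Referer values and the allowlisted hostnames are constructed for illustration and are assumptions, not anything taken from the original report.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; not taken from Dell's software.
ALLOWED_HOSTS = {"www.dell.com", "support.dell.com"}


def check_substring(referrer: str) -> bool:
    """Forbes' reading of the original check: 'dell' anywhere in the Referer string."""
    return "dell" in referrer.lower()


def check_hostname_substring(referrer: str) -> bool:
    """Forbes' reading of the fix: 'dell' anywhere in the Referer's hostname."""
    host = urlsplit(referrer).hostname or ""
    return "dell" in host.lower()


def check_allowlist(referrer: str) -> bool:
    """Exact match of the Referer's hostname against a fixed allowlist."""
    host = (urlsplit(referrer).hostname or "").lower()
    return host in ALLOWED_HOSTS


# Constructed sample Referer values: one legitimate, the rest attacker-controlled.
SAMPLES = {
    "legit": "https://www.dell.com/support/home",
    "path_trick": "https://attacker.example/dell/",        # 'dell' only in the path
    "subdomain_trick": "https://dell.attacker.example/",   # 'dell' as a subdomain label
    "lookalike": "https://dellsupport.example/",           # 'dell' inside another name
}


def evaluate(check) -> dict:
    """Run one check over every sample and return {sample_name: accepted?}."""
    return {name: check(ref) for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    for fn in (check_substring, check_hostname_substring, check_allowlist):
        print(fn.__name__, evaluate(fn))
```

Moving the substring test from the whole URL into the hostname only removes the path trick; any hostname the attacker controls that contains "dell" still passes, which is the point Forbes makes. Even the exact-match version only restricts which web pages a browser will let talk to the listener; a non-browser client can set Referer to anything, so a localhost service that can install executables should also demand a secret the caller must know (for example a per-session token), not rely on Referer alone.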

When asked to comment on the matter, Dell launched into the usual spiel of “We take very seriously any issues that may impact the integrity of our products or customer security and privacy.”

“Dell does not work with any government to compromise our products to make them vulnerable for exploit, including through ‘software implants’ or so-called ‘backdoors’,” they added.

It’s possible that this backdoor was unintentional. In that case, Forbes made the right call in reporting the issue privately, and the company should be commended for fixing it relatively fast.

In any case, if you use the aforementioned software, you would do well to update it to the latest version.