Saturday, November 28, 2015

SuperFish 2.1: Dell System Detect’s "trusted site" makes users more vulnerable to exploit-based attacks

The recent SuperFish 2.0 incident has told us OEM machines are really bad on security. Today I finally got time to play into the issue and around. I happened to find that there is actually another problem, this time it is not about pre-installed root certificates, but a configuration problem which makes the user more vulnerable to targeted or drive-by attacks.

If you are using a Dell laptop, you probably know the "Dell System Detect" tool, it is a tool allowing you to install and update all the drivers as well as other Dell software automatically.

I've found that after we install the Dell System Detect, a specific domain name, "*.dell.com", will be added into the Internet Explorer's "Trusted sites". See following figure captured on my pretty old Dell laptop. The installed version is believed to be 6.11.0.2.


So, this is the problem I’ve found. But what does it mean? Why it is bad?

I’ve spend couple hours looking into the security problems such a “trusted site” may bring. Here is what I’ve found so far.

1. All webpages hosted at “*.dell.com” will be opened out of the Sandbox on IE (known as Protected Mode or Enhanced Protected Mode).

It means that a simple IE-based (say Flash exploit) hosted anywhere at “*.dell.com” will gain the same privilege of the current user immediately, because there is no IE Sandbox when you browsing these urls. Following figure shows the point.



According to my test, the same "no Sandbox" issue also exists on the "Metro Style" IE.

2. All the Office documents hosted at “*.dell.com” will be opened by Office out of the Office Sandbox (the Sandbox for Office is known as Protected View).

Usually, when a user downloads and opens a Word/PowerPoint/Excel document from internet, the document will be opened in Office with the Protected View mode. This is a very effective and important feature developed by Microsoft to help protect Office users. For example, we've known that attacking groups such as the Hacking Team use Flash-embedded Word documents to attack people, however, if the attacker hosts the malicious Word document on Internet, normal users won't be actually attacked because when they open the document the document will be opened within the Office Protected View Sandbox. But, if the attacker hosts the document somewhere on the “*.dell.com” domain, the document will be opened without the sandbox, and the Dell laptop user will be pwned right away.

Note that this not only affects users who use IE to download documents, but also for users using other browsers, such as Google Chrome. I've tested and found that when users use Chrome to download a “Dell-hosted” Word document, the document will also be opened without the Sandbox on Microsoft Word.

You may test it right away by downloading and opening this document released by Dell for “SuperFish 2.0”.
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertRemovalInstructions.docx

Here is how it looks like when you are from a non-affected machine, all the Office documents we downloaded from Internet should act like this.


And here is on an affected machine, note there is no sign of “Protected View”, means there is no Sandbox.




Exploitation
So, the problem is clear now. Because of the "Dell System Detect" tool adds the "*.dell.com" into the Trusted sites, all the webpages hosted at “*.dell.com” will be opened out of the Sandbox on IE (both Desktop IE and Metro IE), and all the Office documents hosted at “*.dell.com” will be opened out of the Sandbox on Microsoft Office.

Readers may argue, hey, this is dell.com so it must be safe, right? well, it might be true if we agree all of the dell.com contents can't be hacked, but more obviously, the attacker can just use some tricks to host his/her malicious webpages or documents on somewhere on the *.dell.com and send the link to the victim. I’m not a XSS guy but I’ve heard of some tricks of “stored XSS” might help here. However, there’s an easier way - here is one of the tricks I found in couple minutes.

The Dell forum site (http://en.community.dell.com) is a sub-domain of dell.com, the forum allows registered users to publish their posts asking questions or opening discussions, it also allows users to attach files. So I made a test, I created one test account, made a post with a Word document attached, and see what happened then? My document is now being hosted on the *.dell.com domain.

Here is the link of my test document.
http://en.community.dell.com/cfs-file/__key/telligent-evolution-components-attachments/00-4674-01-00-20-84-98-02/dell.docx

In short, the attacker may use some trick to host their malicious exploit - such as a zero-day Flash exploit or a Word exploit - on the *.dell.com domain. Then, the attacker may send the link to the victims who have the Dell System Detect installed, in such a way the attacker "bypasses" the IE/Office Sandbox because there is no Sandbox at all.

Solution
First, I hope Dell to fix this security problem as soon as possible.

Users who have concerns about this issue are recommended to simply remove the "*.dell.com" in the IE's "trusted sites" window. Please note that according to my test, removing the "Dell System Detect" won't remove the trusted site setting, but I personally suggest you to remove the tool anyway in case it adds the trusted site back in future.

Conclusion
When we look back to the whole issue, all is because of a trusted site is added into IE's trusted zone. However, such a "trusted site" will surely lower user's security - specifically it makes users more vulnerable to exploits hosted at the "trusted site". For vendors who have a hobby to add "trusted site" - not just Dell, if you are not able to make %100 sure that all the contents hosted on your "trusted site" are harmless, please don't do it.

* Declaration: this post as well as other posts on this blog site reflect the author's personal opinions only.