Saturday, November 28, 2015

SuperFish 2.1: Dell System Detect’s "trusted site" makes users more vulnerable to exploit-based attacks

The recent SuperFish 2.0 incident has shown us that OEM machines are really bad on security. Today I finally got time to play with the issue and look around. I happened to find that there is actually another problem; this time it is not about pre-installed root certificates but a configuration problem which makes the user more vulnerable to targeted or drive-by attacks.

If you are using a Dell laptop, you probably know the "Dell System Detect" tool; it allows you to install and update all the drivers as well as other Dell software automatically.

I've found that after we install Dell System Detect, a specific domain name, "*.dell.com", is added to Internet Explorer's "Trusted sites". See the following figure, captured on my pretty old Dell laptop. The installed version is believed to be 6.11.0.2.


So, this is the problem I've found. But what does it mean? Why is it bad?

I've spent a couple of hours looking into the security problems such a "trusted site" may bring. Here is what I've found so far.

1. All webpages hosted at "*.dell.com" will be opened outside the IE sandbox (known as Protected Mode or Enhanced Protected Mode).

It means that a simple IE-based exploit (say, a Flash exploit) hosted anywhere at "*.dell.com" will immediately gain the same privileges as the current user, because there is no IE sandbox when you browse these URLs. The following figure shows the point.



According to my test, the same "no sandbox" issue also exists on the "Metro-style" IE.

2. All Office documents hosted at "*.dell.com" will be opened by Office outside the Office sandbox (the sandbox for Office is known as Protected View).

Usually, when a user downloads and opens a Word/PowerPoint/Excel document from the Internet, the document is opened in Office in Protected View mode. This is a very effective and important feature developed by Microsoft to help protect Office users. For example, we know that attack groups such as the Hacking Team use Flash-embedded Word documents to attack people; however, if the attacker hosts the malicious Word document on the Internet, normal users won't actually be attacked, because when they open the document it is opened within the Office Protected View sandbox. But if the attacker hosts the document somewhere on the "*.dell.com" domain, the document is opened without the sandbox, and the Dell laptop user will be pwned right away.

Note that this affects not only users who use IE to download documents, but also users of other browsers, such as Google Chrome. I've tested and found that when users use Chrome to download a "Dell-hosted" Word document, the document is also opened without the sandbox in Microsoft Word.

You may test it right away by downloading and opening this document released by Dell for "SuperFish 2.0":
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertRemovalInstructions.docx

Here is how it looks on a non-affected machine; all Office documents downloaded from the Internet should behave like this.


And here is how it looks on an affected machine; note that there is no sign of "Protected View", meaning there is no sandbox.




Exploitation
So, the problem is clear now. Because the "Dell System Detect" tool adds "*.dell.com" to the Trusted sites, all webpages hosted at "*.dell.com" will be opened outside the IE sandbox (both Desktop IE and Metro IE), and all Office documents hosted at "*.dell.com" will be opened outside the Microsoft Office sandbox.

Readers may argue: hey, this is dell.com, so it must be safe, right? Well, it might be true if we agree that none of the dell.com content can be hacked, but more obviously, the attacker can just use some tricks to host his/her malicious webpages or documents somewhere on *.dell.com and send the link to the victim. I'm not an XSS guy, but I've heard that some "stored XSS" tricks might help here. However, there's an easier way - here is one of the tricks I found in a couple of minutes.

The Dell forum site (http://en.community.dell.com) is a sub-domain of dell.com. The forum allows registered users to publish posts asking questions or opening discussions, and it also allows users to attach files. So I made a test: I created a test account, made a post with a Word document attached, and what happened then? My document is now hosted on the *.dell.com domain.

Here is the link to my test document:
http://en.community.dell.com/cfs-file/__key/telligent-evolution-components-attachments/00-4674-01-00-20-84-98-02/dell.docx

In short, the attacker may use some trick to host their malicious exploit - such as a zero-day Flash exploit or a Word exploit - on the *.dell.com domain. Then the attacker may send the link to victims who have Dell System Detect installed; in this way the attacker "bypasses" the IE/Office sandbox because there is no sandbox at all.

Solution
First, I hope Dell fixes this security problem as soon as possible.

Users who have concerns about this issue are recommended to simply remove "*.dell.com" from IE's "Trusted sites" window. Please note that according to my test, removing Dell System Detect won't remove the trusted site setting, but I personally suggest you remove the tool anyway in case it adds the trusted site back in the future.
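Added here as a defender's check, not code from the original post: a PowerShell script that lists every site the IE zone map assigns to the Trusted zone, reports whether Protected Mode is on for that zone, and can remove one domain's mapping (the fix recommended above). It assumes the standard ZoneMap\Domains registry layout; the function names are my own, and the HKLM entries need an elevated session.

```powershell
# Added audit/remediation script (not from the original post). Zone-map keys live under
# Domains\<domain>[\<host>]; each value is named after a scheme ("http", "https" or "*")
# and its DWORD data is the zone ID: 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$TrustedZone = 2

function Get-TrustedSiteEntries {
    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            $parts = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
            # A domain key with no host subkey covers the whole domain (IE shows it as *.domain).
            $site = if ($parts.Count -ge 2) { "$($parts[1]).$($parts[0])" } else { "*.$($parts[0])" }
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq $TrustedZone) {
                    [pscustomobject]@{ Hive = $root.Split(':')[0]; Site = $site; Scheme = $scheme; Key = $key.Name }
                }
            }
        }
    }
}

function Get-ProtectedModeState {
    param([int]$ZoneId)
    # Value "2500" under Zones\<id> is "Turn on Protected Mode": 0 = enabled, 3 = disabled.
    $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
    $v = (Get-ItemProperty -Path $zoneKey -Name '2500' -ErrorAction SilentlyContinue).'2500'
    if ($null -eq $v) { return 'not set' }
    if ($v -eq 0) { 'enabled' } else { 'disabled' }
}

function Remove-TrustedSiteEntry {
    # Deletes the zone-map key for a domain, the same change the IE "Trusted sites" dialog makes.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Domain)   # e.g. 'dell.com' for the "*.dell.com" entry
    foreach ($root in $ZoneMapRoots) {
        $path = Join-Path -Path $root -ChildPath $Domain
        if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Remove zone mapping')) {
            Remove-Item -Path $path -Recurse
        }
    }
}

Get-TrustedSiteEntries | Format-Table Hive, Site, Scheme, Key -AutoSize
"Protected Mode for the Trusted zone: $(Get-ProtectedModeState -ZoneId $TrustedZone)"
# Remove-TrustedSiteEntry -Domain 'dell.com' -WhatIf   # preview the removal before applying it
```

Any entry the report shows in the Trusted zone while Protected Mode reads "disabled" gets exactly the sandbox-free treatment described above, so the list is worth reviewing on any OEM image, not only for dell.com.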

Conclusion
When we look back at the whole issue, it all comes from one trusted site being added to IE's Trusted zone. However, such a "trusted site" will surely lower the user's security; specifically, it makes users more vulnerable to exploits hosted at the "trusted site". For vendors who have a habit of adding "trusted sites" - not just Dell - if you are not able to make 100% sure that all the content hosted on your "trusted site" is harmless, please don't do it.

* Declaration: this post, as well as other posts on this blog, reflects the author's personal opinions only.

17 comments:

  1. Nice! I really enjoyed reading your post. Thanks for sharing and keep up the good work.

    Dell Notebook repairs & HP Laptop repairs

  3. It is not a good idea to run any Dell malware. You can get the drivers and everything else you need directly from the OEMs Dell is using. Our laptop just kept crashing until we ditched their DUPs and re-installed Windows 7.

  5. This post will be very useful to us. I like your blog, and it is helpful to me. Nice thoughts for your great work.
    Apple IPAD Repairs &Apple Laptop repairs

  6. I wanted to thank you for this great read. Thanks for sharing.

    Hp Notebook repairs & Epson Projector repairs

  7. I agree with you. Thank you for sharing the update. It is interesting to have it discussed widely, so that we can gain more objective opinions.

    Benq Projector repairs & Hp Notebook repairs

  8. They are like only selling their bodies on the streets without any intimacy. However, on the other hand we have professional and educated top-notch Karachi Escorts who also understand that men do not only want body but the real pleasure with intimacy. In case you are going to a party hosted by elite people, then finding a partner overnight is a very difficult task. Here the real help comes in the form of Escort in Karachi, as you can hire them. The main responsibility of these girls is to provide you the best companionship in a friendly ambiance.

  9. Privacy is an important factor for wallets that have the technological platform. The privacy factor helps in securing your data and restricts the entry of unknown people who want to sneak into your Gemini account. If you're unable to manage privacy in Gemini, you can directly ping Gemini Support Number 1-800-861-8259 and avail the best possible solutions from the skilled professionals. They are active and always there to assist Gemini users whenever they encounter any difficulty. Gemini Support Number

  10. Do you know how to write a narrative essay? Read about these elements of a narrative story to get it done.

  11. What a wonderful post you have done here, guy. I liked such a good post.
  12. The information provided by you is very informative for me. Now I want to tell you about packers and movers in Gurgaon, which are very punctual in their service and provide service in many states of India.

  14. Good afternoon everyone. If you urgently need advertising for your project, go to this website and read this article. You will be able to understand the benefits of buying advertising from an outsourcing company. Online marketing outsourcing is the solution to your problems, specialists will be able to do the right, high-quality and fast advertising for your project. Try it and the result will not make you wait long!
