Remote Code Execution on Most Dell Computers(d4stiny.github.io) |
- XSS on one of Dell's sites.
- Find a Subdomain Takeover vulnerability on a Dell site.
- Make the request from a local program.
- DNS Hijack the victim.
This is the trivial one. You can just set up a free Wi-Fi access point next to a restaurant that people from company-you-want-to-hack like to visit.
The computer arrived in a box that had two handle-sized holes in it and I could see the computer directly exposed from the outside without the box being open. It had shipment dust and debris INSIDE THE BOX. It's the saddest, cheapest, most sorry-ass excuse for a shipment I've ever seen. I took pictures, I couldn't believe it.
Then I booted it up and was inundated with Dell pre-installed software. Wiped the thing clean, got a Win10 ISO directly from MS and called it a day. This will be the last Dell I ever buy. Lesson learned.
Has anyone disabled IME by putting it into HAP mode or another mode?
Does it work in a similar way?
https://www.laptopmag.com/articles/microsoft-signature-editi...
But, like so many other articles about security vulnerabilities, there seems to be a general attitude among most people (including many IT shops) that "it's an isolated incident", and "the experts will fix it...".
"It's an isolated incident", and "The experts will fix it...".
They said the same thing about Spectre, Meltdown, Rowhammer attacks, what have you.
"It's an isolated incident", and "The experts will fix it...".
Well, if you read HN long enough, you'd know that there's too much of this on too regular a basis to continue to espouse those views.
I'm going to go for broke here.
I'm going to put on my conspiracy "what if" tin-foil hat, and ask two questions.
The first is related to Virus-Checking and Security Software -- like Norton, McAfee, etc. How do we know that any of it doesn't contain remote code execution (aka major security) vulnerabilities?
You see, if I were the bad guys, that's where I'd put it.
Also, let's say you have Nation States. Could you see one of these guys "persuading, for the good of their country" one or more of their same-nationality corporations to put such vulnerabilities into their "Security" software?
In other words, maybe you have a Chinese producer of anti-virus/security software, and maybe it has little "surprises" for non-Chinese Citizens.
Maybe you have an American producer of anti-virus/security software, and it too has little "surprises" for non-American Citizens.
You see? Nation A thinks that it's permissible and OK for it to compromise Nation B's "Security" software. And Nation B thinks the same thing, but in reverse.
Even if Nation States are removed from the equation, you still have the Virus Checker/Security software company themselves. How do you know that random employees at that company haven't tainted that software in some way?
In other words, "Who guards the guardians?"
Which is my second question.
It's an ancient philosophical question.
"Who guards the guardians?"
We The People - do not seem to be doing such a good job these days...
All I know is that you might be seeing a whole lot more "isolated incidents" that "the experts will have to fix" in the future, unless We The People - step up to the plate...
But I also think that even if they don't, it also seems very possible that vulnerabilities are quite common as mistakes. Just due to the realities of security.
In my opinion security is much more difficult than people realize.
For example in this case there seems to be a majority opinion something along the lines of "What an idiot! _I_ would never make that mistake!". It's much easier to say that in hindsight than it is to really execute secure code that no one can defeat. The response might be "well, no one broke into any of _my_ systems so far" and I would say .. how do you know they didn't? And also, maybe no one bothered to try to exploit you because you are not a high value target. Or they are just busy and will get to trying to penetrate you next week.
I think this is due to the complexity of software and IT rather than general negligence.
"The protections for pre-installed apps help to make sure nothing else tampers with them, e.g. injecting some malware, but I'm sure you can remove those protections and reclaim the 5 MB if you really wanted to."
OEM: Let's differentiate our otherwise
commodity hw product!
OEM: I know, let's add value with bundled
software the customer can't uninstall!
Then the bundled software turns out to (inevitably) be useless vulnerable garbage. Inevitably because a) the customer doesn't need it, b) it's engineered with all the effort that normally goes into adware for captive audiences (i.e., _minimal_), which means it will be vulnerable.
Here's an idea:
OEM: Let's differentiate our otherwise
commodity hw product!
OEM: Let's add NO bundled software.
That would be fantastic.
I remember one particular phone that had four user-configurable hardware buttons, but Verizon had locked them down so that they all opened the Verizon ringtone store.
The iPhone was a breath of fresh air if only for its software.
"There are apps from Flipboard and Spotify as well as an unremovable version of Facebook. McAfee Anti-virus is baked into the operating system as "security," and the Samsung Gallery app wants to share my location with Foursquare. The storage management settings, which is just a simple file-cleanup app, is "Powered by Qihoo 360," a Chinese security company. A caller-ID feature built into the phone app is provided by a company called "Hiya."
Once you run through setup and connect to Wi-Fi, the phone spawns an undismissable "Secure Wi-Fi" notification, which, it turns out, is an ad for McAfee VPN subscription service. I tried blocking the notification—it's not blockable—but it turns out you can open the advertisement, carefully consider subscribing to McAfee VPN, say "No," and then it will go away. Cool."
https://arstechnica.com/gadgets/2019/04/galaxy-s10-review-fo...
I had a similar issue with a phone I bought around 2005. I wanted an unlocked device, and by EU law, a carrier can't refuse to sell you that. So just pop into any store, right?
The device was unlocked but carrier branded, so the useless menu locked in place front-and-center was doubly useless because none of the carrier services worked.
I made sure to never get any phone through any carrier after that, and now that Android phones are having the same problem I'm so glad I did. Mine have always been crap free.
Funny, apple did this to iPod touch
Please. I use a 4k TV as my computer monitor. It's works fairly well for that because I researched it and found a good fit, but I use a remote to start it every time, and it takes 15-20 seconds before it's ready to receive input. That's a long time to be sitting in front of your computer waiting, especially when it happens 3-10 times a day.
OEM: Let's make more money.
OEM: We can sell out our users while claiming we aren't.
EDS - Remember that big huge company H. Ross Perot ran? - We TRIED to buy PCs from hardware vendors without Windows. They refused due to how Bill locked them into contracts. If it was to run Windows, then Windows was shipped with every single hardware sale. On the bill of lading.
Government doesn't pay for stuff they don't use. Didn't want Windows if they were to run UNIX (Santa Cruz Operations XENIX System 5, to be precise). Wonder why some people at SCO went crazy and snorted their futures? Blame Bill.
OEM Sales: we have companies lining up to bundle software on our computers and they are all willing to pay big money to be bundled, and even more money to be bundled and not be removable.
OEM: yay, we can be profitable!!!!!
Not one person really thinks the bundled software is of any value, other than the cash the bundling fee generates. If it was illegal for OEMs to bundle software you'd see even more contraction in the PC OEM market.
I take issue with that. Approx. one year ago it was using excessive CPU on my Dell. I tried to uninstall, but the uninstaller crashed.
I turned to dell.com and then Google. Turned out that thousands of people had the same problem, but no solution from Dell.
This is a sorry PoS application. In my experience, OEMs like Dell, HP create horrible software and drivers.
https://www.google.com/search?q=can%27t+uninstall+dell+suppo...
Is a user expecting to be able to trust their manufacturer unreasonable?
The day that hardware vendors get over the idea that they need to "add value" to software that they resell will be a very good day for everyone.
OEM: Profit
It's possible to have pre-loaded software without ruining everything.
Besides, an end user will never have enough permission to download and install a driver - because if they did they’d be in a position to defeat the DLP, VPN posturing, shitty antivirus and disk encryption tools that have to be installed to satisfy the four nearly identical checklists produced by at least as many independent IT security organizations who most likely hired the same auditor multiple times.
Small to mid sized businesses would probably be all over this though.
- updates served via HTTP through the browser only
- as a binary (exe)
- from a domain other than dell.com (delldisplaymanager.com)
- signed by a 3rd party (En Tech Taiwan)
- and nagging about updates every reboot
(you can get an outdated version via dell.com, but it will want to update through said channel immediately)
(And I bet this one gets pinged for updates, having the full url to the exe in the update check: https://www.entechtaiwan.com/updates/public/ddm.inf )
I have an AutoHotkey script triggering the DDM, but it's not working well.
One could easily fuck usage of a library. Common sense is required.
Attempting to ban "http" as a method of ensuring "https", is obviously less ideal than ensuring "https"... by checking for "https".
It also made it clear that trying to use a URL to restrict stuff is a bad idea. Like the dell updater could only load signed requests which means an attacker would have to get dell's private key for signing.
I wouldn't characterize it as "pure laziness" - more a questionable feature
I wouldn’t be surprised if a lot of the code was shared between the previous incarnation that I found an issue with and this pre-installed version.
first CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3718 (from DSA)
second CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3719 (also from DSA, this is the exploit described in this submission)
Aside from anything else, it would have been terrible publicity for Dell if an exploit for this vulnerability was used in a large malware campaign - I just don't get why they would wait so long to fix it.
I've never let that run. Much easier to just flip the laptop over, enter the six digit service code, and see if there are any new drivers/BIOS updates available for my laptop.
I clean-installed Win10 recently. There was no driver installation I had to do - everything works great, and there are no unidentified devices in Device Manager. Say what you will about Windows 10, but that part is really cool. Save for video cards, the pack-in drivers are often better and less hassle. Plus they auto update.
The biggest issue is when I have a computer with both integrated graphics, and a dedicated graphics card. I used to disable integrated graphics in the BIOS, but this causes a litany of problems now. Even with integrated disabled, Windows 10 will still try and install the drivers for it, and every time it does this, they seem to take precedence over my dedicated drivers. I ended up giving up and just enabling integrated and leaving the drivers there.
Also (having spent the day reinstalling a new Dell 2-in-1 with a clean Windows install) a few of the devices were quite happy (if generic) in Device Manager but didn't work quite right until I manually installed the drivers off the Dell website. (The ones that spring to mind were the wifi, audio drivers and the webcam, but there might have been others.)
cortana just yells at you until you can turn it off, you have to deselect every invasive feature and then get to some windows sign into your ms account bullshit
just.... why... since when did installing operating systems turn into avoiding landmines
linux and mac install pretty quick, but windows? fuck off
// Prefix check as posted in the thread (C#): it only rewrites an exact "http://"
// prefix, so a string that starts with anything else (for example a leading space)
// is left untouched and is never forced onto HTTPS.
bool flag2 = file.Location.ToLower().StartsWith("http://");
if (flag2)
{
    file.Location = file.Location.Replace("http://", "https://");
}
I trust the new version isn't vulnerable to this...
Seeing how close Dell (both the company and the man) are to the US government, surely this is a backdoor by the Americans?
Dell fucked up and should be held accountable. Being in America they will more than likely face legal action of some sort over this. I would hope so anyway.
Which America are we talking about here? The one that let Equifax off scot-free for leaking the entire country's personal financial info with security that resembles GeoCities?
Dell won't get punished for shit.
What the US takes issue with is foreign governments having that kind of power.
(apart from the download whitelist)
"Dell bug bounty program" and the like don't turn up obvious results to me.
A piece of software opens a port to allow a remote website to trigger "download and execute" actions on a URL pointing to an .exe file.
The security check they have is that they check the domain is dell.com and that the string starts with "https://". If it starts with http:// it is replaced by the https version. In theory I could consider this risky but safe.
The mistake is that they do not force a URL that starts with something else to fail. The attacker could bypass the check by providing " http://fakedns.dell.com/haxorz.exe" (with a space at the beginning) and it passed the check.
This is not the first flaw of this style I am seeing. I don't think a teacher ever explicitly told it to me but I always assumed that relying on DNS for authentication was a dangerous thing to do and that URLs were doing too many things behind the scenes to be trustworthy without being extremely picky.
Maybe it all changed with https, but trusting the execution of an exe without at least checking a crypto signature lights some red flags in my brain.
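The check this comment describes (and the earlier point that you ensure https by checking for https, not by banning http), reconstructed in Python beside a parse-based replacement. This is an added example, not code from the thread or from Dell; the allowlisted host name and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of exact download hosts; the real product's list is not on the page.
ALLOWED_HOSTS = frozenset({"downloads.dell.com"})
ALLOWED_SUFFIX = ".dell.com"


def vulnerable_check(url: str):
    """Reconstruction of the flawed validator as the thread describes it (not Dell's code).

    1. If the string starts with 'http://', rewrite that prefix to 'https://'.
    2. Require that 'dell.com' appears somewhere in the string.
    Nothing rejects a string that starts with something other than a scheme, so
    ' http://fakedns.dell.com/haxorz.exe' (leading space) comes back unchanged, and a
    download layer that is more lenient about whitespace then fetches it over plain HTTP.
    Returns the URL that would be downloaded, or None if rejected.
    """
    if url.lower().startswith("http://"):
        url = "https://" + url[len("http://"):]
    if "dell.com" not in url.lower():
        return None
    return url


def hardened_check(url: str):
    """Validate by parsing, not by prefix tests. Returns the URL or None.

    Rules: no leading/trailing whitespace (rejected before parsing, because URL
    parsers disagree on how to treat it); scheme must be exactly https (reject,
    do not rewrite); host must be an allowlisted host or a subdomain of dell.com;
    no userinfo, so 'https://downloads.dell.com@attacker.example/' cannot pose as
    a Dell host. Verifying a signature on the downloaded binary is a further layer
    that this function does not replace.
    """
    if not url or url != url.strip():
        return None
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = parts.hostname  # lower-cased, port stripped, None if absent
    if not host:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if host not in ALLOWED_HOSTS and not host.endswith(ALLOWED_SUFFIX):
        return None
    return url


# Constructed sample inputs (not real download URLs).
SAMPLES = [
    "http://downloads.dell.com/drivers/foo.exe",            # plain http: vulnerable path upgrades it
    "https://downloads.dell.com/drivers/foo.exe",           # legitimate
    " http://fakedns.dell.com/haxorz.exe",                  # the leading-space bypass from the thread
    "https://dell.com.attacker.example/foo.exe",            # contains 'dell.com' but wrong host
    "https://downloads.dell.com@attacker.example/foo.exe",  # userinfo trick
    "ftp://downloads.dell.com/foo.exe",                     # wrong scheme
]


def compare(urls=SAMPLES):
    """Return {url: (vulnerable_result, hardened_result)} for each sample."""
    return {u: (vulnerable_check(u), hardened_check(u)) for u in urls}


if __name__ == "__main__":
    for u, (v, h) in compare().items():
        v_label = "accept" if v else "reject"
        h_label = "accept" if h else "reject"
        print(f"{u!r:58} vulnerable={v_label}  hardened={h_label}")
```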
Abusing Windows' ability to obtain HW drivers through UEFI (something which can be used for good) to bundle shit-ware is just absolutely rotten.
Holy cow. Would you have a link on this?
(sarcasm)
[i thought it uninstalled itself after a few months]
The protections for pre-installed apps help to make sure nothing else tampers with them, e.g. injecting some malware, but I'm sure you can remove those protections and reclaim the 5 MB if you really wanted to.
https://developer.apple.com/library/archive/documentation/Se...
Do try to stay on target when communicating with people. It is impolite to suddenly change a topic of discussion to yourself.
It's not like reputation has no value. Reputation is an intangible. You'll be able to put a fairly accurate dollar value on reputation after ruining it, but you should be able to estimate it before trying to ruin it.
Problem is, intangibles have an out-of-sight, out-of-mind effect going on: because you don't see them when putting a dollar value on tangible things, you tend to ignore the intangibles.
Companies often find this out the hard way and end up taking tremendous PR damage. Remember United's PR damage when they had to have cops drag a passenger off the plane because they wanted to "bump" him? Yeah. That sort of thing. Or perhaps the 737-MAX saga. Or any number of such events.
But - I feel this is causing them harm in the long run.
I feel that there is a mostly win-win were they to step in and just try to move against the bad shenanigans. I feel that even big companies like Dell, Sony etc. shoot themselves in the foot with this stupidity.
I've been on Mac for 10+ years now, strongly looking for change, but I'm wary of that kind of Windows stupidity.
https://www.law.com/dailyreportonline/2019/01/28/judge-oks-e...
Disabling system integrity protection to uninstall them should not be required and I'm guessing wouldn't be a long term solution anyways because likely they would reappear when upgrading macOS versions. There is also the issue of why does chess need greater protection from being tampered with than say Apple Pages.
Try an analog TV and you'll see real speed!
Replacing:
bool flag2 = file.Location.ToLower().StartsWith("http://");
with:
bool flag2 = Regex.IsMatch(file.Location.ToLower(), "^http:");
doesn't help. You have to make sure to actually replace http, not just check the start of the line.
My iPhone bought direct from Apple didn't have anything like that. Nor did my friends who buy on contract with carriers (UK).
What carrier did you buy from and did you restore from a backup/iCloud?
Backup/iCloud access are forbidden as per company IT security data management rules.
Apple keeps track of what you type for autocorrect and word prediction. "Apple installs a keylogger on every iPhone."
It is "an autonomous subsystem ((...)) incorporated in virtually all of Intel's processor chipsets since 2008. ((One)) can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. ((It)) always runs as long as the motherboard is receiving power, even when the computer is turned off."
According to the EFF it "has full access to memory (without the parent CPU having any knowledge); has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall".
You might even say that quality and security are orthogonal, at least in this particular case. That might not even be wrong.
I used to think the same until I got a T480. I was drawn to it because it was one of the few laptops that still has a direct hardware Function-key row (I use linux, so software Function Keys are not fun).
The keyboard, while mechanically excellent, is horribly designed if you depend on it to do your job: They "innovated" by moving the Home/End keys up to the Function row, they "innovated" by completely removing the context menu key from the keyboard and placing the PrintScreen key (of all things) in its place, and they also placed the Fn key at the bottom left corner of the keyboard where Ctrl is usually located (you can fortunately swap Ctrl/Fn with each other in the BIOS, so the last one isn't an issue if you're willing to live with mislabeled keys).
If you're a heavy keyboard user, I strongly suggest properly testing a laptop's keyboard before buying.
While I never used the context key (and indeed neither my 60% layout nor the original IBM Model M layout seem to have it anyway), I don't see the purpose of a Print Screen there either.
The Fn/Ctrl swap is... confusing. I'm guessing Lenovo tried to copy the MacBook format without thinking it through. Personally, I prefer Caps Lock as Control, though. I never use Caps Lock.
Home and End on laptops have almost always (it seems) been up on the function row. On a traditional layout, they're to the right, which obviously would not work on smaller form factors. Even with the 7-row keyboard, it was on the top.
Having tried other light laptops including the MacBook 13, the XPS 13, the HP Spectre 13, the Razer Blade Stealth, and the Dell Latitude 73 something or other (this was pretty good)... they just can't compete mechanically. No concavity on the keycaps is a big bummer. Some of them are obnoxiously loud. Some of them have piss-poor tactile feedback. Some of them are okay, but lack travel. Some of them bottom out too hard. Some of them bottom out too softly. It's a rough keyboard game out there. None of the layouts work for me on their own, so I always have to end up tweaking them slightly to my tastes. Caps Lock is useless to me, and I prefer Backspace being one key down. I've considered swapping Right Shift, but I'm not sure what to swap it to. Any ideas?
Personally, I'm currently standardized & stockpiled on two legacy ThinkPad models, and one of the reasons is keyboards. I also transplant keyboard parts manufactured to T60 specs into later models, because Lenovo started making the keyboard flex-prone, even as the part was otherwise equivalent.
For some reason some screws have fallen out the S1 and I have no idea where to get replacements, but it still feels fairly sturdy. I like the keyboards on both machines even though they are very different. The track pads are decent for a Windows laptop.
I really wish Lenovo would open retail stores. It would be nice to be able to try the machine out before you buy it and have a local place to take it for service.
The cruft that they pack in are a bunch of system utilities that replicate the basic Windows tools. It's mostly stuff about Wifi management, power management, etc... None of it seems to be very well made and I recommend getting rid of it all and getting as close to a stock version of Windows as you can.
Here's a random article covering it https://www.howtogeek.com/226308/the-windows-platform-binary...
You can find others by searching for "lenovo wpbt" or "lenovo unremovable crapware".
I guess that is what the feature is designed for, though.
What feature did you pay to unlock on iPod touch? I'm struggling to remember...
The first iPod touch had a broadcom chip that supported Bluetooth, but wasn't supported in the software stack. You needed to upgrade to use the Bluetooth hardware that you had already paid for.
By making updates paid, Apple was charging users for work that had been done on the software side after the user made their initial purchase.
<conspiracytheory>That's probably why the phone manufactures were asked by Google and the carriers to remove that feature.</conspiracytheory>
Edit: As pointed out by josteink, the BIOS wasn't backdoored - it was used to install a backdoor. But calling what it installed "insecure Windows-software" is also inaccurate. According to https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci..., its purpose was man-in-the-middle attacks against the user. So I still think criminal liability and jail time would be just. Ordinary people have been sent to jail for far less.
The BIOS itself was fine, but it contained insecure Windows-software which it requested/instructed Windows to install.
Install any other OS (like Linux) and there would be no backdoor at all.
To be clear I’m not trying to defend Lenovo’s actions here, I’m just trying to be clear about what this incident was actually about. The simplistic description is IMO a bit too simplistic in this case.
That would be up to a prosecutor. A civil suit would take the form of a class action.
I think it would be perfectly fair for Microsoft to require OEM licensees to not use that feature for shitware installations. I can't see how that would fall afoul of antitrust or related regulations. Maybe I'm wrong though, that was a while ago and it wasn't my specialty when I practiced law.
UEFI doesn't install anything. It provides a machine-specific binary for Windows to install (intended to ensure that Windows has proper drivers for all the machine’s hardware).
Windows then decides to install this, based on the assumption that OEMs won’t bundle non-critical shit-ware using this method. Which has turned out to be the faulty assumption here.
Either way: Use any other OS except Windows and these UEFI-bundled binaries do nothing. They're duds.
UEFI doesn’t need to be “tricked” and it can’t force the installation of anything into an OS not wanting it.
It’s really simple, so no need to invent overly complicated threat models.
For example, would loading Grub first, and then loading Windows from Grub, prevent the issue?
The laptop is certainly nice though.
I will probably still buy one if it materializes, and is functional.
I didn't want to use PureOS so I installed NixOS and everything seems to work fine.
I used to have an issue where the fan would get stuck on high after resume, but I think that was fixed when I updated coreboot to the latest version.
If you wipe the whole disk, you still need to use a bootable restore USB to restore it.
This has nothing to do with the fact that it is UEFI booting.
You don’t have to keep supporting Samsung by buying their phones. Get a pixel instead.
Being virtually stock Android, pre-installed software is easily disabled (even FB) - the only major complaint is inability to assign Bixby button to something else without rooting.
I hadn't messed with tasker in a long time but that got me back.
(for example, the Moto G7. Of course, lots of people have Lenovo concerns)
After my "flagship" HTC10 became unusable within 2 years because of battery issues, I was in the market for a new phone. But I was determined to not spend over $250. I ended up with a Nokia 6.1. The only issue with it is that it is just a little slow because it uses a Snapdragon 435 (I think). However, for the same reason its battery lasts up to 2 days. Other stand-out features are the unibody metal design, and Android One (meaning no bloatware). I bought it for only $180 from Best Buy after price match, and sold the HTC for $60 at decluttr.com. I think this is one of the best-value purchases I ever made - up there with a Toyota Corolla.
With that being said, I'll be switching to an iPhone for privacy reasons, starting with my next phone and I've been a loyal Android user since Google started with the G1. How times have changed...
Also HMD Global seem to be reliable at giving the security updates OTA.
I haven't looked at the newer Nokia 7.1.
But, well, put it this way. If Google or Apple had offered first-party solutions to each of those services, would they be criticized for offering bloatware as well? No, probably not. So, is the issue here that the services aren't first-party (Spotify) or that they aren't from traditionally trustworthy sources (McAfee)? If it's the former, why does it matter? If it's the latter, then Samsung should be more clear about the extent of the influence of the other company, which they are not, but that shouldn't necessarily exclude them from collaborating.
Now, there are some key issues that should be criticized. Hard. A persistent notification? It's unforgivable. Facebook? The amount of tracking they can do makes them a threat to the device. It's basically spyware. It can be disabled, sure, but it shouldn't be enabled in the first place (except to enable Gear VR, I guess).
But really, can you trust any major tech company, considering programs like PRISM exist and are in operation? What differentiates Google from Apple when the device is still able to transmit whatever it wants to whoever it wants however it wants? Apple or Google may or may not be tracking some piece of data, but that doesn't necessarily mean that it isn't being collected and tracked by someone. That the companies themselves don't happen to store the data that happens to be the very thing they make their money protecting and using? It's definitely better in that your data isn't being used for the company's profit, but is it really any better for privacy from, say, the government?
The tech community seems to assume that software from Apple and Google will be well-thought-out and useful, and will be easy to dismiss if the user doesn't want it. The community seems to assume the opposite of anything from any other hardware company.
Honestly, those assumptions seem correct about 80% of the time.
Wait, can you expand on this? Are you saying (current, existing) Bluetooth radios can be used for location tracking without additional hardware/OS support?
My other choices are Google (expensive, multiple Nexus letdowns in past), Samsung/LG (awful software), Chinese phones (crapware, I don't trust), Sony (abusive relationship), a bunch of other brands with other reasons I dislike, or iPhone (costly and I don't like the UI).
Rooting will still give you the most functionality, but Samsung has finally at least partially relented.
On mine the plastic frame cracked between the power button and the volume control (I think a reasonably common problem with this phone; I've never had a frame crack on any other phone). After that one button gets stuck on, which makes the phone cycle-reboot - OK - I can work around that. Then the microphone went bad: that is caused by the crack putting pressure on the micro-connector, which causes an electrical issue. That wasted more time and eventually my workaround for that issue failed.
I have had close experience with 5 different Nexus devices, and 4 of the 5 had nasty failure modes.
The Nexus line has been far less reliable than the iOS devices I have had experience with, and all the Apple devices got far more security updates over their useful life. Note: I usually use Android phones and iPad tablets (although I have also personally had iPhones and Android tablets).
And then I heard the horror stories of everyone in my office who, having had a great experience with the N5, went and bought a Pixel.
So my two complete failures due to the crack were not "catastrophic" then?
The case cracking is common, and those two failures were common enough: most users would consider the phone uneconomic to fix, and not everyone has my tenacity or skill to waste time fixing their phone.
I also think it was that phone where the flash slowed enough to make it barely usable.
Back on topic.
The only Nexus I have had that hasn't had a problem was a Samsung Nexus 10 (still goes, but stuck on insecure Android 5.1).
The only Samsung phone I have had was the original Galaxy Nexus, which was still going when I gave it away last year. Its problems were: 1. screen burn-in (OLED) and 2. Google didn't release Android 4.4 (due to TI dropping OMAP4 support?) even though 4.4 came out within 2 years. That phone cost more than an iPhone 4. My colleagues got iPhone 4 phones at the same time, and they got updates for twice as long and their phones remained useful for far longer.
So my experience with Samsung hardware has been good. I have always avoided buying Samsung because I hate their modified Android versions and lack of updates.