12. The Weekly Shatter
Here are a few highlights from each article we discussed:
- The Dell SupportAssist utility is pre-installed software that ships on many Dell computers and is designed to “proactively check the health of your system’s hardware and software”. It works by running a web server locally on the system and accepting various commands from certain sites. In this case, the researcher (Bill) noticed it when the utility automatically detected his PC and installed the drivers he needed (CVE-2019-3719).
- The vulnerability here is that this utility can allow for remote code execution. If the attacker can bypass the referrer/origin check, he or she can send their own commands to the system.
- Bill identified 4 ways this can be achieved:
  - Find a Cross Site Scripting vulnerability in any of Dell’s websites (I should only have to find one on the sites designated for SupportAssist).
  - Find a Subdomain Takeover vulnerability.
  - Make the request from a local program.
  - Generate a random subdomain name and use an external machine to DNS Hijack the victim. Then, when the victim requests [random].dell.com, we respond with our server.
- Bill went with option 4 and used a MITM attack to trick the utility into accepting his malicious payload. Dell has since patched the vulnerability and released an advisory on it.
- Dell patched it before it was known to be exploited in the wild, but now that PoC code is public it could be exploited on unpatched systems.
- What should users do? Patch your stuff.
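As an added illustration (not from the article or from Dell’s code) of why the bypass options above work: a local helper service that accepts any subdomain of the vendor’s domain over any scheme will trust a hijacked `[random].vendor.example`, whereas an exact HTTPS allowlist rejects it. The hostnames and both check functions are constructed placeholders, not SupportAssist’s real logic.

```python
"""Origin checks for a local helper web service (constructed example)."""
from urllib.parse import urlsplit

# Constructed allowlist of the exact pages allowed to talk to the local service.
ALLOWED_HOSTS = {"support.vendor.example"}
VENDOR_DOMAIN = "vendor.example"


def weak_origin_check(origin: str) -> bool:
    """Loose check: any subdomain of the vendor domain, on any scheme/port.

    A DNS hijack of a random subdomain (served over plain HTTP) passes this
    check, which is the weakness the fourth bypass option relies on.
    """
    host = urlsplit(origin).hostname or ""
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def strict_origin_check(origin: str) -> bool:
    """Hardened check: exact hostname allowlist, HTTPS only, default port only.

    Random subdomains are rejected outright, and requiring HTTPS means a
    spoofed DNS answer alone is not enough: the page must also present a
    certificate the browser trusts for the allowlisted name.
    """
    parts = urlsplit(origin)
    return (
        parts.scheme == "https"
        and parts.hostname in ALLOWED_HOSTS
        and parts.port in (None, 443)
    )


def evaluate(origins):
    """Return {origin: (weak_result, strict_result)} for a list of Origin values."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample Origin header values, including the hijacked-subdomain case.
    samples = [
        "https://support.vendor.example",        # legitimate page
        "http://x7k2q.vendor.example",           # hijacked random subdomain, plain HTTP
        "https://x7k2q.vendor.example",          # hijacked random subdomain, HTTPS
        "https://vendor.example.attacker.test",  # lookalike on a foreign domain
        "null",                                  # opaque origin (sandboxed frame)
    ]
    for origin, (weak, strict) in evaluate(samples).items():
        print(f"{origin:40} weak={weak!s:5} strict={strict}")
```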
- The authorities are being fairly tight-lipped about this incident, which suggests to me that possibly this thing was more serious than what’s being portrayed thus far.
- The United States Department of Energy probably has rules about how they talk about these things—specifically avoiding words that sound overly dramatic, like “attack,” “catastrophe,” or “bouillabaisse”.
- Two Brazilian hackers carried out this attack.
- They defaced Cartoon Network websites by replacing videos of popular cartoon shows with videos of Arabic memes, Brazilian hip-hop songs, slideshows of various memes and funny images, and videos of Ricardo Milos, a well-known Brazilian male stripper.
- The defacement was carried out on April 25 and the defacement was live for 3 days.
- Cartoon Network portals in the UK, Hungary, Romania, Germany, Russia, Poland, the Czech Republic, Denmark, Norway, the Netherlands, Italy, Turkey, Mexico, Brazil, the Africa region, and the Arabic region were affected.
This Week’s Hoodie Scale
What the Dell?!
[Tim]: 6/10 Hoodies
[Emily]: 6/10 Hoodies
Threat Actor Goes on a Power Trip
[Tim]: 2/10* Hoodies
[Emily]: 3/10 Hoodies
Cartoon Network Dances On Air
[Tim]: 4/10* Hoodies
[Emily]: 3.5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!