Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Dell SupportAssist is an overarching solution on all Windows systems that can help/monitor hardware and software problems. BIOSConnect is a feature of SupportAssist that allows remote OS recovery or firmware updating. If there are a vulnerability in this, it would be quite bad!

The BIOSConnect feature to accept any valid wildcard certificate when it connects to the Dell server. Because anybody can create a valid certificate, this breaks the security of DNS. Now, an active interceptor can spoof the endpoint!

With UEFI Secure Boot is disabled, this allows for a malicious image to be loaded via the BIOSConnect. Eventually, this allows for code execution within the pre-boot environment.

With Secure Boot enabled, it is not simple enough to load the malicious image. This is because of signage and other things that occur when loading the image. This means we need more vulnerabilities in order to exploit this!

Because vulnerability #1 allowed for MitM attacks, we can abuse that. The data being sent back has parsing issues that lead to buffer overflow vulnerabilities in the OS recovery process and the other in the firmware update process.

From a real world perspective, I doubt many people would be seriously effected. First, you need an MitM position, which is not trivial to get. Second, the bugs are only possible to exploit when this service is in use. I personally have never used this service before, meaning this would take a long time to exploit.

I'm not a huge fan about how this post was marketed. Although I love the research, they do few things that are frustrating. First, the actual researchers are never credited in the article (besides the person doing the webinar, maybe). Secondly, they do not include all of the details; instead, they are waiting until DEF CON to expose. And finally, because the service needs to be used for this exploit to work and the MitM requirements, I think this is overhyped.