PC Doctor monitors Archives

[German]PC-Doctor SupportAssist, which is pre-installed on many Dell systems, has a serious security vulnerability that allows permissions to be exploited. The component is also found in products from Corsair, Staples and Tobi. Dell has released an update.

I have already been informed of the topic by blog readers Leon from Greece a few days ago. Leon had sent me the link to this website. During last weekend other blog-readers also send me similar hints. Thank you very much for the information. Unfortunately I haven’t time to publish an article about this topic.

Background: PC-Doctor Toolbox for Windows

The PC-Doctor SupportAssist is a rebranded component of the PC-Doctor Toolbox for Windows. This software can be downloaded from this website, and contains various feature for monitoring a PC. If you read the feature description, the software is a ‘must have’. But I myself would describe it as ‘snake oil’, which is advertised as a universal solution, but not really needed.

But various OEMs such as Dell ships this toolbox or components of it on their systems – sometimes under a slightly different name. The components that enable Dell’s SupportAssist to access sensitive low-level hardware (such as physical memory, PCI and SMBios) come from the PC-Doctor Toolbox and were written by PC-Doctor. Also products of Corsair, Staples and Tobi contain this PC-Doctor Toolbox for Windows or at least components of it.

Dell SupportAssist

Dell SupportAssist is a software that comes from the PC-Doctor Toolbox mentioned above and is pre-installed on most Dell PCs. The software proactively checks the state of the system’s hardware and software. These ‘health checks’ of certain system components require permissions at a high level – i.e. administrator rights are required. To perform actions that require high permissions, a signed driver is installed in addition to several services running as a SYSTEM. So much for preliminary remarks on the subject.

SafeBreach finds serious vulnerability

Such constructions naturally arouse the interest of various safety researchers, including Peleg Hadar of SafeBreach Labs. In the first approach, he concentrated on the services concerned, as he writes on this website. Especially the service “Dell Hardware Support” is critical, because it allows access to the PC hardware with high authorization level and has the possibility to initiate a privilege escalation.

After the Dell hardware support service is launched, it runs the DSAPI.exe program, which in turn starts pcdrwi.exe. Both processes then run with the authorization level SYSTEM. Next, the service runs numerous PC Doctor programs that collect information about the computer’s operating system and hardware. These executable files are actually normal PE files, but have a different extension – “p5x”.

All these executables load DLL libraries that have the ability to collect information from various sources (software and hardware). After the libraries were loaded, the security researchers discovered the following via ProcMon:

(Click to zoom)

Three of the p5x executables attempt to call the following DLL files in the c:\python27 branch (located in the PATH environment variable):

• LenovoInfo.dll
• AlienFX.dll
• atiadlxx.dll
• atiadlxy.dll

At this point you don’t really need to read any more – because this construction, which almost is a notorious case for DLL hijacking, I have discussed in various blog posts in a different context. Stefan Kanthak has found this construct, which is a potential vulnerability, in many software packages and provided me with a test bed to detect such vulnerabilities (calling dependent DLLs). Peleg Hadar, of SafeBreach Labs, writes that he examined the whole thing in a VM. This revealed serious beginner mistakes made by the developers of the PC Doctor tools.

The c:\python27 directory in the test environment had an ACL that allows any authenticated user to write files to this folder. This makes a privilege extension a breeze. This allows a normal user (and thus running malware) to store a DLL file in this folder. He only has to overwrite one of the DLL files mentioned above with his own DLL of the same name. As soon as the tools of the PC-Doctor are called, they execute the manipulated DLL with the permissions of SYSTEM. The DLL then has control over the system and can perform arbitrary actions.

The SafeBreach Labs article ontains further analyses that explain the internal structure of the PC Doctor tools. Basically, however, all of this can be reduced to: The whole software is big crap and should be uninstalled from the system pronto. At the end of th eSafeBreach Labs  article other affected software products like CORSAIR Diagnostics, Tobii I-Series Diagnostic Tool etc. are also mentioned.

Blog reader Al-CiD sent me the link to a Dell security alert on Sunday. DSA-2019-084: Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs Security Update for PC Doctor Vulnerability describes the CVE-2019-12280 vulnerability. This vulnerability has been classified as High in terms of threat level and affects the following Dell software.

• Dell SupportAssist for Business PCs version 2.0
• Dell SupportAssist for Home PCs version 3.2.1 und vorherige Versionen

Dell states that subsequent versions of Dell SupportAssist for Business Systems and Dell SupportAssist for Home PCs provide a solution to the problem:

• Dell SupportAssist für Business-PCs Version 2.0.1
• Dell SupportAssist für Heim-PCs Version 3.2.2.2

Dell recommends all customers to perform updates (auto update or manual update) as quickly as possible. The Hacker News have also published articles on the topic. My recommendation is to uninstall this software and left this snake oil from the system as soon as possible (if possible). Background of this statement: Once I have never needed anything like this on my systems before. Secondly, I assume that the ACL settings have simply been adjusted in such a way that access to the folder is no longer possible for every user. Which vulnerabilities (also with regard to DLL hijacking) still left is unclear. Only recently Dell had to update the SupportAssist because of a remotely exploitable vulnerability.

Rising PC Doctor includes eight function modules like “Audit”, “Protection” “Anti-Trojan”, “Leaks”, “Repair”, “Optimization”, “Expert Tools”, and “Top Software”. It can update function components in accordance with users’ demands and internet security issues to meet the various demands of different users.

Anti-Trojan

Rising PC Doctor software has multiple convenient and easy-to-operate methods of searching and killing Trojans, including Quick Scan, Overall Scan and Custom Scan.

Leaks Fixing Function

Users can use default Leaks settings that are recommended by Rising PC Doctor, or customize the Leaks that need repairing by clicking “Repair immediately “button to repair them. Or users can check relevant vulnerability settings and click “Ignore “button to add these Leaks to the list of ignored items.

Computer Repair

Users can use default repairing settings that are recommended by Rising PC Doctor, or customize the dangerous items that need repairing by clicking “Repair immediately” button to repair them. Or users can check relevant dangerous items and click “Ignore” button to add these dangerous items that users think safe to the list of ignored items.

Computer Optimization

The Optimization functions of Rising PC Doctor include: Optimize Startup, Process Management, Clean Plug-ins, Clean Junk Files, Clean Private Information.

The application is suitable for users that that are tasked to maintain the integrity of and repair when needed different types of Total Recall VR archives. The application can also be used to convert each type of a Total Recall VR archive to any other type of a Total Recall VR archive.

In summary, the application offers:

• Integrity check of data stored in archive databases.
• Integrity check of recordings stored in archives in the trc file format.
• Rebuild of any type of archive to any type of archive.
• Convert legacy disc archives (from 4.x systems) to latest generation archives.

Runtime

Total Recall VR Archive Doctor is a Java™ application that is designed to run on a PC with the Windows™ 7, 8 or 10 operating system. The application depends on a number of mandatory and optional 3^rd party applications, libraries and drivers to run. For full details please see the User Guide for the application.

Licensing

Total Recall VR Archive Doctor is a licensed application and requires a valid Activation License to run.

Each Activation License activates one application only, is node-locked and not transferable. That is, each Activation License activates one instance of the application on one PC and cannot be used to activate a different application on the same PC, or the same, or different, application on another PC. If you retire a PC with an Activation License for an application, and wish to use the same application on a new PC, then you need to purchase a new Activation License for the application for the new PC. For full details see the full text of the software license.

You can purchase an Activation License now - cost AU$50.00. For volume licensing please contact us.

Alternatively, if you wish to trial the application for 10 days for free, then:

1. Download and install the application on a PC.
2. Activate the trial when you run the application for the first time.

Note that the application will automatically stop working at the end of the free trial period and it will not be possible to activate another 10 day trial on the same PC for the same application.