Here is an interesting group of vulnerabilities that make life easy for hackers and the Chinese (or Russians, or Ukrainians or pick your country).
- Dell has a couple of features in Dell Foundation Services. One allows an unauthenticated user to get the Service Tag (Dell’s version of a serial number) over the net. With that, you can go to Dell’s web site and get the complete hardware and software configuration of the computer – useful to hackers, intelligence agencies and scammers. Another bug allows an attacker to remotely execute Windows WMI commands which allow you to access the system configuration including running processes and the file system and remotely run programs. Dells service runs on port 7779 and provides a SOAP interface – for ease of exploit. Err, ease of use.
- Lenovo has a bug in Lenovo Solution Center. It listens on port 55555 and allows an attacker to remotely execute any program – with SYSTEM privileges based on a whole series of flaws described in the article below. This could also allow a local attacker to execute programs with more privileges than the user has.
Both of these, most likely, are done to make support easier for either the vendor or enterprise users – without regard to the security consequences.
In theory these ports should be closed from the Internet – but not always – read below. Still, if an attacker gets onto your local network some other way, this is an easy way to increase the attacker’s footprint in your network.
3. AOL Desktop, an absolutely antique piece of software from the early 1990s is still being run by some users. It was an early attempt to access the web in a graphical fashion when the only connectivity users had was slow dialup. It uses a proprietary language called DFO which allows AOL’s servers to execute functions remotely on a user’s desktop. Given this was written more than two decades ago, no one thought about requiring authentication and it did not use SSL to protect the data stream. This means that all an attacker needs to do is find a system that is still running this antique and it can own it in a heartbeat.
Potentially, attacks from the outside should be mitigated by the user’s firewall, but apparently not always.
John Matherly of Shodan, the search engine for Internet of Things attacks, did a quick search to see if he could find systems that responded. For the Dell feature, he found around 12,800 webservers that responded to that port. Of those, about 2,300 are running software that looks like it is from Dell, He ran a quick script and was able to collect about 1,000 Dell service tags. He didn’t try this for the other exploits – that I know about.
Obviously, we did not know, until now, about these wonderful Dell, Lenovo and AOL features. That doesn’t mean that hackers and foreign (or domestic) intelligence agencies didn’t know about them.
Why bother with really obscure and hard attacks to get into computers that you want to when you can just, basically, walk in the front door.
The big question is how many more of these features exist that we have not found.
And since manufacturers have no liability as a result (other than getting a little bad press that blows over quickly), they have no incentive to do things securely. And also, since they don’t even tell you that they are doing it, you as a user cannot make an educated decision as to whether you want the manufacturer’s “help” in this manner.
Soooooo, HOW MANY MORE FEATURES ARE THERE? Features that are here today or will be here tomorrow. As vendors try to help users without considering the security implications. This is just from a quick round up of the news that I happened to hear about today.
Information on the Shodan search can be found here.
For information on the Dell feature, go to LizardHQ.
For information the Lenovo feature, go to PC World.