DCCService.exe runs on autostart as SYSTEM.
This service has auto-update functionality:
it periodically checks
https://otbs.azurewebsites.net looking for a new config file.
Under normal conditions we cannot spoof this connection because it uses SSL.
WebUtils.sendWebRequest() is executed using
RunImpersonated() executes the given function in the context of the currently logged-in user.
On Windows, any user can add any certificate to their own
(current user) root store.
That certificate is then considered
trusted, so we can perform a MITM attack.
It can be done using a simple proxy server, because by default .NET
HttpWebRequest() uses the IE proxy settings (which can be set by any user without administrator privileges).
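The condition that makes the MITM possible is a trust anchor that lives only in the user's Root store. The following is an added example written for this page, not code from the advisory or from Dell: it enumerates the CurrentUser\Root store (which, through CryptoAPI, also exposes the machine roots) and reports every anchor that is absent from LocalMachine\Root. On a clean workstation the result is normally empty; the self-signed root store entry this attack depends on shows up here. The class and method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not the advisory's or the vendor's code).
// Lists trust anchors that are present in the current user's Root store
// but not in the machine Root store, i.e. anchors an unprivileged user added.
static class UserRootAudit
{
    public static IList<X509Certificate2> UserOnlyRoots()
    {
        // Collect thumbprints of every machine-wide root first.
        var machineThumbprints = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var machine = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            machine.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 c in machine.Certificates)
                machineThumbprints.Add(c.Thumbprint);
        }

        // The CurrentUser Root logical store includes the machine roots, so
        // anything not seen above was added at user level.
        using (var user = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
        {
            user.Open(OpenFlags.ReadOnly);
            return user.Certificates.Cast<X509Certificate2>()
                .Where(c => !machineThumbprints.Contains(c.Thumbprint))
                .ToList();
        }
    }

    static void Main()
    {
        foreach (var c in UserOnlyRoots())
        {
            // A root whose subject equals its issuer is self-signed; a user-added
            // self-signed CA is exactly what the proxy-based interception needs.
            bool selfSigned = c.Subject == c.Issuer;
            Console.WriteLine($"{c.Thumbprint}  {c.Subject}  self-signed={selfSigned}  " +
                              $"notAfter={c.NotAfter:yyyy-MM-dd}");
        }
    }
}
```

Run it under the account that the service impersonates; a service that validates chains inside RunImpersonated() will trust every certificate this program lists.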
The config file looks like this:
So the service checks whether it has the newest version installed and, if not, downloads a new one.
But before execution the service also verifies
b = chain.Build(cert); runs using
This means we can add a self-signed certificate with
cn=dell inc to the user root store and it will be considered trusted.
After all these checks the downloaded file is executed as SYSTEM using:
So we can execute any
msi file as
This method has one drawback though: the service checks the config file only once every several hours, so keep this in mind.
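Two design errors combine here: the chain is built in the impersonated user's context, so the user's Root store is a valid trust anchor, and the publisher is recognised by subject name, which anyone can put into a self-signed certificate. The following is an added example, not the service's code, showing how an updater can verify a downloaded package without either weakness: it runs in the service's own context (never inside RunImpersonated()), pins the root of the built chain by thumbprint instead of trusting a name, and fetches the config with an explicit proxy setting so the user's IE proxy is not honoured. The class, the method names and the PinnedRootThumbprint placeholder are assumptions of this example; X509Certificate.CreateFromSignedFile only extracts the signer certificate, so a production updater must additionally validate the Authenticode signature over the file contents (for example through WinVerifyTrust), which is left out here.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the service's code). Hardened update verification:
// pin the trust root by thumbprint, require the code-signing EKU, and keep
// every check in the SYSTEM context instead of the impersonated user's.
static class UpdateVerifier
{
    // Placeholder: thumbprint of the publisher's root CA, shipped with the service.
    const string PinnedRootThumbprint = "<PINNED ROOT CA THUMBPRINT>";
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning

    // Returns true only if the chain built for 'leaf' ends at the pinned root.
    static bool ChainEndsAtPinnedRoot(X509Certificate2 leaf, Oid requiredEku)
    {
        using (var chain = new X509Chain())
        {
            if (requiredEku != null)
                chain.ChainPolicy.ApplicationPolicy.Add(requiredEku);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            if (!chain.Build(leaf))
                return false;

            // Last element is the self-signed root the chain was anchored to.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, PinnedRootThumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    // Verifies the signer of a downloaded package. Call this from the
    // service's own security context, never inside RunImpersonated().
    public static bool IsTrustedUpdate(string path, string expectedPublisherCn)
    {
        X509Certificate2 signer;
        try
        {
            // Extracts the signer certificate only; signature-over-contents
            // validation still has to be done separately (see lead-in).
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException)
        {
            return false; // unsigned or malformed file
        }

        if (!ChainEndsAtPinnedRoot(signer, new Oid(CodeSigningEku)))
            return false;

        // The name is checked last and only as a secondary constraint:
        // a matching CN proves nothing without the pinned chain above.
        return string.Equals(signer.GetNameInfo(X509NameType.SimpleName, false),
                             expectedPublisherCn, StringComparison.Ordinal);
    }

    // Builds the config download request so that neither the impersonated
    // user's proxy settings nor their Root store influence the TLS check.
    public static HttpWebRequest CreateConfigRequest(Uri configUrl)
    {
        if (configUrl.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("update channel must be HTTPS", nameof(configUrl));

        var request = (HttpWebRequest)WebRequest.Create(configUrl);
        request.Proxy = null; // do not pick up per-user IE proxy settings
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None || cert == null)
                return false;
            // Re-run the chain build in this (SYSTEM) context against the pinned root.
            return ChainEndsAtPinnedRoot(new X509Certificate2(cert), null);
        };
        return request;
    }
}
```

With this arrangement a certificate injected into a user's Root store changes nothing: the TLS callback and the package check both fail unless the chain terminates at the thumbprint the service was built with, and the proxy a user configures in Internet Options is never consulted.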
Proof of Concept:
SSL certificate for the domain:
Put the public and private keys into one
Then we need to generate a code signing certificate and sign the malicious msi file:
A successful execution looks like this in the log file:
- 05-02-2017: Discovered
- 05-02-2017: Vendor notified
- 07-02-2017: Dell acknowledged vulnerability
- 13-02-2017: Received fix for testing
- 19-02-2017: Sent blog draft and planned responsible disclosure date: 28.02.2017
- 22-02-2017: Dell requested additional time till end of March
- 13-03-2017: Version 188.8.131.52, A00 released
- 28-03-2017: Dell requested additional two weeks, till 14.04.2017