VYPR
Unrated severity · NVD Advisory · Published Jun 25, 2019 · Updated Aug 4, 2024

CVE-2019-12280

Description

An uncontrolled search path in PC-Doctor Toolbox before 7.3 allows DLL hijacking by an admin who modifies the PATH environment variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

PC-Doctor Toolbox for Windows before version 7.3 contains an uncontrolled search path element that can lead to DLL hijacking [1]. The vulnerability affects the PC-Doctor Toolbox for Windows and also the Dell Hardware Support Service within Dell SupportAssist, as well as rebranded versions for other OEMs [1]. The issue arises when the system's PATH environment variable includes a folder writable by non-admin users and a malicious DLL is crafted to exploit PC-Doctor's administrative privileges [1].

Exploitation

To exploit this vulnerability, an attacker must first have administrative access to modify the system's PATH environment variable to include a folder writable by non-admin users [1]. Then the attacker places a crafted DLL in that folder, which PC-Doctor's service will load due to the altered search order, escalating privileges through the service's administrative rights [1]. The default Windows configuration does not allow this; the vulnerability is only reachable after a non-default change to the PATH [1].

Impact

Successful exploitation allows an attacker with initial administrative access to achieve privilege escalation [1]. The attacker can execute arbitrary code with the elevated privileges of the PC-Doctor service, which runs with administrative rights [1]. This could lead to full system compromise, including data disclosure, modification, or disruption of system functionality.

Mitigation

PC-Doctor released updates to affected customers between May 28, 2019, and June 17, 2019, fixing the issue in PC-Doctor Toolbox version 7.3 and later [1]. Almost all affected users were automatically upgraded [1]. Users should ensure automatic updates are enabled or manually check for updates within the product [1]. Dell also released a security advisory for Dell SupportAssist [2]. No other workarounds are documented; the fix is the recommended mitigation.
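The precondition described under Exploitation, a machine-wide PATH entry that non-admin users can write to, can be audited on a host. The script below is an added example, not code from PC-Doctor, Dell or the advisory; the trusted-SID list and the set of rights treated as "writable" are assumptions to adjust for your environment.

```powershell
# Added example (defensive audit), not vendor code.
# Assumption: only these SIDs are trusted to write into PATH directories.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow planting a file in a directory, directly (CreateFiles) or by
# first rewriting the ACL (ChangePermissions, TakeOwnership). The two literals are
# the raw GENERIC_WRITE and GENERIC_ALL bits, which can appear unmapped in ACEs.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::CreateFiles -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor
             0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Machine-scope PATH only: this is the value a service running as SYSTEM inherits.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

$findings = foreach ($entry in ($machinePath -split ';')) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not $dir) { continue }

    # A PATH entry that does not exist deserves review too: whoever can create
    # it later controls its contents.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'directory does not exist' }
        continue
    }

    foreach ($ace in (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs apply to children, not to the directory itself.
        $inheritOnly = ([int]$ace.PropagationFlags -band 2) -ne 0
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        # Resolve the SID to a name for the report; fall back to the raw SID.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.IdentityReference.Value }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No machine PATH directory is writable by a non-trusted principal.' }
```

Any row in the output is a PATH directory to remove from the machine PATH or re-ACL, independent of whether the Toolbox update to 7.3 has been applied.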

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
