Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Security Advisory: Dell Foundation Services Remote Information Disclosure (II)
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Security Advisory: Dell Foundation Services Remote Information Disclosure (II)

joepie91joepie91 Member, Patron Provider

Round two three four!

Dell Foundation Services starts an HTTPd that listens on port 7779. The previous service tag leak was fixed by removing the JSONP API.

However, the webservice in question is still available; it is now a SOAP service, and all methods of that webservice can be accessed, not just the ServiceTag method.

One of the methods accessible is List GetWmiCollection(string wmiQuery) - this returns the results of a given Windows Management Instrumentation (WMI) query, enabling access to information about hardware, installed software, running processes, installed services, accessible hard disks, filesystem metadata (filenames, file size, dates) and more.

So yeah, they've made it worse. Figured people here would like to know :)

More: http://lizardhq.org/2015/12/01/dell-foundation-services.2.html

Thanked by 2netomx Carpe

Comments

  • What servers would this be on? IDrac?

  • joepie91joepie91 Member, Patron Provider

    @Mun said:
    What servers would this be on? IDrac?

    Ah, I should've been clearer about that, I guess. The issues with Dell Foundation Services have been found on laptops - I don't know whether it affects servers at all. It's the same class of issues as the two rogue certificates and the service tag leak.

  • Great. My server is also a dell one on windows. Idrac6 is beneath windows.

    Thanked by 1netomx
  • @joepie91 said:
    Ah, I should've been clearer about that, I guess. The issues with Dell Foundation Services have been found on laptops - I don't know whether it affects servers at all. It's the same class of issues as the two rogue certificates and the service tag leak.

    Thanks for the clarification, I don't personally have any dell laptops so I don't think I am affected. "yeah!"

  • netomxnetomx Moderator, Veteran

    Fuck

  • KuJoeKuJoe Member, Host Rep

    I'm more concerned about the complete lack of information about "Dell Foundation Services" both on Dell's website and Google in general. I found a thread about people asking what it was on Dell's forums and through piecing together a bunch of posts from people essentially reverse engineering some things I was able to figure out it doesn't appear to be server related and is limited to Windows OSes. Thanks Dell! Love your servers but hate your (lack of) documentation!

  • GM2015 said: Great. My server is also a dell one on windows. Idrac6 is beneath windows.

    If you've used an image provided by dell or their automatic driver installation program, you're infected with the described malware.

    Thanked by 1GM2015
  • Who doesn't rip all this crap out of the OS immediately after setup?

    Thanked by 1gsrdgrdghd
  • Will re-install OS on a Dell lappie asap. Thx!

  • tehdan said: Who doesn't rip all this crap out of the OS immediately after setup?

    Some shit (like the SSL certificate provided by Superfish malware or eDellRoot malware) will be left behind if the host program is installed.

  • Rallias said: Some shit (like the SSL certificate provided by Superfish malware or eDellRoot malware) will be left behind if the host program is installed.

    First step when buying a new computer with OEM Windows installed is always formatting it (and removing any vendor partitions) and installing a proper Windows or Linux.

    Thanked by 1geekalot
  • This is why you don't just run Windows ...

  • oh dear, I agree with @singsing on something :)

    Thanked by 1geekalot
  • varwwwvarwww Member
    edited December 2015

    Can you give an example on how to use this?

    wmic('','');

    An example with 127.0.0.1 ? Want to try this out on my friends IP and freak him out :P

Sign In or Register to comment.