Remote Code Execution Found on Dell Computers
When Bill Demirkapi was on the lookout for a new computer, he decided on Dell’s G3 15 laptop.
"I decided to upgrade my laptop’s 1 terabyte hard drive to an SSD," writes Bill in his blog, titled 'Bill Demirkapi's Blog: The adventures of a 17 year old security researcher'. "After upgrading and re-installing Windows, I had to install drivers. This is when things got interesting. After visiting Dell’s support site, I was prompted with an interesting option."
That option was to 'Enter a Service Tag, Serial Number, Service Request, Model or Keyword' ... OR ... (let the Dell support website) 'Detect PC'
The second option piqued Bill's interest. He thought it 'suspicious that Dell claimed to be able to update my drivers through a website', so he 'opened the Chrome Web Inspector and the Network tab and pressed the "Detect Drivers" button.'
From there Bill delved into the workings of his laptop, where, after much snooping around, he came across a Remote Code Execution vulnerability.
We'd love to go into the full detail of how Bill discovered this vulnerability, but he has done a splendid job of detailing his journey (using many screen grabs) in his blog, which can be read HERE.