[VulnWatch] Dell TrueMobile Wireless Help Privilege Escalation Vulnerability
- To: <vulnwatch@vulnwatch.org>
- Subject: [VulnWatch] Dell TrueMobile Wireless Help Privilege Escalation Vulnerability
- From: Ian Vitek <ian.vitek@sigtrap.org>
- Date: Sun, 22 Feb 2004 12:33:04 +0100 (CET)
Dell TrueMobile Wireless Help Privilege Escalation Vulnerability
================================================================
Overview
--------
Successful exploitation elevates a local user's rights to SYSTEM. This may only
be considered a threat on a multi-user system (Terminal Services, Citrix or a
public computer).
Verified systems
----------------
Windows XP and Dell TrueMobile 1300 WLAN Mini-PCI Card Utility Tray Applet
Version 3.10.39.0.
Other operating systems and versions may be vulnerable.
Description
-----------
The SYSTEM rights are not dropped when the Dell TrueMobile Wireless Help is
opened from the systray applet. Right-clicking the applet, choosing
Help -> Help Files and then, from within the help, using Jump to URL with
C:\WINDOWS\SYSTEM32\CMD.EXE gives you SYSTEM privileges. You can also gain
SYSTEM privileges by right-clicking and choosing Help -> About: clicking on a
link there starts Internet Explorer with SYSTEM privileges. Programs started
from the web browser do not get their privileges dropped.
Vendor contacts
---------------
Feb 21 2004 02:08
From: csd at dell dot com
To: dell at sigtrap dot org
"Please ensure that your customer account or order/invoice number
is included with your reply."
Feb 21 2004 02:52
From: dell at sigtrap dot org
To: uscemcsd1 at dell dot com
"You (Dell) have a security problem in your (Dell's) software.
Detailed description below.
I don't have any problem.
If you (Dell) want to close this case, please do, but contact me ( dell at
sigtrap dot org ) first."
Feb 21 2004 15:54
From: csd at dell dot com
To: dell at sigtrap dot org
"I apologize, but I am unable to locate your account under this
e-mail address."
Dell tracking number: AT20040220_0000021076
Credit
------
Discovered by Ian Vitek
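
A detection sketch for the behaviour described above, added here as an example
and not part of the original advisory: it walks process-creation events and
flags help viewers or browsers running as SYSTEM, plus every SYSTEM child they
start. The event layout, the viewer image names (hh.exe, winhlp32.exe) and the
placeholder "trayapp.exe" are assumptions; the advisory names only CMD.EXE and
Internet Explorer.

```python
import ntpath

# Assumed image names: stock Windows help viewers plus Internet Explorer.
UI_IMAGES = {"hh.exe", "winhlp32.exe", "iexplore.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed sample events (not from the advisory), in creation order.
# Field names follow Sysmon process-creation records; "trayapp.exe" is a
# placeholder because the advisory does not give the applet's file name.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 400, "Image": r"C:\Program Files\Vendor\trayapp.exe", "User": SYSTEM_USER},
    {"ProcessId": 1312, "ParentProcessId": 1200, "Image": r"C:\WINDOWS\hh.exe", "User": SYSTEM_USER},
    {"ProcessId": 1388, "ParentProcessId": 1312, "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE", "User": SYSTEM_USER},
    {"ProcessId": 1420, "ParentProcessId": 1200, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": SYSTEM_USER},
    {"ProcessId": 1456, "ParentProcessId": 1420, "Image": r"C:\WINDOWS\system32\notepad.exe", "User": SYSTEM_USER},
    {"ProcessId": 2000, "ParentProcessId": 1900, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"LAB\alice"},
    {"ProcessId": 2010, "ParentProcessId": 2000, "Image": r"C:\WINDOWS\system32\cmd.exe", "User": r"LAB\alice"},
]


def find_system_ui_chains(events):
    """Return (pid, image, reason) for interactive UI programs running as
    SYSTEM and for every SYSTEM descendant started from them."""
    tainted = {}   # pid -> image name of the SYSTEM UI program at the chain root
    findings = []
    for ev in events:
        name = ntpath.basename(ev["Image"]).lower()
        pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
        if ev["User"].upper() != SYSTEM_USER:
            tainted.pop(pid, None)   # a reused PID under a normal user is clean
            continue
        if name in UI_IMAGES:
            tainted[pid] = tainted.get(ppid, name)
            findings.append((pid, name, "interactive UI program running as SYSTEM"))
        elif ppid in tainted:
            tainted[pid] = tainted[ppid]   # privileges were not dropped for the child
            findings.append((pid, name, "SYSTEM child of " + tainted[ppid]))
        else:
            tainted.pop(pid, None)
    return findings


if __name__ == "__main__":
    for finding in find_system_ui_chains(SAMPLE_EVENTS):
        print(finding)
```

The same browser and shell started under an ordinary account (the last two
sample events) produce no finding; only the SYSTEM chains are reported.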