Dell TrueMobile Wireless Help Privilege Escalation Vulnerability

[Ian Vitek <ian.vitek () sigtrap org>]

Dell TrueMobile Wireless Help Privilege Escalation Vulnerability
================================================================

Overview
--------
Successful exploitation elevates the local user rights to SYSTEM. This may only be considered a threat on a multi user 
system (Terminal Services, Citrix or a public computer).

Verified systems
----------------
Windows XP and Dell TrueMobile 1300 WLAN Mini-PCI Card Utility Tray Applet Version 3.10.39.0.
Other operating systems and versions may be vulnerable.

Description
-----------
The SYSTEM rights are not dropped when accessing the Dell TrueMobile Wireless Help from the systray applet. By right 
clicking and choosing Help -> Help Files and then from the help; Jump to URL C:\WINDOWS\SYSTEM32\CMD.EXE, gives you 
SYSTEM privileges. You can also gain SYSTEM privileges by right clicking and choosing Help -> About. By clicking on a 
link, Internet Explorer will start with SYSTEM privileges. Programs started from the web browser do not get their 
privileges dropped. 

Vendor contacts
---------------
Feb 21 2004 02:08
From: csd at dell dot com
To: dell at sigtrap dot org
"Please ensure that your customer account or order/invoice number
is included with your reply."

Feb 21 2004 02:52
From: dell at sigtrap dot org
To: uscemcsd1 at dell dot com
"You (Dell) have a security problem in your (Dells) software.
Detailed description below.
I don't have any problem.
If you (Dell) want to close this case, please do, but contact me ( dell at sigtrap dot org  ) first."

Feb 21 2004 15:54
From: csd at dell dot com
To: dell at sigtrap dot org
"I apologize, but I am unable to locate your account under this
e-mail address."

Dell tracking number: AT20040220_0000021076

Credit
------
Discovered by Ian Vitek