Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

One-Click RCE in ASUS’s Preinstalled Driver Software

Mr Bruh, posted 9 months ago
  • The author of this post bought an ASUS motherboard for their PC. Under the hood, it installed a bunch of software into the OS. One of these pieces of software was DriverHub, whose job is installing software from driverhub.asus.com via a background process.
  • The website uses RPC to talk to a background process running on the system. That process hosts a local service on 127.0.0.1, port 53000. Since any website you visit can make requests to 127.0.0.1 on your own machine, this was a pretty interesting attack surface: the ability to install arbitrary software would be pretty cool!
  • The driver had a check to ensure the Origin was set to driverhub.asus.com. However, the origin check was flimsy: it appeared to be a startsWith check, so driverhub.asus.com.mrbruh.com was also accepted as a valid origin. After a long while of reverse engineering the .exe, they found a list of callable functions, including InstallApp and UpdateApp. UpdateApp takes a URL (again poorly validated) and runs any executable signed by ASUS. The signature check likely means that RCE isn't possible directly.
  • The way UpdateApp works has some nuances though. Here's the flow:
    1. It saves the file under the name given at the end of the URL.
    2. If the file is signed by ASUS, it is executed with admin permissions.
    3. If the file fails the signing check, it does NOT get deleted.
  • The author looked into the packaging of the WiFi driver. It contained a ZIP file with an executable, a command script and a configuration file. The AsusSetup.exe from this package is a signed installer that uses the other components inside the ZIP file to install things. Based on the information in the configuration file, it would execute SilentInstallRun without any signature checks. Additionally, adding the -s flag meant it did not even pop up an installation dialog.
  • Here's the full exploit:
    1. Create a website with the domain driverhub.asus.com.* .
    2. The website calls UpdateApp to download a binary. This is not executed right away.
    3. Call UpdateApp again with a custom AsusSetup.ini file.
    4. Call UpdateApp one final time to trigger the vulnerability.
  • Overall, a great find and a solid bug report!
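To make the origin-check point concrete, here is an added Python example (not code from the write-up or from ASUS's software) showing the prefix-style check the summary describes beside a hardened exact-match check. The trusted host name and the assumption that the Origin header is just scheme://host[:port] are taken from the summary above; the sample origins are constructed.

```python
from urllib.parse import urlsplit

# Trusted origin as described in the write-up (assumption: HTTPS on the default port).
TRUSTED_HOST = "driverhub.asus.com"
TRUSTED_SCHEME = "https"


def origin_allowed_weak(origin: str) -> bool:
    """Prefix check like the one the write-up describes.

    Anything that merely begins with the trusted origin passes, so an
    attacker-registered name such as driverhub.asus.com.mrbruh.com is accepted.
    """
    return origin.startswith(f"{TRUSTED_SCHEME}://{TRUSTED_HOST}")


def origin_allowed_strict(origin: str) -> bool:
    """Hardened check: parse the Origin value and require an exact match.

    An Origin header is only scheme://host[:port]; any path, query,
    fragment, userinfo, or non-default port means it is not the trusted
    page, so it is rejected rather than guessed at.
    """
    parts = urlsplit(origin)
    if parts.scheme != TRUSTED_SCHEME:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    if parts.port is not None and parts.port != 443:
        return False
    # urlsplit lower-cases the host, so a mixed-case trusted origin still matches.
    return parts.hostname == TRUSTED_HOST


if __name__ == "__main__":
    # Constructed sample Origin values, including the bypass shape from the summary.
    samples = [
        "https://driverhub.asus.com",
        "https://driverhub.asus.com.mrbruh.com",
        "https://driverhub.asus.com@evil.example",
        "http://driverhub.asus.com",
        "null",
    ]
    for o in samples:
        print(f"{o:45} weak={origin_allowed_weak(o)!s:5} strict={origin_allowed_strict(o)}")
```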