Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stealing weapons from the Armoury - 637

AP Tortellini, posted 4 years ago
  • Armoury Crate is an app that can be used to configure, connect and control ROG gaming products. This product can be used to customize RGB lighting and many other parts of the system.
  • The author knew this program ran with very high privileges. As a result, they wanted to see if they could find a privilege escalation vulnerability. In particular, they started looking for DLL Hijacking vulnerabilities.
  • When looking for DLL hijacking bugs, procmon is a great tool, as it can be used to filter different calls and results. A CreateFile call with a "NO SUCH FILE" or "PATH NOT FOUND" result could potentially be a bug.
  • If the process is running with high privileges and cannot find the DLL, then we can add our own to the search path. This will then be loaded into the binary, resulting in code execution in the context of the application.
  • This DLL hijacking vulnerability exists in the application for two reasons. The first is that the DLLs were not cryptographically signed, and their signatures were not validated.
  • The second is that the ACLs (access control lists) for the directory C:\ProgramData\ASUS\GamingCenterLib\ were not properly configured. The DLL search goes through multiple directories (including ProgramData) once it cannot find the original DLL.
  • From both of these bugs, it was possible to add a DLL to the C:\ProgramData\ASUS\GamingCenterLib\ directory.
  • An interesting note was that the author enabled Options -> Enable Boot Logging in ProcMon to see the loading process of the binary. Otherwise, they may not have found the bug.
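A small triage script for the Procmon workflow the summary describes, added here as an example and not code from the original post: it reads a Procmon CSV export, keeps CreateFile calls on .dll paths that ended in NAME NOT FOUND or PATH NOT FOUND (Procmon's result strings for a missing file), and flags probes outside the default-protected system directories for an ACL review. The process name, DLL name and log rows in the sample are constructed placeholders.

```python
import csv
import io
from typing import Dict, List

# Procmon result strings for a CreateFile that found nothing at the path.
MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}

# Locations whose default ACLs block non-admin writes. A probe anywhere
# else (ProgramData, PATH entries, user profile) needs a manual ACL check.
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                      r"c:\program files")

# Constructed Procmon CSV export (File -> Save -> CSV); the process and
# DLL names are placeholders, not values from the original post.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:00.0000001","GamingCenter.exe","1234","CreateFile","C:\Windows\System32\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:00.0000002","GamingCenter.exe","1234","CreateFile","C:\ProgramData\ASUS\GamingCenterLib\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:00.0000003","GamingCenter.exe","1234","CreateFile","C:\ProgramData\ASUS\GamingCenterLib\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"9:01:00.0000004","GamingCenter.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"9:01:00.0000005","GamingCenter.exe","1234","RegOpenKey","HKLM\Software\Example","NAME NOT FOUND","Desired Access: Read"
'''


def find_dll_hijack_candidates(procmon_csv: str) -> List[Dict[str, object]]:
    """Return each .dll a process tried to open but could not find.

    Every hit records the process, the probed path and a 'review' flag
    that is True when the directory is not a default-protected one.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile" or row["Result"] not in MISSING:
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        hits.append({
            "process": row["Process Name"],
            "path": path,
            "review": not path.lower().startswith(PROTECTED_PREFIXES),
        })
    return hits


if __name__ == "__main__":
    for hit in find_dll_hijack_candidates(SAMPLE_CSV):
        flag = "CHECK ACL" if hit["review"] else "protected"
        print(f"{hit['process']}: {hit['path']} [{flag}]")
```

The "CHECK ACL" hits are the ones to verify with icacls; a directory writable by non-admin users on a privileged process's search path is the condition the post describes.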