00:00:00
one-click rce in ASUS's pre-installed
00:00:03
driver software. I saw this article. I
00:00:05
had to read it. Uh primarily because two
00:00:07
things. One, my motherboard fried a long
00:00:09
time ago and it was ASUS and I'm still
00:00:10
mad about it. But also two, I once again
00:00:12
went out and bought another ASUS
00:00:14
motherboard. So, I would like to know if
00:00:16
there is a remote code execution
00:00:18
vulnerability in the current setup that
00:00:20
I have in my studio. Let's dive right
00:00:22
in. Introduction. The story begins the
00:00:24
conversation about PC parts, about new
00:00:26
PC parts. I hope you're not getting it
00:00:28
for the Wi-Fi. Not particularly. I'll be
00:00:29
using the Wi-Fi though if needed. I
00:00:31
don't know a lot about mobos. After
00:00:33
ignoring the advice from my friend, I
00:00:35
bought a new ASUS motherboard for my PC.
00:00:37
I was a little concerned about having a
00:00:38
BIOS that would try to silently install
00:00:40
software into my OS in the back. Yeah,
00:00:43
that Yeah, but it could be turned off.
00:00:45
So, I figured I would just do that.
00:00:47
Yeah. So, this is one of those things
00:00:49
that I'm really not super into, but like
00:00:52
there are a lot of new motherboards that
00:00:54
come out that allow the user to just
00:00:57
have stuff put on the on the computer
00:00:59
like without you asking. And like what
00:01:01
it's just it's weird because like
00:01:03
obviously the BIOS is a lower ring than
00:01:06
your OS. So, like it's allowed to do
00:01:08
that. But the fact that it does do this
00:01:10
and like in your BIOS you can just like
00:01:12
turn it on like install applications for
00:01:14
me when I'm not looking is like super
00:01:15
weird. Now guys, I can assure you the
00:01:17
story today is pretty good. But an even
00:01:19
cooler story is the one from the sponsor
00:01:21
of today's video. It's me. Guys, I
00:01:24
honestly believe that if you're a
00:01:25
programmer trying to write fast,
00:01:27
effective code or you're a cyber
00:01:28
security professional trying to stop
00:01:30
your stuff from getting attacked, all of
00:01:31
these require you to know the basic
00:01:33
fundamentals of computers. My courses on
00:01:36
Low Level Academy teach you languages
00:01:37
like C, networking in C, threading in C,
00:01:40
assembly, and even a new installment,
00:01:42
Rust, to learn the basics of how
00:01:44
computers work. And Zero to Hero C
00:01:46
programming will teach you the basics of
00:01:47
the C programming language, the language
00:01:49
that runs all other languages. And you
00:01:51
can even learn arrays in C right now for
00:01:53
free. Go check that lesson out. If you
00:01:54
want to learn assembly, my ARM load
00:01:56
operations lesson is also free. And I
00:01:59
also have a free 3-day Course that you
00:02:02
can check out right here on the landing
00:02:03
page. Guys, if you want to be a good
00:02:05
programmer, you got to know the
00:02:06
fundamentals. And where do you learn the
00:02:08
fundamentals? On Low Level Academy. All
00:02:09
right, guys. Back to the video. See you
00:02:10
there. Immediately after logging on to
00:02:12
Windows, I was hit with a notific I'm
00:02:14
actually curious. How does this even
00:02:15
work? Like how how does it hook the OS
00:02:17
on the way up to like do this? Like
00:02:19
where does that process happen? That's
00:02:20
very interesting. Immediately after
00:02:22
logging into Windows, I was hit with a
00:02:24
notification requesting admin
00:02:25
permissions to complete the installation
00:02:27
of ASUS driverhub. Because I forgot to
00:02:29
change the BIOS option. Oh yikes. So he
00:02:32
didn't even turn this off. It just
00:02:33
happened automatically. Since I needed
00:02:34
to get a Wi-Fi driver for the
00:02:36
motherboard anyway, I got curious and
00:02:38
installed it. Uh would you like to
00:02:40
install the Armoury Crate and LAN driver?
00:02:42
Uh funny story actually. I have this
00:02:44
installed right now. I'm probably going
00:02:45
to go disable this real quick. BRB. I
00:02:48
don't have a screenshot of Driver Hub,
00:02:50
but it showed up like a popup exactly
00:02:52
like this in the bottom right hand of my
00:02:53
screen. Dude, this reminds me of like
00:02:55
when you were a kid if you would if you
00:02:57
deleted something or like like Empire
00:02:59
Earth wouldn't run. It said like you
00:03:01
can't find DirectX329.
00:03:04
DLL. So, you would go and Google like uh
00:03:06
DirectX329.
00:03:08
DL download and you would get some
00:03:10
sketchy like, "Oh, go to dlfiles.com and
00:03:14
install our DL installer." Like that
00:03:16
kind of It looks It looks exactly
00:03:18
like that. It It looks like one of those
00:03:21
sketchy freaking websites. That's crazy.
00:03:23
Okay, DriverHub is an interesting piece
00:03:25
of driver software because it doesn't
00:03:27
have any GUI. Instead, it's just a
00:03:29
background process that communicates
00:03:30
with the website driverhub.asus.com
00:03:33
and tells you what drivers to install
00:03:35
for your system and which ones need
00:03:37
updating. Naturally, I wanted to know
00:03:39
more about how this website knew what
00:03:40
drivers my system needed and how I was
00:03:42
installing them. So, I cracked open the
00:03:44
Firefox network tab. And as expected,
00:03:46
the website uses RPC to talk to the
00:03:48
background process running on my system.
00:03:50
This is where the background process
00:03:52
hosts an HTTP or websocket service
00:03:54
locally, which a website or service can
00:03:57
connect to by sending an API request to
00:04:00
127.0.0.1:53000.
00:04:02
Yo. Okay. So immediately
00:04:06
immediately. Yeah, this guy my hacker
00:04:08
senses are tingling. Mine mine are
00:04:09
tingling too. Like if you just have an
00:04:12
RPC daemon that the web browser can
00:04:15
access that screams vulnerabilities to
00:04:18
me. Now ideally they're doing some kind
00:04:20
of sanitization and like SSL TLS
00:04:23
certificate pinning so that like not
00:04:24
anybody can talk to that daemon. But
00:04:27
immediately this is not smelling good to
00:04:29
me. All right. This is a very sketchy
00:04:32
way to design driver management
00:04:33
software. Yeah, it is. As what the hell
00:04:35
are you doing? If the RPC isn't properly
00:04:37
secured, it can be weaponized by an
00:04:38
attacker to install malicious
00:04:40
applications. Yeah. So, again, like he
00:04:42
he and I are on the same page here. This
00:04:43
is crazy. Finding the
00:04:45
vulnerability. Okay, so there there was
00:04:47
a bug. Oh god. I mean, obviously he
00:04:49
wrote an article, so like you wouldn't
00:04:50
just write it about nothing, but still.
00:04:51
The next step was to see if I could call
00:04:53
the RPC from any website. This was
00:04:55
replicated by copying the request from
00:04:57
my browser as a curl command and pasting
00:04:59
it into my terminal. After fiddling with
00:05:00
variations of the command for a while,
00:05:02
my assumptions were confirmed. DriverHub
00:05:04
only responded to requests with the
00:05:06
origin header set to driverhub.asus.com.
00:05:09
So, at least the website wasn't completely
00:05:10
busted and evil, hackers can't just send
00:05:12
requests to driverhub willy-nilly. I
00:05:14
mean, sure, but like an origin check
00:05:15
isn't super good either because like if
00:05:17
there's not any certificate pinning on
00:05:19
this, anybody could set their origin to
00:05:21
be anything. You could just like do a
00:05:22
DNS spoofing or like there's a lot of
00:05:24
ways you could get around that. However,
00:05:25
I wasn't done yet. Yeah, I hope not.
00:05:26
Presumably, the program checks the
00:05:28
origin is driverhub.asus.com
00:05:30
and if so, it accepts the RPC request.
00:05:32
What I did next was see if the program
00:05:34
did a direct comparison like origin
00:05:36
equals or if it was a wildcard like
00:05:39
origin.includes. Oh no. When I when I
00:05:43
switched the origin to
00:05:44
driverhub.asus.com.mrbruh.com
00:05:47
Who is this? Is MrBruh this guy?
00:05:49
Oh, I'm literally on mrbruh.com. Okay, I
00:05:51
understand now. It allowed my request,
00:05:54
brother. No way, man. Oh, no, dude.
00:06:01
There's this thing in software where I
00:06:04
think like, oh, if they're writing UEFI
00:06:07
firmware, if they're releasing
00:06:10
motherboards, and obviously they're
00:06:12
skilled programmers, and obviously
00:06:14
they're going to know like security
00:06:16
principles and like the basics of
00:06:19
setting boundaries in software, but
00:06:20
using a wild card on an origin header is
00:06:23
just like, guys, are we are are we what
00:06:27
are we are we trying or what? It was
00:06:29
obvious now there was a serious threat.
00:06:31
The next step was to determine how much
00:06:32
damage was possible. Yeah. So
00:06:34
effectively there's no authentication on
00:06:36
this RPC daemon, he can just arbitrarily
00:06:39
set his origin header to something that
00:06:41
contains this and bada bing bada boom,
00:06:44
he gets to talk to the RPC. The extent
00:06:46
of the damage by trolling through the
00:06:48
JavaScript on the website and about 700k
00:06:49
lines of decompiled code that an exe
00:06:51
produced, I managed to create a list of
00:06:53
callable endpoints, including some
00:06:54
unused ones sitting in the .exe. So
00:06:57
these are all endpoints, I guess. So,
00:06:58
initialize. This command is used for the
00:07:00
website to check if the software is
00:07:01
installed and returns basic installation
00:07:03
information. Uh, device info. This
00:07:04
returns all installed ASUS software, all
00:07:07
installed CIS drivers, all your hardware
00:07:09
components, and your MAC address, bro.
00:07:11
And again, like this is the weird thing
00:07:14
with diagnostic software or like debug
00:07:16
information. It's like, okay, is this
00:07:19
spyware or is this diagnostics? Again,
00:07:22
I'm an This is why I largely
00:07:24
disable any kind of telemetry from any
00:07:26
piece of software ever. Like Steam wants
00:07:28
to do like, "Oh, can we do like a
00:07:29
hardware survey on your on your computer
00:07:31
to figure out what graphics card you
00:07:32
have?" Absolutely not, Valve. off.
00:07:35
Nope. And then reboot. This reboots
00:07:37
target device immediately without
00:07:38
confirmation. That's that's something.
00:07:41
Oh, and there's an rce button. He So,
00:07:43
just for for the group, right? If you're
00:07:44
if you've lost track, he made this
00:07:46
website. This isn't actually real, but
00:07:48
this is him writing his own website so
00:07:51
that he can interact with the backend
00:07:52
RPC. So, I'm assuming he got rce. Well,
00:07:55
actually the article is literally called
00:07:56
one click rce. So I mean he did, right?
00:07:58
This is a button that enables him to do
00:07:59
it. Okay, log. This returned a zip copy
00:08:02
of all driverhub logs. Install app.
00:08:08
Okay,
00:08:10
this installs an app or driver by its
00:08:12
ID. The ids for all the apps are
00:08:14
hardcoded in an XML file which is
00:08:16
provided by the driverhub installer.
00:08:18
Okay, so there is at least some layer of
00:08:19
sandboxing, right? It's not like, oh,
00:08:21
install app, give it a URL, it'll pull
00:08:24
down an .exe and run the .exe. Update
00:08:26
app. This self-updates DriverHub using a
00:08:29
provided file URL to download and run.
00:08:32
Oh, okay. So, like install app doesn't,
00:08:34
but if you want to update driverhub, you
00:08:37
can just give it the URL. Hold on.
00:08:39
Achieving rce. I became fixated on the
00:08:41
update app endpoint for a variety of
00:08:43
reasons. So I spent a few hours
00:08:45
exploring the code in Ghidra and hitting
00:08:47
it with various curl requests to learn
00:08:48
the intricacies of how it behaves. A
00:08:50
request to the endpoint looks like this.
00:08:52
Curl the RPC endpoint, asus v1 update app,
00:08:56
raw data list URL
00:08:58
driverhub.asus.com/app.exe.
00:09:00
Okay. Uh that makes sense. So you're
00:09:02
asking the RPC endpoint to update
00:09:04
driverhub with some application. Okay.
00:09:06
And hopefully they're checking that the
00:09:08
application is signed. Let's see. Here
00:09:10
were the observations I had made about
00:09:11
the update app function at that point.
00:09:13
The URL parameter must contain .asus.com.
00:09:16
But unlike the RPC origin check, it
00:09:18
allows stupidity like example.com/
00:09:21
payload.exe?foo=.asus.com. Brother
00:09:25
Bill, man. There's no way. There's no
00:09:27
way they're doing like a regex .* re
00:05:29
like a regex for ASUS. I mean, they are,
00:09:32
but that's crazy. It saves a
00:09:35
file with the file name specified at the
00:09:37
end of the URL. Any file with any
00:09:39
extension can be downloaded. Insane. If
00:09:42
the file is an executable signed by
00:09:44
ASUS, it will be automatically executed
00:09:46
with admin permissions. Oh, okay. Signed
00:09:48
by ASUS. Good. That's a good thing. It
00:09:50
will run any executable signed by ASUS,
00:09:52
not just a DriverHub installer. That is
00:09:54
weird, you know. I mean, like it makes
00:09:56
sense because like ASUS is the one
00:09:57
running this. So, the privilege boundary
00:09:59
is ASUS, but still weird. If a
00:10:01
downloaded file fails a signing check,
00:10:03
it does not get deleted. Ooh. Ooh. Ooh.
00:10:07
Okay. Hold on. When I learned that
00:10:09
DriverHub validates a signature of the
00:10:11
executable, I suspected an rce may no
00:10:13
longer be possible. However, I soldiered
00:10:15
on regardless. Yes, baby, don't let
00:10:17
valid cryptography get in your way.
00:10:18
There are always workarounds. My first
00:10:20
thought was potentially a timing attack
00:10:22
where I tell DriverHub to install a
00:10:24
valid executable and after it validates
00:10:26
a signature, but just before it installs
00:10:28
the .exe, I swap it out with a malicious
00:10:30
executable. Ooh, like a time of check,
00:10:33
time of use in the signing. Interesting.
00:10:36
I theorize this could be possible by
00:10:37
making two app update requests in
00:10:39
parallel with the malicious update being
00:10:41
just after the legitimate one. Yeah,
00:10:43
that's great. However, timing attacks
00:10:45
need to be precisely timed and
00:10:47
having that timing being affected by
00:10:48
files needed to be downloaded made it a
00:10:50
very unreliable option. Given that I
00:10:52
decided to take a step back and think if
00:10:54
there were any other options. I mean
00:10:56
this is good though. Like if he could
00:10:58
predict the size of the two files and
00:11:00
figure out what the timing delta was
00:11:02
based on size, he could download the
00:11:04
ASUS signed app and as it was beginning
00:11:07
to run, the other app comes in off the
00:11:09
wire, replaces that application and then
00:11:11
the first thread context executes that
00:11:13
first application, right? It's a
00:11:15
traditional time of check, time of use.
00:11:16
If the access to that first .exe is not
00:11:19
locked, right, with some kind of like
00:11:21
like synchronization primitive, um you
00:11:23
could do that 100%. Obviously, it's
00:11:25
harder to do than what he eventually
00:11:26
found, I'm guessing. But still really
00:11:27
interesting. Eventually, I was led back
00:11:29
to the standalone Wi-Fi driver I was
00:11:31
going to install all along. The driver
00:11:33
was distributed in the following zip
00:11:34
file. Yeah, don't forget guys, this
00:11:36
whole this whole saga was just this guy
00:11:38
trying to figure out a way to get Wi-Fi
00:11:40
to work on his mobo. So, that's that's
00:11:41
pretty crazy. Okay, the files of
00:11:43
importance here are AsusSetup.ini and
00:11:46
SilentInstall.cmd. When executing Asus
00:11:49
Setup.exe, it first reads AsusSetup.ini,
00:11:51
which contains metadata about the
00:11:53
driver. I took interest in a property in
00:11:55
the file, SilentInstallRun. When you
00:11:57
double-click AsusSetup.exe, it launches
00:11:59
a simple GUI installer thing. But if
00:12:02
you run AsusSetup with the -s flag,
00:12:05
driverhub calls it to do a silent
00:12:07
install. It will execute whatever is
00:12:10
specified in SilentInstallRun. In this
00:12:13
case, the ini file specifies a command
00:12:15
script that performs an automated
00:12:17
headless install of the driver, but it
00:12:18
could run anything. No way. Okay. Yeah.
00:12:22
Yeah. So what he can do download this
00:12:25
custom AsusSetup, anything, and it will run
00:12:28
whatever is in this path. That's nuts.
00:12:30
Okay. So let's go through this. Visit a
00:12:32
website. Yeah. So you have to match
00:12:33
their stupid origin request header
00:12:35
thing. Download via the update app
00:12:37
through the browser the script for
00:12:40
AsusSetup.ini, and AsusSetup.ini will silently
00:12:43
run calc.exe. And when you make that
00:12:46
request it'll pull down a signed file
00:12:48
but it'll also pull down that ini with
00:12:50
admin per with admin permissions. Holy
00:12:52
RCE.
00:12:55
Bada boom. He popped the calc. Crazy
00:12:57
behavior. That's nuts. That is nuts.
00:13:00
Okay. Timeline reporting. We got to give
00:13:01
credit to ASUS. How quickly did they fix
00:13:03
this? So, he found it on April 7th.
00:13:06
Damn. He uses communist time stamps.
00:13:08
It's crazy. Okay. Found the initial bug.
00:13:10
Got the rce. Reported it same day. Good
00:13:12
for him. Automated response from ASUS on
00:13:14
the 9th. Nine days later, he got a
00:13:16
follow-up from a human. Confirmed the
00:13:18
fix the day after. Okay. So, he had a
00:13:20
9-day turnaround. Then he got two. Wow,
00:13:22
two CVEs, one was a 9.4. What's the What
00:13:24
does the actual write up on this? The
00:13:25
issue is limited to motherboards. Feels
00:13:27
weird because this could affect a lot of
00:13:28
other software, but let's see. Let's see
00:13:29
what he has to say. Assessing the
00:13:30
damage. Uh, almost immediately after
00:13:32
reporting the the rce to ASUS, I wrote a
00:13:34
script to track certificate transparency
00:13:36
updates on my VPS to see if anyone else
00:13:38
had registered a domain with the wild
00:13:40
card. Okay. From looking at other
00:13:42
websites with that log, I could see the
00:13:45
domains and subdomains would already
00:13:46
appear in the logs usually within a
00:13:47
month. After a month of waiting, I'm
00:13:48
happy to say that my test domain is the
00:13:50
only website that fits that regex,
00:13:52
meaning it is unlikely that this was
00:13:54
being actively exploited prior to my
00:13:55
reporting of it. Good. That's good to
00:13:56
hear. Kind of scary this probably sat
00:13:58
out for so long, but I'm happy to hear
00:14:00
that nothing uh nothing scary happened.
00:14:02
Bug bounty. I asked ASUS if they offered
00:14:04
bug bounty programs. They responded
00:14:06
saying they do not, but they would
00:14:07
instead put my name in their hall of
00:14:09
fame. This is understandable since ASUS
00:14:11
is just a small startup and like wait, I
00:14:14
thought, isn't ASUS a huge company? Oh,
00:14:17
he's he's being a jokester, bro. Market
00:14:20
cap of nearly $16 billion. And bro got a
00:14:24
shout out. Hold on. And he got a shout
00:14:28
out on the hall of fame. MrBruh, April
00:14:31
2025.
00:14:34
You hate to see it, dude. That's crazy
00:14:35
as hell. Fun notes. After publishing the
00:14:38
article, another security researcher
00:14:39
reached out. It turned out that they had
00:14:41
already reported the same origin check
00:14:42
issue back in February, and it took
00:14:43
until now for ASUS to fix it. Oh my god.
00:14:46
Okay, that's significantly worse than I
00:14:48
thought. Asus did not inform me of this,
00:14:50
so it felt a bit bad to be stung like
00:14:51
that. ASUS also solely credited that
00:14:53
security researcher on the CVE page. Oh, and
00:14:56
they didn't add them to the credit
00:14:57
section. Oh Okay, so he found this
00:14:59
bug but didn't get credit for the CVE.
00:15:00
That kind of sucks, man. When submitting
00:15:02
the vulnerability report through ASUS's
00:15:03
security advisory form, Amazon
00:15:05
CloudFront flagged the attached PoC as a
00:15:08
malicious request and blocked the
00:15:10
submission. Dude, oh my god. some it
00:15:15
just it's just crazy to me that like
00:15:17
this implies that whoever designed this
00:15:19
system to do the bug reporting didn't
00:15:22
test it or they're just not watching
00:15:24
their audit logs. Like both of those are
00:15:27
insane mistakes. So I had to strip some
00:15:29
of the PoC code out and link video
00:15:31
recordings instead. Ah man. That's
00:15:32
wild. If you click install all in Driver
00:15:34
Hub instead of manually clicking install
00:15:35
all on each of their recommended
00:15:37
drivers, it will also install Armoury
00:15:38
Crate, ASUS's custom CPU-Z, Norton 360,
00:15:42
and WinRAR. Yes, I I literally have
00:15:44
Armoury Crate on this computer in my
00:15:46
studio and I'll randomly have Norton
00:15:48
like appear on my computer. I'm like,
00:15:49
"Bro, I don't I don't want Norton. I I
00:15:51
would like to use Windows Defender alone
00:15:53
and Norton still appears and I have to
00:15:55
manually get rid of it every time."
00:15:56
Their CVE description for the RCE is a
00:15:58
little misleading. They say, "Yeah, no,
00:15:59
exactly. They had like this this thing.
00:16:01
The issue is limited to motherboards and
00:16:03
does not affect laptops, desktop
00:16:04
computers. However, this affects any
00:16:06
computer, including desktops and laptops
00:16:08
that have driver hub installed." Yeah,
00:16:10
this is not a motherboard issue. This is
00:16:12
nothing to do with motherboards, by the
00:16:13
way. This is literally if you have
00:16:14
driverHub installed, I'm saying hub so
00:16:16
much in this video. Um, you are
00:16:18
affected. Also, instead of them saying
00:16:20
it allows for arbitrary code execution,
00:16:22
they say it allows untrusted sources to
00:16:24
affect system behavior. That's nuts,
00:16:27
dude. It's like back in like 06 when
00:16:29
CVEs would come out and it would be like
00:16:31
Cisco IOS9 vulnerable to DoS by
00:16:35
malformed IPv4 packet. Like, yeah, dude,
00:16:38
it's a DoS, but like it could also be
00:16:40
rce. You know what I mean? Like, you're
00:16:42
hiding behind this weird verbiage. It's
00:16:43
the same thing here. Like, allowing
00:16:45
untrusted sources to affect your systems
00:16:47
behavior. Yeah, in the form of running
00:16:49
arbitrary binaries, you Like,
00:16:51
holy crap. My onboard Wi-Fi still
00:16:53
doesn't work. I had to buy an external
00:16:55
USB Wi-Fi adapter. Thanks for nothing,
00:16:58
DriverHub. Crazy stuff, guys. Yeah, man.
00:17:00
It's just I have this weird thing about
00:17:03
like UEFI developer people, people that
00:17:05
like make motherboards make this
00:17:07
firmware. In my head, because this stuff
00:17:08
is so complicated, like bootloaders
00:17:10
and like UEFI loaders and stuff, that
00:17:12
stuff is so hard to do. I think
00:17:14
intrinsically I'm like, "Oh, obviously
00:17:16
they're good developers. I mean, they
00:17:18
must know what they're doing." But then
00:17:19
you hear about this stuff and it's like,
00:17:20
okay, they're probably really really
00:17:21
good about telling you of like the
00:17:23
startup sequence for like an x64
00:17:25
processor, but the minute you get into
00:17:27
like security boundary land of like
00:17:29
preventing this daemon from being able to
00:17:31
affect this daemon, it just all that
00:17:33
goes out the window. The fact that it's
00:17:35
doing regex checks on the origin header
00:17:38
as like its main authentication is
00:17:40
crazy. I am impressed that they're doing
00:17:42
binary signing. Like they're checking to
00:17:44
see if the the binary that you download
00:17:46
is signed by ASUS, which like when I saw
00:17:49
this, I'm like, "Oh, okay. It's going to
00:17:50
be a nothing burger." But then this file
00:17:53
can just run arbitrarily anything. It's
00:17:55
just wild to me. Anyway, guys, if you
00:17:57
like these kinds of videos, do me a
00:17:58
favor. Hit that like button, hit
00:17:59
subscribe, and then go check out this
00:18:01
video about an even crazier story that I
00:18:04
once read. We'll see you there. Goodbye.