One-Click RCE in Asus's Preinstalled Driver Software

523 点作者 MrBruh14 天前

23 条评论

Responsible Disclosures and their consequences have been a disaster for the human race. Companies need to feel a lot more pain a lot more often in order for them to take the security of their customers a lot more serious. If you just give them month to fix an issue and spoon-feed them the solution it's just another ticket in their Backlog. But if every other security issue becomes enough news online that their CEOs are involved and a solution must be find in hours not month, they will become a lot more proactive. Of course it's the end users that would suffer most from this. But then again, they buy ASUS so they suffer already...

评论 #43953220 未加载

评论 #43952444 未加载

评论 #43952585 未加载

评论 #43952403 未加载

评论 #43952959 未加载

评论 #43953183 未加载

评论 #43952758 未加载

评论 #43957675 未加载

评论 #43955767 未加载

评论 #43954076 未加载

评论 #43962299 未加载

Gys14 天前

> I asked ASUS if they offered bug bounties. They responded saying they do not, but they would instead put my name in their “hall of fame”. This is understandable since ASUS is just a small startup and likely does not have the capital to pay a bounty.:(

评论 #43952600 未加载

评论 #43952523 未加载

评论 #43952584 未加载

评论 #43959294 未加载

GuestFAUniverse14 天前

Doesn't surprise me. Their software sucks and security wise they are repeat offenders considering the lack of prevention.<a href="https://www.techspot.com/news/95425-years-gigabyte-asus-motherboards-carried-uefi-malware.html" rel="nofollow">https://www.techspot.com/news/95425-years-gigabyte-asus-moth...</a><a href="https://www.reddit.com/r/ASUS/comments/tg3u2n/removing_bloatware/" rel="nofollow">https://www.reddit.com/r/ASUS/comments/tg3u2n/removing_bloat...</a><a href="https://www.reddit.com/r/ASUS/comments/ojsq80/nahimic_service_it_caused_a_lot_of_problems_with/" rel="nofollow">https://www.reddit.com/r/ASUS/comments/ojsq80/nahimic_servic...</a>

评论 #43952414 未加载

antmldr14 天前

>so I could see if anyone else had a domain with driverhub.asus.com.* registered. From looking at other websites certificate transparency logs, I could see that domains and subdomains would appear in the logs usually within a month. After a month of waiting I am happy to say that my test domain is the only website that fits the regex, meaning it is unlikely that this was being actively exploited prior to my reporting of it.This only remains true in so far as no-one directly registered for a driverhub subdomain. Anyone with a wildcard could have exploited this, silent to certificate transparency?

评论 #43952423 未加载

评论 #43952619 未加载

评论 #43952527 未加载

评论 #43959413 未加载

satyanash14 天前

> MY ONBOARD WIFI STILL DOESN’T WORK, I had to buy an external USB WiFi adapter. Thanks for nothing DriverHub.All this, for literally nought

评论 #43953089 未加载

评论 #43952883 未加载

josephcsible14 天前

> When submitting the vulnerability report through ASUS’s Security Advisory form, Amazon CloudFront flagged the attached PoC as a malicious request and blocked the submission.Reminder that WAFs are an anti-pattern: <a href="https://thedailywtf.com/articles/Injection_Rejection" rel="nofollow">https://thedailywtf.com/articles/Injection_Rejection</a>

liendolucas14 天前

> This is understandable since ASUS is just a small startup.A small startup with a marketcap of only 15 B. What is more than understandable is that you give a shit not only about your crappy products but the researcher that did a HUGE work for your customers.I truly feel bad for researchers doing this kind of work only to get them dismissed/trashed like this. So unfair.The only thing that is ought to be done is not to purchase ASUS products.

rkagerer14 天前

I asked ASUS if they offered bug bounties. They responded saying they do not, but they would instead put my name in their “hall of fame”. This is understandable since ASUS is just a small startup[1] and likely does not have the capital to pay a bounty.[1]: <a href="https://companiesmarketcap.com/asus/marketcap/" rel="nofollow">https://companiesmarketcap.com/asus/marketcap/</a>

评论 #43956148 未加载

sigmaisaletter14 天前

Obligatory "Scumbag Asus" video link:Invidious <a href="https://inv.nadeko.net/watch?v=cbGfc-JBxlY" rel="nofollow">https://inv.nadeko.net/watch?v=cbGfc-JBxlY</a>YouTube <a href="https://youtube.com/watch?v=cbGfc-JBxlY" rel="nofollow">https://youtube.com/watch?v=cbGfc-JBxlY</a>"ASUS emailed us last week (...) and asked if they could fly out to our office this week to meet with us about the issues and speak "openly." We told them we'd be down for it but that we'd have to record the conversation. They did say they wanted to speak openly, after all. They haven't replied to us for 5 days. So... ASUS had a chance to correct this. We were holding the video to afford that opportunity. But as soon as we said "sure, but we're filming it because we want a record of what's promised," we get silence."Edit: formatting

评论 #43952762 未加载

评论 #43952381 未加载

IshKebab14 天前

Wow, no bug bounty is insane. No more ASUS products for me...

评论 #43952184 未加载

评论 #43952166 未加载

sebstefan13 天前

>DriverHub only responded to requests with the origin header set to “driverhub.asus.com”. So at least this software wasn’t completely busted and evil hackers can’t just send requests to DriverHub willy-nilly.>When I switched the origin to driverhub.asus.com.mrbruh.com, it allowed my request.One more CVE to developers validating URLs in some silly wayYour language comes with a URL parser. Use it! You can't handle all the edge cases of the URL format by yourself.<pre><code> if ((new URL("https://user:password@driverhub.asus.com/whatever?q=whatever#whatever")).hostname === "driverhub.asus.com") { ... }</code></pre>

notorandit13 天前

> This is understandable since ASUS is just a small startup and likely does not have the capital to pay a bounty.ASUS is not a small startup. It simply and only minds the money they suck FROM customers. There is no other way around to push money TO customers.But the real point is: how much would be worth selling such an exploit to a malicious agent? Likely more than USD 0.00.But then again, ASUS doesn't mind about that. Sad truth.

评论 #43979340 未加载

cobalt6014 天前

MY ONBOARD WIFI STILL DOESN’T WORK, I had to buy an external USB WiFi adapter. Thanks for nothing DriverHub.I feel sorry for this guy, having deviated from the original issue. Though it'd only took a couple of seconds to note the WLAN chipset from specs or OEM packaging and then heading to station-drivers.This was also the very reason I dislike Asus, I don't want a BIOS flag/switch that natively interact with a component in OS layer.

rasz13 天前

> When submitting the vulnerability report through ASUS’s Security Advisory form, Amazon CloudFront flagged the attached PoC as a malicious request and blocked the submission.Reminds me of the time I reported SQL disclosure vuln to Vivaldi and their WAF banned my account for - wait for it - 'SQL injection attempt' so hard their admin was unable to unlock it :)

Avamander14 天前

A few of the drivers they install (or want to install) are also on Microsoft's vulnerable actively exploited driver blacklist. So that's fun, they have no intention of fixing it because they do not support "third party software". I'm also pretty sure their installer doesn't work without unencrypted HTTP traffic being let through. Plus they keep offering bloatware as "updates" to you.On top of it all, the software they offer is slow and buggy on brand-new hardware.But most of those issues also exist with AMD's or Gigabyte's drivers, most hardware vendors seem trashy like that. Like, if you install Samsung Magician (for their SSDs) then that even asks you if you're in the EEA (because of the privacy laws I suspect), it's absolutely crazy.Microsoft should make it *significantly* harder to ship drivers outside of Windows Update and they should forbid any telemetry/analytics without consent.I find Linux's hardware support model significantly nicer, although some rarer things do not work OOB, there's none of this bullshit.

评论 #43953642 未加载

评论 #43954112 未加载

评论 #43959047 未加载

ritcgab14 天前

This is really a well written blog post.The practice of "injecting pre-installed software through BIOS" is such a deal-breaker. Unfortunately this seems to be widely adopted by the major players in motherboard market.

tuetuopay13 天前

I still don't understand why vendors like Asus bother developing their own (crappy) driver installation tool. It's always bad, takes developer resources, for something that's handled way better by Windows Update.The cynical me imagines juicy telemetry to sell to advertisers.The realist me imagines time gains by not needing to go through Microsoft's driver update validation process (like companies keep linux drivers out-of-tree to not cleanup their code).It's probably both.

smileybarry14 天前

I like ASUS products but I disable the UEFI-installed support app every single time. IIRC it used to be a full ROG Armory Crate installation, which is really annoying to uninstall.When ASUS acquired the NUC business from Intel, they kept BIOS updates going but at some point a “MyASUS” setup app got added to the UEFI like with their other motherboards. Thankfully, it also had an option to disable and IIRC it defaults to disabled, at least if you updated the BIOS from an Intel NUC version.

serguzest13 天前

It is not just a mainboard issue. I had an asus mechanical keyboard. After I started using it, Windows kept installing software and background services in system that is a listening port. I kept deleted it manually and no matter I did, windows kept installing it without my consent. It was really annoying.

saghm13 天前

I have a similar model motherboard from ASUS in my desktop I had custom built a few years ago, and I've mostly just been annoyed that I have to have Windows installed to be able to even update the BIOS at all given that the previous one I had (which I think was also from them?) would just let me do it over ethernet if I booted directly into the BIOS setup menu. Now I have much larger concerns in addition to the risk of not updating as frequently seeming much larger...

评论 #43959609 未加载

cebert14 天前

I am assuming the timeline posted in this article is a year off, and the author means 2024 instead of 2025.

评论 #43955060 未加载

nexoft14 天前

I've read Acer for some reason, and was surprise and disappointed it is actually Asus.

ikekkdcjkfke14 天前

All our motherboards, the root of trust, are made in Taiwan. All props to their industriousnes and agility but there should be western alterntive in that can be purchased?