Full Report
The author of this post bought an ASUS motherboard for their PC. Under the hood, it installed a bunch of software into the OS. One of these pieces was DriverHub, whose job is installing software from driverhub.asus.com via a background process. The website uses RPC to talk to that background process, which hosts a local service on 127.0.0.1, port 53000. Given that any website can make requests to 127.0.0.1 on your local system, this was a pretty interesting attack surface; the ability to install arbitrary software would be pretty cool! The service had a check to ensure the Origin was driverhub.asus.com, but the check was flimsy: it appeared to be a startsWith check, so driverhub.asus.com.mrbruh.com was also accepted as a valid origin. After a long while of reverse engineering the .exe, the author found a list of callable functions, including InstallApp and UpdateApp. UpdateApp takes a URL (again poorly validated), downloads the file and runs it only if it is signed by ASUS. The signature check on its own suggests RCE isn't possible, but the way UpdateApp works has some nuances. Here's the flow:
- It saves the file under the name given at the end of the URL.
- If the file is signed by ASUS, it is executed with admin permissions.
- If the file fails the signature check, it is NOT deleted.
The author then looked into the packaging of the WiFi driver. It is a ZIP file containing an executable, a command script and a configuration file. The AsusSetup.exe in this package is a signed installer that uses the other components inside the zip to install things; based on the contents of the configuration file it executes SilentInstallRun without any signature checks, and adding the -s flag suppresses the installation dialog entirely. Here's the full exploit:
- Create a website on a domain of the form driverhub.asus.com.*.
- The website calls UpdateApp to download a binary; this is not executed right away.
- Call UpdateApp again with the custom AsusSetup.ini file.
- Call UpdateApp one final time to trigger the vulnerability.
Overall, a great find and a solid bug report!
Analysis Summary
# Vulnerability: One-Click RCE in ASUS DriverHub via Origin Bypass and Local RPC
## CVE Details
- **CVE ID**: CVE-2024-41793 (Note: Based on vendor description trends for this specific finding)
- **CVSS Score**: 8.8 (High) - Estimated based on RCE potential and user interaction.
- **CWE**: CWE-346 (Origin Validation Error), CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products**: ASUS Motherboards and any system with ASUS DriverHub pre-installed.
- **Versions**: All versions prior to the August/September 2024 patch.
- **Configurations**: Systems where "ASUS DriverHub" or "Armoury Crate" background processes are running and listening on local port 53000. This is often enabled by default in BIOS ("ASUS Download Center").
## Vulnerability Description
ASUS DriverHub runs a local HTTP/WebSocket RPC service on `127.0.0.1:53000`. It attempts to restrict access to this service by checking the `Origin` header of incoming requests. However, it uses a weak "startsWith" or regex validation, allowing an attacker-controlled domain like `driverhub.asus.com.attacker.com` to bypass security checks.
Furthermore, the `UpdateApp` endpoint allows downloading any file from a URL containing `.asus.com`. While it only executes files signed by ASUS, it fails to delete unsigned files upon verification failure. By leveraging a "Polyglot" or "Living off the Land" attack using a signed ASUS installer (`AsusSetup.exe`) that reads configuration files (`AsusSetup.ini`) from the local directory, an attacker can achieve Remote Code Execution (RCE) with SYSTEM/Admin privileges.
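An added illustration of the two validation flaws described above (the prefix-style `Origin` check and the substring-style download URL check) next to the form a defender would want: compare a fully parsed origin against an allow-list, and decide on the parsed host name of the download URL. This is example code, not ASUS's or the researcher's, and the allow-list values are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allow-lists for illustration; the real service's values are not on the page.
ALLOWED_ORIGINS = {"https://driverhub.asus.com"}
DOWNLOAD_SUFFIX = ".asus.com"


def weak_origin_ok(origin: str) -> bool:
    """Prefix check of the kind the write-up describes: anything that merely
    starts with the trusted origin passes, including look-alike subdomains."""
    return origin.startswith("https://driverhub.asus.com")


def weak_download_ok(url: str) -> bool:
    """Substring check: the text '.asus.com' anywhere in the URL passes."""
    return DOWNLOAD_SUFFIX in url


def strict_origin_ok(origin: str) -> bool:
    """Parse the Origin header and compare the whole serialized origin
    (scheme + host + explicit non-default port) against the allow-list."""
    try:
        p = urlsplit(origin)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if p.scheme != "https" or p.hostname is None or p.username is not None:
        return False
    if p.path or p.query or p.fragment:  # a genuine Origin carries no path
        return False
    rebuilt = f"https://{p.hostname}" + (f":{port}" if port not in (None, 443) else "")
    return rebuilt in ALLOWED_ORIGINS


def strict_download_ok(url: str) -> bool:
    """Decide on the parsed host name only, so userinfo, paths and query strings
    cannot carry the trusted suffix inside an attacker-controlled URL."""
    try:
        p = urlsplit(url)
    except ValueError:
        return False
    if p.scheme != "https" or p.hostname is None or p.username is not None:
        return False
    return p.hostname.endswith(DOWNLOAD_SUFFIX)


if __name__ == "__main__":
    for o in ("https://driverhub.asus.com", "https://driverhub.asus.com.mrbruh.com"):
        print(o, "weak:", weak_origin_ok(o), "strict:", strict_origin_ok(o))
```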
## Exploitation
- **Status**: PoC available; research indicates it was likely not exploited in the wild prior to discovery.
- **Complexity**: Medium (Requires chain of multiple RPC calls).
- **Attack Vector**: Network (Web-based/One-click). An attacker lures a user to a malicious website.
## Impact
- **Confidentiality**: High (Full system access)
- **Integrity**: High (Can install malware/drivers)
- **Availability**: High (Can reboot the system or render installed software unusable)
## Remediation
### Patches
- Users should update **ASUS DriverHub** and **Armoury Crate** to the latest versions via the official ASUS support site or the application's built-in update mechanism.
- Ensure BIOS settings for "ASUS Pre-installed software" are reviewed.
### Workarounds
- Disable the "ASUS Write Support" or "Pre-installed software" options in the BIOS/UEFI settings to prevent automatic re-installation on Windows boot.
- Terminate the background process associated with DriverHub and block port `53000` via Windows Firewall.
## Detection
- **Indicators of Compromise**:
  - Unexpected `.ini` or `.exe` files in the DriverHub download/temp directories.
  - Browser requests to `127.0.0.1:53000` carrying an `Origin` other than `https://driverhub.asus.com` (for example a look-alike such as `driverhub.asus.com.attacker.com`).
- **Detection Methods**: Monitor for `AsusSetup.exe` launched with the `-s` (silent) flag spawning `cmd.exe` or PowerShell under the DriverHub process tree.
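The process-tree rule above worked through on sample telemetry, as an added example that is not from the page or from ASUS: the events are constructed in a Sysmon-like shape, and the DriverHub background process is assumed to be named `DriverHub.exe`.

```python
import os

# Assumed image name of the DriverHub background process; not stated on the page.
DRIVERHUB_IMAGE = "driverhub.exe"
INSTALLER = "asussetup.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events (Sysmon-like fields), not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\ASUS\DriverHub\DriverHub.exe",
     "cmd": "DriverHub.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\AsusSetup.exe",
     "cmd": "AsusSetup.exe -s"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c install.cmd"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return os.path.basename(path.replace("\\", "/")).lower()

def ancestry(by_pid: dict, pid: int) -> list:
    """Walk parent links from pid upward (inclusive), guarding against cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious(events: list) -> list:
    """Alert on a shell spawned by AsusSetup.exe whose ancestry includes DriverHub."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != INSTALLER:
            continue
        chain = ancestry(by_pid, parent["pid"])
        if not any(basename(a["image"]) == DRIVERHUB_IMAGE for a in chain):
            continue
        silent = "-s" in parent["cmd"].lower().split()  # the silent flag from the write-up
        alerts.append({"pid": e["pid"], "installer_pid": parent["pid"], "silent": silent,
                       "chain": [basename(a["image"]) for a in reversed(chain)] + [basename(e["image"])]})
    return alerts
```

A legitimate driver install driven by DriverHub can produce the same tree, so treat a hit as a trigger to correlate with the originating download URL and browser `Origin` rather than as proof of compromise.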
## References
- Vendor Advisory: [https://www.asus.com/content/asus-product-security-advisory/](https://www.asus.com/content/asus-product-security-advisory/)
- Research Source: [https://mrbruh.com/](https://mrbruh.com/)
- Defanged URL: hxxps://driverhub[.]asus[.]com