Summary of How’d They Let This Happen?
The video investigates a critical remote code execution (RCE) vulnerability found in ASUS’s pre-installed driver software, specifically within the DriverHub utility bundled with ASUS motherboards. The presenter, who had personal experience with ASUS hardware, explores how DriverHub operates by running a local RPC (Remote Procedure Call) service that communicates with a website to manage driver installations and updates.
Key points covered include:
- Background and Initial Concerns: The presenter bought a new ASUS motherboard despite previous bad experiences and was wary of the BIOS silently installing software on Windows. DriverHub automatically requests admin permissions upon login to install drivers, which raised security concerns.
- Technical Analysis of DriverHub: DriverHub runs a local HTTP/WebSocket RPC daemon accessible from the browser at localhost, which the website uses to query and control driver installations. The daemon relies on checking the HTTP Origin header to authenticate requests but uses a flawed wildcard pattern, allowing attackers to bypass origin checks and send arbitrary commands.
- Vulnerability Discovery: The presenter confirmed that by manipulating the Origin header, an attacker could interact with the RPC daemon without proper authentication. The daemon exposes multiple endpoints, including ones that reveal device info, reboot the system, install or update apps, and critically, execute code.
- Remote Code Execution (RCE) Mechanism: Although the update mechanism requires executables to be signed by ASUS, the attacker found a way to exploit the silent installation process of a legitimate ASUS Wi-Fi driver. This process runs scripts specified in an INI file during silent installs, allowing arbitrary commands to be executed with admin privileges. By chaining the download of a signed executable and a malicious script, the attacker achieved one-click RCE.
- ASUS’s Response and Timeline: The vulnerability was reported on April 7th, with an automated response on April 9th and a fix confirmed shortly after. Two CVEs were issued, one with a high severity score (9.4). However, ASUS’s public advisories downplayed the issue by restricting it to motherboards and using vague language like “untrusted sources affecting system behavior,” which the presenter criticized as misleading.
- Additional Insights and Criticism: The presenter noted that the vulnerability affects any system with DriverHub installed, regardless of hardware type. He also criticized ASUS for poor security design choices, such as relying on Origin header checks for authentication and the lack of a bug bounty program (instead, ASUS offers a hall of fame mention). Furthermore, another researcher had reported a related issue months earlier, but ASUS took a long time to address it and did not credit that researcher.
- Personal Impact and Broader Implications: The presenter ended up using an external USB Wi-Fi adapter because the onboard Wi-Fi driver was problematic. He expressed disappointment that despite the complexity of UEFI and firmware development, fundamental security practices were neglected. The video closes by encouraging viewers interested in cybersecurity and programming fundamentals to learn more.
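The flawed origin check described above, as an added illustration that is not code from the video or from DriverHub: a loose, unanchored pattern match on the Origin header beside a strict allowlist comparison of the full parsed origin. The trusted origin `https://driverhub.example.com` and the lookalike origin are constructed placeholders; the page does not state DriverHub's real pattern.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder allowlist; the real DriverHub origin is not given on this page.
ALLOWED_ORIGINS = {"https://driverhub.example.com"}

# Unanchored pattern assumed for illustration of a "wildcard" style check.
_LOOSE_PATTERN = re.compile(r"driverhub\.example\.com")


def weak_origin_check(origin):
    """Loose check: passes if the trusted host appears anywhere in the Origin value.

    This is the failure mode the video describes: any page whose origin merely
    contains the trusted host name (e.g. a lookalike domain) is accepted.
    """
    return bool(origin) and _LOOSE_PATTERN.search(origin) is not None


def strict_origin_check(origin):
    """Strict check: parse the Origin and compare the whole normalized origin.

    Requires a present, non-null Origin, https, an exact host, the default port,
    and no path/query/userinfo, then matches against the allowlist exactly.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    normalized = f"https://{parts.hostname}"
    if port is not None and port != 443:
        normalized += f":{port}"
    return normalized in ALLOWED_ORIGINS


def evaluate(origin):
    """Return both verdicts for one Origin value, for side-by-side comparison."""
    return {"weak": weak_origin_check(origin), "strict": strict_origin_check(origin)}
```

Even the strict variant only limits which browser pages may reach the daemon; as the video argues, endpoints that install or execute software still need the request itself authenticated rather than trusting a page header.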
Presenters/Contributors:
- The main presenter (unnamed, likely a tech/security content creator)
- Mention of another unnamed security researcher who previously reported a related issue
Category
News and Commentary