It tries to load a file from a location any old user can write to
A flaw in ASUS’s ROG Armoury Crate hardware management app could have allowed low-privileged users to execute code as administrator.
The now-patched privilege escalation vulnerability was uncovered by “Federico” from Italian hacker collective APTortellini.
Federico discovered the vuln after taking a close look at ROG Armoury Crate, finding a DLL hijacking vuln that allowed ordinary users to execute code with SYSTEM privileges after pasting a crafted file into a directory used by the app.
The software is intended for use by gamers who put LED lights and customisable illumination all over their hardware, a strange practice from people you’d expect to be gazing intently at the screen instead of the box powering it.
Analysing boot logs from Process Monitor allowed Federico to see that Armoury Crate version 4.2.8 was calling a DLL file from a folder inside C:\ProgramData\, a folder which ordinary users on a Windows 10 PC can write to without requiring an admin password or any other escalated privileges.
Tracked as CVE-2021-40981, the vuln has not yet received a public CVE score.
“This kind of software is usually poorly designed from a security perspective – not shaming ASUS here, it’s just a matter of fact as gaming software is usually not designed with security in mind, it has to be flashy and eye-catching – so I ended up focusing my effort on this particular piece of software,” commented Federico.
- Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn’t fix even after 5 years
- Frustrated dev drops three zero-day vulns affecting Apple iOS 15 after six-month wait
- Break out your emergency change process and patch this ransomware-friendly bug ASAP, says VMware
- Fix network printing or keep Windows secure? Admins would rather disable PrintNightmare patch
The vuln boiled down to the application loading a DLL without any checks, with Federico noting in his description of the exploit: “We will go with a simple DLL which will add a new user to the local administrators.”
The latest version of Armoury Crate, 4.2.10, fixed the flaw. The time to remediation was notably short: it took just 18 days between the vuln being reported and patched, with the fix being incorporated in the company’s next scheduled update run for Armoury Crate.
ASUS has been asked for comment. We will update this article if the hardware manufacturer responds.
While its software was vulnerable to the exploit Federico described, the level of access required to exploit it means its potential impact would be relatively low – though gaming PCs, and PCs used by those in the gaming industry, have long been targets for cryptocurrency mining malware among other nasties.
DLL-bound privesc vulns of the sort found by Federico are relatively common. Last year EA Games’ Origin client, used by millions of gamers worldwide, was found to contain an identical vuln that was discovered in an identical way with Procmon. Dell also ‘fessed up to its SupportAssist program containing a similar flaw. ®