ASUS fixes ROG Armory Crate after discovery of security breach • The Register
A flaw in ASUS' ROG Armory Crate hardware management application could have allowed underprivileged users to run code as an administrator.
The now-fixed privilege escalation vulnerability was discovered by “Federico” of the Italian hacker collective APtortellini.
Federico discovered the vulnerability after taking a close look at ROG Armory Crate, finding a DLL hijacking vulnerability that allowed ordinary users to run code with SYSTEM privileges by placing a specially crafted file in a directory used by the application.
The software is aimed at gamers who put LED lights and customizable lighting on all of their hardware, an odd practice from people who you’d expect to look intently at the screen instead of the box that powers it.
Analyzing the Process Monitor startup logs, Federico saw that Armory Crate version 4.2.8 was loading a DLL from a folder under C:\ProgramData, a folder in which ordinary users on a Windows 10 PC can write without requiring an administrator password or any other escalated privilege.
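As an added example (not code from The Register, APtortellini or ASUS), the following script shows the defender's version of the Process Monitor triage described above: it reads a Procmon CSV export and flags DLL loads by SYSTEM- or High-integrity processes from directories that standard users can write to, so the vendor or administrator can fix the load path or lock down the folder's ACL. The CSV sample, process names, vendor folder and the list of user-writable roots are all constructed; the Integrity column is assumed to have been enabled in Procmon.

```python
import csv
import io

# Directory roots whose default Windows 10 ACLs let standard users create files
# (illustrative list; a real audit should read the ACL of each directory instead).
USER_WRITABLE_ROOTS = ("C:\\ProgramData", "C:\\Users\\Public", "C:\\Windows\\Temp")
# Procmon integrity levels at which a planted DLL would execute with elevated rights.
PRIVILEGED_LEVELS = {"System", "High"}

# Constructed sample of a Procmon CSV export with the Integrity column enabled.
# Process names, paths and the vendor folder are made up; this is not the ASUS trace.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail,Integrity
10:00:01.0000001,ExampleSvc.exe,1234,Load Image,C:\\Windows\\System32\\kernel32.dll,SUCCESS,Image Base: 0x7ff0,System
10:00:01.0000002,ExampleSvc.exe,1234,CreateFile,C:\\ProgramData\\ExampleVendor\\plugin.dll,NAME NOT FOUND,Desired Access: Read Data,System
10:00:01.0000003,ExampleSvc.exe,1234,Load Image,C:\\ProgramData\\ExampleVendor\\helper.dll,SUCCESS,Image Base: 0x7ff1,System
10:00:02.0000004,notepad.exe,4321,Load Image,C:\\Users\\Public\\extra.dll,SUCCESS,Image Base: 0x7ff2,Medium
"""

def is_user_writable(path):
    """True if path lies inside one of the user-writable roots (case-insensitive, as on NTFS)."""
    low = path.lower()
    return any(low == r.lower() or low.startswith(r.lower() + "\\") for r in USER_WRITABLE_ROOTS)

def find_hijackable_loads(csv_text):
    """Return (process, path, reason) for each privileged DLL load a standard user could influence."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if not path.lower().endswith(".dll") or row["Integrity"] not in PRIVILEGED_LEVELS:
            continue
        if not is_user_writable(path):
            continue
        if row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            reason = "DLL loaded from a user-writable directory"
        elif row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            reason = "missing DLL searched for in a user-writable directory"
        else:
            continue
        findings.append((row["Process Name"], path, reason))
    return findings

if __name__ == "__main__":
    for process, path, reason in find_hijackable_loads(SAMPLE_CSV):
        print(f"{process}: {path} ({reason})")
```

On the sample trace only the two ProgramData entries of the privileged service are reported; the system DLL and the medium-integrity notepad load are ignored.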
Tracked as CVE-2021-40981, the vuln has not yet received a public CVE score.
“This type of software is generally poorly designed from a security perspective – I’m not shaming ASUS here, it’s just a question of fact as gaming software is generally not designed with security in mind. To wit, they have to be flashy and eye-catching – so I’m done focusing my efforts on this particular software,” commented Federico.
The vulnerability came down to the application loading a DLL without any checks, with Federico noting in his description of the exploit: “We will use a simple DLL which will add a new user to the local administrators.”
The latest version of Armory Crate, 4.2.10, fixed the flaw. The remediation time was particularly short: it only took 18 days from the vulnerability report to the remediation, with the fix being incorporated into the company’s next scheduled update for Armory Crate.
ASUS has been invited to comment. We will update this article if the hardware manufacturer responds.
While its software was vulnerable to the exploit described by Federico, the level of access required to exploit it means that its potential impact would be relatively small – although gaming PCs, and PCs used by people working in the games industry, have long been a target of cryptocurrency-mining malware, among other threats.
DLL hijacking vulnerabilities such as the one found by Federico are relatively common. Last year EA Games’ Origin client, used by millions of gamers around the world, was found to contain an identical vuln, which was similarly discovered with Procmon. Dell has also acknowledged that its SupportAssist program contained a similar flaw. ®