The video reveals a critical security flaw in ASUS’s pre-installed DriverHub software that allows attackers to execute arbitrary code with admin privileges due to flawed origin validation in its local RPC service. Despite ASUS quickly patching the issue after responsible disclosure, the video highlights broader concerns about insecure design choices, poor bug reporting processes, and unwanted bundled software compromising user security.
The video explores a critical security vulnerability found in ASUS’s pre-installed driver software, DriverHub, which comes with ASUS motherboards. The creator begins by sharing personal frustrations with ASUS hardware but admits to purchasing another ASUS motherboard, prompting an investigation into potential security risks. Upon logging into Windows, the creator notices DriverHub automatically requesting admin permissions to install drivers, raising concerns about how the BIOS silently installs software without explicit user consent. This behavior, while allowed due to BIOS’s low-level access, is unsettling because it can lead to unauthorized software installations.
Digging deeper, the creator examines how DriverHub communicates with its website using a local RPC (Remote Procedure Call) daemon accessible via HTTP on the local machine. This design choice immediately raises red flags: if the RPC service is not properly secured, it could be exploited by attackers to execute malicious commands. The creator tests the system and discovers that the RPC daemon only accepts requests whose Origin header is set to driverhub.asus.com, but this check is flawed due to wildcard matching, allowing malicious origins to bypass the restriction. This vulnerability essentially opens the door to remote code execution (RCE).
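As an added illustration (not code from the video or from ASUS DriverHub), the following Python contrasts a wildcard-style Origin check of the kind described above with an exact-match check; the trusted host name comes from the text, while the allowed scheme and the sample Origin header values are assumptions constructed for the demo.

```python
# Added example (not code from the video or from ASUS): a loose, wildcard-style
# Origin check beside an exact-match check for a local HTTP RPC service.
# The scheme and the sample Origin values below are assumptions/constructed.
from fnmatch import fnmatch
from urllib.parse import urlsplit

# The only web origin that should be allowed to talk to the local RPC daemon.
ALLOWED_ORIGIN = ("https", "driverhub.asus.com")


def origin_allowed_weak(origin: str) -> bool:
    """Loose check: accept any Origin that merely *contains* the trusted host.

    This is the kind of wildcard matching the video describes: any value
    that embeds the trusted name somewhere passes, so it is not really an
    origin check at all.
    """
    return fnmatch(origin, "*driverhub.asus.com*")


def origin_allowed_strict(origin: str) -> bool:
    """Exact check: parse the Origin header and require the scheme and host
    to match precisely, with no substring or wildcard matching."""
    if not origin:
        # A missing Origin header must never be treated as trusted.
        return False
    parts = urlsplit(origin)
    # A well-formed Origin is "scheme://host[:port]" with no path or query.
    if parts.path or parts.query or parts.fragment:
        return False
    host = parts.hostname or ""
    return (parts.scheme.lower(), host.lower()) == ALLOWED_ORIGIN


# Constructed sample Origin header values (not captured from real requests).
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",               # the genuine site
    "https://driverhub.asus.com.example",       # trusted name as a prefix of another host
    "https://example.test/driverhub.asus.com",  # trusted name only in the path
    "",                                         # header absent
]


def compare_checks(origins=SAMPLE_ORIGINS) -> dict:
    """Return {origin: (weak_result, strict_result)} for each sample origin."""
    return {o: (origin_allowed_weak(o), origin_allowed_strict(o)) for o in origins}


if __name__ == "__main__":
    for origin, (weak, strict) in compare_checks().items():
        print(f"{origin or '<none>':45} weak={weak!s:5} strict={strict}")
```

Running it shows the loose check accepting every value that contains the trusted name, while the exact check accepts only the genuine origin.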
Further analysis reveals several callable endpoints in the RPC service, including commands to reboot the device, retrieve device info, install or update applications, and even execute arbitrary code. The most concerning endpoint is the “update app” function, which downloads and runs executables signed by ASUS with admin privileges. Although the signature check initially seemed to mitigate risk, the creator finds a way to exploit the silent install feature of a Wi-Fi driver package. By manipulating the update process, an attacker can run arbitrary scripts with admin rights, achieving one-click RCE on the system.
The creator responsibly reports the vulnerability to ASUS on April 7th, and ASUS responds promptly, fixing the issue within about ten days and issuing two CVEs with high severity scores. Despite the quick patch, the creator notes that another researcher had reported a similar origin check flaw months earlier, but ASUS delayed the fix and did not credit that researcher properly. The video also highlights ASUS’s problematic bug reporting system, which flagged the vulnerability report as malicious, complicating disclosure. Additionally, the creator criticizes ASUS for bundling unwanted software like Norton 360 and WinRAR through DriverHub, which installs these programs without clear user consent.
In conclusion, the video underscores the dangers of insecure design choices in low-level system software like motherboard drivers. While ASUS’s use of binary signing is a positive security measure, the flawed origin validation and the ability to silently execute arbitrary scripts expose users to significant risks. The creator expresses disappointment that such a major company overlooked basic security principles, emphasizing the importance of fundamental computer knowledge for developers. The video ends with a call to viewers to stay informed about security issues and to be cautious about pre-installed software on their systems.