ASUSpicious Flaw - Millions of Users’ Information Exposed Since 2022

Please note that it’s not particularly suspicious, it just made for a good play-on-words title.

Introduction

What do most people do when they’re mistreated by a multi-billion dollar company after reporting a zero-day RCE to them? Certainly not find another zero-day exploit, but that’s exactly what I ended up doing. Read part one of this series on ASUS here.

I had recently spent a lot of hours trawling through decompiled C/C++ code in part one, so I wanted something a little easier to read. This meant looking for executables made using C#, since its decompilation creates a near-perfect replica of the original code, including file, function and variable names.

After running a bash script to search for .NET executables using the file command, I made a shortlist of about 10 files that piqued my interest. After examining the source code of them I found two that looked interesting, AsusSSO.dll and AsusAPI.dll, used in their MyAsus software.

Finding hard-coded credentials

When examining these I noticed they both contained encrypted hard-coded values that were decrypted on the fly, and after isolating the decryption functions I asked ChatGPT to port them to Python so I could decrypt values independently of the DLL, which ChatGPT managed to successfully replicate on its second attempt.

AsusAPI.dll encryption algorithm:

AsusSSO.dll encryption algorithm:

After decrypting some of these values and reading over some of the functions using them, I came to the conclusion that these were authorisation credentials and tokens for use with their API. My main concern was that these encrypted credentials may have unnecessarily permissive scopes that could facilitate malicious use if put in the wrong hands. This turned out to be true, as the hard-coded credentials had administrator-level / unrestricted permissions that could be abused to access the information of any ASUS account.

The Exploitable Endpoints

Here is a list of the d...
First seen: 2025-06-24 09:11
Last seen: 2025-06-24 16:12