
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://sensepost.com/blog/2025/pwning-asus-driverhub-msi-center-acer-control-centre-and-razer-synapse-4/
  • Blog Title: Pwning ASUS DriverHub, MSI Center, Acer Control Centre and Razer Synapse 4
  • Suggested Section: 🪟 Windows Hardening -> Windows Local Privilege Escalation (new subsections on: 1) Browser-to-localhost CSRF against privileged HTTP APIs using weak Origin/host checks; 2) Insecure code-signing verification and certificate-cloning based RCE; 3) TOCTOU in updater/signed-binary execution paths; 4) Abusing custom SYSTEM-level IPC (TCP/named pipes) and misconfigured impersonation levels). Cross-link from 🕸️ Pentesting Web -> CSRF/localhost and from 🔩 Reversing -> Dynamic instrumentation for IPC protocol reverse engineering.

🎯 Content Summary

This article walks through the discovery and exploitation of multiple Windows vulnerabilities in OEM utilities from ASUS, MSI, Acer, and Razer, focusing on how browser ↔ localhost bridges, custom IPC protocols, and privileged services are implemented and then abused. All proof‑of‑concept exploits are available in the bloatware-pwn repository 🎁.


ASUS DriverHub – Browser‑to‑localhost RCE (CVE‑2025‑3462, CVE‑2025‑3463)

...

🔧 Technical Details

1. Exploiting Browser→localhost Architectures via Weak Origin/Host Validation.
Many desktop apps, like ASUS DriverHub, expose privileged HTTP APIs on 127.0.0.1 and gate them only by checking the Origin header or a download URL’s host. If those checks use naïve substring logic (e.g., if origin.contains(".asus.com")), an attacker can register domains like exploit.asus.com.attacker.tld and host malicious pages there. When a victim visits the site, their browser sets Origin: http(s)://exploit.asus.com.attacker.tld, which passes the substring check. The attacker can then use fetch or XHR to call sensitive localhost endpoints, such as /asus/v1.0/Reboot or /asus/v1.0/UpdateApp, with crafted JSON bodies to drive installs, reboots, or even arbitrary code execution entirely from the browser.


2. Bypassing “Signed Only” Enforcement by Cloning Certificates when

🤖 Agent Actions

Summary:

  • Expanded abusing-auto-updaters-and-ipc.md with four new subsections covering: browser-to-localhost CSRF against ASUS DriverHub’s HTTP API, certificate-cloning abuse of its UpdateApp endpoint, MSI Center’s TOCTOU race in CMD_AutoUpdateSDK, and insecurity across MSI Center TCP and Acer Control Centre named-pipe IPC (including impersonation-level flips).
  • Added concrete payload examples (fetch/PowerShell, SigThief usage, MSI frame formats) plus guidance on reconstructing proprietary IPC protocols with dnSpy/Wireshark/Frida, linking to relevant HackTricks sections.
  • Updated references to include the SensePost blog and PoC repository.

No other files were modified.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
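As an added example (not code from this PR, the HackTricks page, or the SensePost post), the substring Origin check described in item 1 is shown beside an exact-allowlist check so the difference is visible on concrete inputs; the allowed hosts and the test origins are constructed for illustration.

```python
"""Weak substring Origin check vs. exact scheme+host allowlist.
Added example; hosts and origins below are constructed, not from the page."""
from urllib.parse import urlsplit

# Assumed allowlist for illustration; a real service would list only the
# exact origins that legitimately talk to its localhost API.
ALLOWED_HOSTS = {"driverhub.asus.com", "www.asus.com"}


def origin_allowed_weak(origin: str) -> bool:
    """The pattern criticised in item 1: any origin containing '.asus.com'."""
    return ".asus.com" in origin


def origin_allowed_strict(origin: str) -> bool:
    """Parse the Origin header and require https plus an exact host match.
    Rejects missing/'null' origins, non-https, explicit ports, userinfo,
    and lookalike hosts such as exploit.asus.com.attacker.tld."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
            return False
        if parts.port is not None or parts.username is not None:
            return False
    except ValueError:  # malformed port or netloc
        return False
    return parts.hostname in ALLOWED_HOSTS


def evaluate(origins):
    """Return {origin: (weak_result, strict_result)} for each candidate."""
    return {o: (origin_allowed_weak(o), origin_allowed_strict(o)) for o in origins}


# Constructed sample origins, including the lookalike host from the summary.
CONSTRUCTED_ORIGINS = [
    "https://driverhub.asus.com",
    "https://exploit.asus.com.attacker.tld",
    "http://driverhub.asus.com",
    "https://driverhub.asus.com:8443",
    "null",
]

if __name__ == "__main__":
    for o, (weak, strict) in evaluate(CONSTRUCTED_ORIGINS).items():
        print(f"{o:42} weak={weak!s:5} strict={strict}")
```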

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://sensepost.com/blog/2025/pwning-asus-driverhub-msi-center-acer-control-centre-and-razer-synapse-4/

Content Categories: Based on the analysis, this content was categorized under "🪟 Windows Hardening -> Windows Local Privilege Escalation (new subsections on: 1) Browser-to-localhost CSRF against privileged HTTP APIs using weak Origin/host checks; 2) Insecure code-signing verification and certificate-cloning based RCE; 3) TOCTOU in updater/signed-binary execution paths; 4) Abusing custom SYSTEM-level IPC (TCP/named pipes) and misconfigured impersonation levels). Cross-link from 🕸️ Pentesting Web -> CSRF/localhost and from 🔩 Reversing -> Dynamic instrumentation for IPC protocol reverse engineering.".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 422ff97 into master Dec 16, 2025
@carlospolop carlospolop deleted the update_Pwning_ASUS_DriverHub__MSI_Center__Acer_Control_Ce_20251207_124650 branch December 16, 2025 21:09