DeadUpdate, CVE-2016-3966
DeadUpdate is the name I gave to a vulnerability, CVE-2016-3966, which allowed for relatively simple escalation from an untrusted external HTTP request to full-blown NT Authority\SYSTEM access, BIOS reflashing, or driver installation.
The short of it is that:
- Asus shipped “LiveUpdate” on a bunch of machines
- LiveUpdate was intended to deliver BIOS updates and such
- It uses no authentication and the HTTPS endpoint didn’t work at the time
- The trivial obfuscation on XML documents was easy to get around via 404
- If you can intercept the LiveUpdate request, you can deliver Evil Payloads
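To make the point of that list concrete (reversible obfuscation provides no authenticity; only a verified signature from the vendor does), here is an added toy model that is not code from this post or from Asus LiveUpdate. It assumes a constructed single-byte XOR as a stand-in for the obfuscation, a constructed one-element manifest format, and an HMAC standing in for a vendor signature checked against a pinned key; none of these are the real scheme.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for "trivial obfuscation": single-byte XOR over the XML.
# Anyone who can read the stream can also reverse it, so it authenticates nothing.
OBF_KEY = 0x5A

def obfuscate(xml: bytes) -> bytes:
    return bytes(b ^ OBF_KEY for b in xml)

deobfuscate = obfuscate  # XOR with a fixed byte is its own inverse

def parse_manifest(xml: bytes) -> dict:
    """Parse a constructed <update url="..." sha256="..."/> manifest."""
    root = ET.fromstring(xml)
    return {"url": root.get("url"), "sha256": root.get("sha256")}

# Client A: trusts whatever deobfuscates cleanly (the failure mode in the list above).
def client_obfuscation_only(wire: bytes) -> dict:
    return parse_manifest(deobfuscate(wire))

# Client B: requires an authenticator over the manifest before acting on it.
# HMAC with a hypothetical key is a stand-in for a vendor signature verified
# with a pinned public key; a shared secret would not be the real design.
SIGNING_KEY = b"constructed-vendor-key"

def sign(xml: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, xml, hashlib.sha256).digest()

def client_authenticated(wire: bytes, tag: bytes) -> dict:
    xml = deobfuscate(wire)
    if not hmac.compare_digest(sign(xml), tag):
        raise ValueError("manifest failed authentication; refusing update")
    return parse_manifest(xml)

# Constructed sample manifests: the genuine one and one swapped in on the wire.
GENUINE = b'<update url="http://vendor.example/bios.bin" sha256="aa"/>'
SWAPPED = b'<update url="http://attacker.example/evil.bin" sha256="bb"/>'

def demo():
    """Return (url client A would fetch, whether client B rejected the swap)."""
    tag = sign(GENUINE)          # authenticator published with the genuine manifest
    wire = obfuscate(SWAPPED)    # what arrives when the plain-HTTP request is intercepted
    accepted_url = client_obfuscation_only(wire)["url"]
    try:
        client_authenticated(wire, tag)
        rejected = False
    except ValueError:
        rejected = True
    return accepted_url, rejected
```

Client A happily returns the swapped URL; client B raises, which is the check a transport without working HTTPS needed the client itself to perform.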
I delivered a proof of concept and description. I was not explicitly granted the CVE, as Duo Security published bare days before I did, since I went through the longer process of attempting to contact Asus instead of going Full Disclosure.