DeadUpdate, CVE-2016-3966

DeadUpdate is the name I gave to a vulnerability, CVE-2016-3966, which allowed relatively simple escalation from an untrusted external HTTP request to full-blown NT Authority\SYSTEM access, BIOS reflashing, or driver installation.

The short of it is that:

  • Asus shipped “LiveUpdate” on a bunch of machines
  • LiveUpdate was intended to deliver BIOS updates and such
  • It uses no authentication and the HTTPS endpoint didn’t work at the time
  • The trivial obfuscation on the XML documents was easy to get around via a 404
  • If you can intercept the LiveUpdate request, you can deliver Evil Payloads
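
The bullets above describe an update client that acts on whatever an unauthenticated HTTP reply tells it. The following is an added illustration (not Asus code, and not the proof of concept from this post) of the checks that close that gap on the client side: authenticate the manifest bytes before parsing them, refuse versions that are not newer than what is installed, and only run a payload whose hash is pinned in the authenticated manifest. The key, versions, file names and payload bytes are all constructed for the demo, and HMAC with a shared key stands in for a public-key signature so the example runs on the standard library alone.

```python
"""Minimal authenticated-update check, written as a stand-alone illustration."""
import hashlib
import hmac
import json

# Constructed demo key. In a production design the client would hold only a
# public verification key (e.g. Ed25519) and the vendor's private signing key
# would stay offline; HMAC with a shared key is used here purely so the example
# runs on the standard library.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Assumed version already installed on the client (constructed).
INSTALLED_VERSION = (1, 2, 0)


def sign(key: bytes, data: bytes) -> str:
    """Vendor side: produce the authenticator that ships next to the manifest."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(version: str, filename: str, payload: bytes) -> bytes:
    """Vendor side: manifest that pins the payload's hash, serialised deterministically."""
    manifest = {
        "version": version,
        "file": filename,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def unsafe_apply(manifest_bytes: bytes) -> str:
    """The failure mode in the post: act on whatever the plain-HTTP reply says."""
    manifest = json.loads(manifest_bytes)
    return f"would execute {manifest['file']} as version {manifest['version']}"


def verify_update(manifest_bytes: bytes, signature: str, payload: bytes,
                  installed=INSTALLED_VERSION, key: bytes = DEMO_KEY):
    """Client side: authenticate, then check rollback, then check payload hash.

    Returns (accepted, reason). Nothing from the manifest is acted on until the
    authenticator over its exact bytes has been verified.
    """
    if not hmac.compare_digest(sign(key, manifest_bytes), signature):
        return False, "manifest authentication failed"
    manifest = json.loads(manifest_bytes)
    if parse_version(manifest["version"]) <= installed:
        return False, "version is not newer than installed (rollback blocked)"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "payload hash does not match authenticated manifest"
    return True, "update accepted"


def demo():
    """Walk through the cases a defender cares about; all inputs are constructed."""
    genuine_payload = b"constructed genuine update bytes"
    manifest = build_manifest("1.3.0", "bios_update.exe", genuine_payload)
    signature = sign(DEMO_KEY, manifest)

    # Constructed stand-in for a reply substituted on the wire.
    substituted = build_manifest("9.9.9", "substituted.exe", b"constructed other bytes")

    return {
        "unsafe_trusts_substituted": unsafe_apply(substituted),
        "genuine": verify_update(manifest, signature, genuine_payload),
        "substituted_manifest": verify_update(substituted, signature, genuine_payload),
        "swapped_payload": verify_update(manifest, signature, b"constructed other bytes"),
        "rollback": verify_update(manifest, signature, genuine_payload, installed=(1, 3, 0)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the manifest is authenticated over its raw bytes before any field is read, so a substituted document never influences the version or hash comparison, and the payload hash is trusted only because it comes from an authenticated manifest. Running the block prints one line per case; the unsafe path happily reports the substituted file, while each tampered input fails a specific check.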

I delivered a proof of concept and description. I was not explicitly granted the CVE, as Duo Security published bare days before I did, since I went through the longer process of attempting to contact Asus instead of going Full Disclosure.