Critical privilege escalation vulnerability in ASUS laptops with ROG Armoury Crate app installed

A security report published by an Italian researcher notes that exploiting a severe vulnerability in the ROG Armoury Crate hardware management application for ASUS computers would allow low-privileged users to execute code with administrator privileges on the affected system.

Armoury Crate is a utility designed for users who run LED lights and other types of lighting on their computers, something that has become a trend especially in the PC gamer community.

The researcher, identified simply as Federico, discovered this flaw after analyzing the ROG Armoury Crate code, which allowed him to find a DLL hijacking error: a conventional user could execute code with SYSTEM privileges after placing a specially crafted file in a directory used by the application.

While analyzing the Process Monitor boot logs, the researcher noticed that Armoury Crate v4.2.8 was loading a DLL file from a folder within C:\ProgramData\, a folder that any Windows 10 user can write to without an administrator password or any other type of privilege on the system. The vulnerability is tracked as CVE-2021-40981, although it has not yet received a Common Vulnerability Scoring System (CVSS) score.
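The log review described above can be scripted as an audit of your own Process Monitor exports. This is an added example, not the researcher's or ASUS's code: the process, folder and DLL names in the sample are constructed placeholders, the "User" column is assumed to be enabled in the export, and a hit only marks a directory whose ACL should then be reviewed.

```python
import csv
import io
from pathlib import PureWindowsPath

# C:\ProgramData is the root named in the article; extend per host (assumption).
SUSPECT_ROOTS = [PureWindowsPath(r"C:\ProgramData")]
PRIVILEGED_USERS = {r"nt authority\system"}
OPERATIONS = {"Load Image", "CreateFile"}

# Constructed sample in Process Monitor CSV export layout with the optional
# "User" column enabled. Process, folder and DLL names are placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","User"
"09:00:01.001","ExampleService.exe","1200","CreateFile","C:\ProgramData\ExampleVendor\plugins\example.dll","NAME NOT FOUND","NT AUTHORITY\SYSTEM"
"09:00:01.002","ExampleService.exe","1200","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","NT AUTHORITY\SYSTEM"
"09:00:01.003","notepad.exe","3400","Load Image","C:\ProgramData\ExampleVendor\plugins\other.dll","SUCCESS","DESKTOP\alice"
"09:00:01.004","ExampleService.exe","1200","Load Image","c:\programdata\ExampleVendor\plugins\example2.dll","SUCCESS","NT AUTHORITY\SYSTEM"
"09:00:01.005","ExampleService.exe","1200","ReadFile","C:\ProgramData\ExampleVendor\config.ini","SUCCESS","NT AUTHORITY\SYSTEM"
'''


def under_suspect_root(path):
    """True if path lies inside a suspect root (case-insensitive, whole components)."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in SUSPECT_ROOTS)


def find_privileged_dll_loads(csv_text):
    """Return (process, path, result) for DLL opens by SYSTEM under a suspect root."""
    findings = []
    # When reading a real export from disk, open it with encoding="utf-8-sig".
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row.get("Path") or ""
        if row.get("Operation") not in OPERATIONS:
            continue
        if (row.get("User") or "").lower() not in PRIVILEGED_USERS:
            continue
        if not path.lower().endswith(".dll") or not under_suspect_root(path):
            continue
        findings.append((row["Process Name"], path, row["Result"]))
    return findings


if __name__ == "__main__":
    for process, path, result in find_privileged_dll_loads(SAMPLE_CSV):
        print(f"review ACL: {process} -> {path} ({result})")
```

Each reported directory should then be checked for write access by non-administrative accounts, since a path under C:\ProgramData\ is a candidate rather than proof of a writable location.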

Although exploiting this flaw is trivial, the consequences of a potential attack are comparatively low. The main risks derived from this flaw include malware infections that mine cryptocurrency and arbitrary manipulation of the affected hardware.

On this flaw, the researcher mentions that this kind of software is poorly designed in terms of cybersecurity: “Usually these products are not designed with security in mind. It’s not a criticism just for ASUS, the entire industry engages in the same practices.”

The latest version of Armoury Crate (v4.2.10) includes a fix for this vulnerability and was released just a couple of weeks after ASUS received the report. The company has already received some requests for information from the cybersecurity community, though ASUS has not mentioned anything about it.
