From Hunting for a Laptop to Hunting down Remote Code Execution

Anil Tom
Dec 27, 2018

Hello guys, this is Anil back with another write-up on my bug hunting adventures. This time I helped out Asus. :)

It was another ordinary day: I had come home from the office and was chatting with my roommates when one of my friends called and told me he wanted to buy a new laptop and needed some suggestions. So I went online and began hunting for laptops that met his requirements. I was reading about one of the Asus ROG models when suddenly the Bug Hunter in me woke up and I asked myself why I shouldn’t recon the Asus website.

So I began my recon of the website, and spent a whole night looking for a bug on their main domain and did not find anything…

The next morning I went to my office, but my mind was still on the Asus bug hunt. That evening I got a notification on my mobile that there was an update for the Termux app. And suddenly my Bug Hunter senses tingled, and I thought, “Why don’t you run Sublist3r against asus.com on the mobile?”

I randomly selected one of Asus’ sub-domains, specifically http://stw.asus.com/, and was greeted by this page:

Image for post

After seeing this page I felt confident that they were running a Microsoft server. It was 5:30 by then, so I shut down my PC and went back home. Once there, I took my laptop and opened the website. Recalling that a few days prior one of my 1337 friends, Rahul, had told me about the WebDAV Remote Code Execution bug, I decided to check for it.

Aside: What is WebDAV?

Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.

I began to check whether WebDAV was enabled and tried to add a network location from my laptop pointing to the website:

Image for post

Now usually when I try connecting to something that I don’t have access to, it always shows an irritating pop-up, like this one:

Image for post

But when I tried it with http://stw.asus.com/ it proceeded to the next step:

Image for post

Yes! It connected, and at that time I was like:

Image for post

I completed the addition of the network location, opened the folder, created a new file and saved it:

Image for post

Then I opened that file in the web browser and saw this:

Image for post

At that time I was like:

Image for post

Following this, I made a PoC video and reported it to the Asus team.
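The same sequence seen from the server side, as an added example that is not part of the original write-up: a log check that flags WebDAV write requests which succeeded without a logged-in user, and whether the written path was later served. It assumes the web server writes W3C extended logs (the IIS format, with a `#Fields:` directive); the function names are hypothetical and every log line is constructed sample data.

```python
# Added example: flag anonymous WebDAV writes in W3C extended (IIS-style) logs.
# The log format is an assumption; every sample line below is constructed.
WRITE_METHODS = {"PUT", "MKCOL", "PROPPATCH", "MOVE", "COPY", "DELETE"}

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2024-01-15 18:40:11 OPTIONS / - 203.0.113.7 Microsoft-WebDAV-MiniRedir/10.0.17134 200
2024-01-15 18:40:12 PROPFIND / - 203.0.113.7 Microsoft-WebDAV-MiniRedir/10.0.17134 207
2024-01-15 18:41:03 PUT /test.html - 203.0.113.7 Microsoft-WebDAV-MiniRedir/10.0.17134 201
2024-01-15 18:41:30 GET /test.html - 203.0.113.7 Mozilla/5.0 200
2024-01-15 18:42:00 PUT /docs/a.txt editor1 198.51.100.9 Microsoft-WebDAV-MiniRedir/10.0.17134 201
2024-01-15 18:43:00 PUT /x.asp - 198.51.100.20 curl/7.58.0 401
2024-01-15 18:44:00 GET /index.html - 198.51.100.20 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_anonymous_writes(text):
    """Return (writes, fetched): successful unauthenticated WebDAV writes, and
    the written paths that were later requested with GET and served."""
    writes, written, fetched = [], set(), []
    for r in parse_w3c(text):
        ok = r["sc-status"].startswith("2")
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] in WRITE_METHODS and r["cs-username"] == "-" and ok:
            writes.append((r["c-ip"], r["cs-method"], r["cs-uri-stem"]))
            written.add(path)
        elif r["cs-method"] == "GET" and ok and path in written:
            fetched.append(r["cs-uri-stem"])
    return writes, fetched

if __name__ == "__main__":
    writes, fetched = find_anonymous_writes(SAMPLE_LOG)
    for ip, method, path in writes:
        print(f"ALERT anonymous {method} {path} from {ip}")
    for path in fetched:
        print(f"ALERT uploaded path later served: {path}")
```

A hit from this check means the WebDAV publishing directory accepts writes without credentials; the fix is to require authentication on it or disable WebDAV where it is not needed.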

Timeline

May 02 Reported the Issue

May 03 Initial Reply

May 07 Fixed and HOF approved for May 2018

Jun 02 Listed in HOF
