From Hunting for a Laptop to Hunting down Remote Code Execution

Hello guys, this is Anil back with another write-up on my bug hunting adventures. This time I helped out Asus. :)

It was another ordinary day that I came home from office and was chatting with my roommates, when one of my friends called up and told he wanted to buy a new laptop and needed some suggestions. So I went online and began hunting for laptops that met his requirements. I was reading about one of the Asus RoG models, when suddenly the Bug Hunter in me woke up and I asked myself why I shouldn’t Recon the Asus website.

So I began my recon of the website, and spent a whole night looking for a bug on their main domain and did not find anything…

The next day morning I went to my office, but my mind was still on the Asus bug hunt. That evening I got a notification on my mobile that there was an update for the Termux app. And suddenly my Bug Hunter senses tingled, and I thought, “Why don’t you run a sublister against asus.com on the mobile?”

I randomly selected one of Asus’ sub-domains, specifically http://stw.asus.com/ and was greeted by this page

After seeing this page I felt confident that they were running Microsoft server. It was 5.30 then, so I shutdown my PC and went back to home. Once there, I took my laptop and opened the website. Recalling that a few days prior one of my 1337 friend Rahul had told me about the WEBDAV REMOTE CODE EXECUTION Bug, I decided to check for it.

Aside, What is WEBDAV?

Web Distributed Authoring and Versioning ( WebDAV ) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by one of the Internet Engineering Task Force group

I began to check whether WebDAV was enabled. and tried to Add a network location from my laptop to the website

Now usually when I trying connecting to something that I don’t have access to, it always shows an irritating pop-up, like this one:

But when I tried it with http://stw.asus.com/ it proceeded to the next step:

Yes! It connected, and at that time I was like

I completed the addition of the network location, opened the folder, created a new file and saved it:

Then I opened that file in the web browser and saw this:

At that time I was like:

Following this, I made a PoC video and reported it to the Asus team.

Timeline

May 02 Reported the Issue

May 03 Initial Reply

May 07 Fixed and HOF approved for May 2018

Jun 02 Listed in HOF