asus rce 2

Hello folks! Today I want to talk about ASUS RCE vulnerability on rma.asus-europe.eu domain.

I was trying to fill out service apply form for my personal laptop. I had a screen issue.

I realised that there is an upload part to upload some warranty documents.

I was trying to bypass upload restrictions by editing request.

I couldnt figure it out but it happened very fast! Because interestingly, Asus didn’t implement serious restrictions on upload part. Most of the rules were on front end part which are easy to bypass.

Thanks to burp and our old null byte friend, I was able to bypass all upload restriction.

asus rce request 2

The next mission was to find upload directory. I need to say thanks to ASUS developers, they helped me a lot. The directory was /uploads which is very easy to predict.

Achievement unlocked! – ASUS RCE 

It is Microsoft-IIS 8.5, help me ASP!

I used a very basic asp rce script for Microsoft-IIS 8.5 and it worked like a charm!

asus rce 4

I did not want to go further and quickly sent an email to the security@asus.com but they didnt give a shit for a while.

After that they just fixed the issues and close it. There were no response to me.

I sent lots of mails about issue and they decided to add my name on HoF list.

But they didnt lol. I was need to create huge email traffic to do so.

ASUS acts very rude about security, I am not happy.

But finally, I’ve added HoF list by ASUS.