ASUS ROG BIOS Reset on Lost Battery Power

Update 1: My ASUS laptop is an ASUS ROG Zephyrus M GM501GS-EI027T. I’m using the latest BIOS version, 313 (the latest release, dated 08/30/2019).

Update 2: This issue was assigned CVE-2019-18216.

Update 3: The ASUS security team gave me a patch for the BIOS vulnerability I posted here, and the patch works: I can no longer reproduce the vulnerability using the technique described below. Thank you to the ASUS security team for the quick response to this vulnerability. Kudos!

A few months ago, I was traveling abroad and brought my superpower laptop, the ASUS ROG GM501GS. I don’t remember what the battery percentage was when I departed from Jakarta, but when I arrived at the destination the laptop had turned itself off.

Surprisingly, when I plugged in the charger and turned the laptop on, the BIOS configuration had been reset. I knew this because the ASUS logo boot chime played again when the laptop turned on (I had turned that off in the BIOS).

The laptop booted normally, then I restarted it to verify the BIOS configuration. It was indeed reset, presumably because the battery was empty. If the BIOS doesn’t use a separate battery, this makes the security configuration and BIOS protection useless: in the BIOS configuration we can prevent someone from booting from USB, protect the BIOS configuration with a password, require a password before the system boots, enable or disable the virtualization feature, and so on.

After coming back from abroad, I made time to reproduce the behavior; this is what I did:

  1. Make sure the battery is low, then enter the BIOS, make a change and save the configuration. The change can be anything. For example, I turn off the ASUS logo boot audio chime (this is just a marker for me): if the BIOS is reset, the chime will play again.
  2. Once configured, boot normally into the operating system.
  3. Use the laptop until it turns itself off; don’t do real work, because the system can go down at any time and your data would be lost.
  4. When the battery is completely discharged, plug in the charger, turn on the laptop and let it boot normally into the operating system.
  5. After the normal boot, unplug the charger and leave the laptop turned off until it runs out of battery. Make sure the operating system isn’t configured in a power saving mode that conserves the battery.
  6. After it dies for the second time, press the power button repeatedly to make sure the laptop cannot start.
  7. Wait for about 30 minutes, then plug the charger in again and immediately press the power button.
  8. At this point the keyboard will light up, the laptop will restart many times, and in the end the ASUS logo boot audio will chime. The chime indicates that the BIOS has been reset.
  9. If it didn’t work, repeat the steps above.

Earlier this week I contacted the ASUS security team and they responded that this was normal. Apparently the BIOS is powered from the same battery as the main battery, and they told me that this is a new design.

I argued with the ASUS team that, in my opinion, this is a vulnerability because the BIOS security configuration exists for security reasons. If this laptop is stolen (with the BIOS security configuration set), an attacker can easily access the hard disk by booting from USB, without needing to disassemble the laptop or remove the hard disk.

The ASUS security team accepted this and will improve the BIOS design in the future. Hopefully this can bring improvements to other laptop makers as well.

If there are friends and colleagues who use this ASUS ROG GM501GS, make sure that the laptop battery is always fully charged. Do not travel with this laptop if the battery is low.

For companies, it’s best to use laptops whose BIOS battery is separate from the main battery, so the security configuration in the BIOS is not lost. Full-disk encryption also keeps the data on the disk protected even if the firmware settings are reset, so it should be used regardless.
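The boot chime was the only indicator of a reset above. As an added example (not code from the original post), this PowerShell script records the firmware state that Windows can see on a known-good boot and warns when it drifts on later boots. It assumes the baseline file path, and that Secure Boot was enabled when the baseline was taken; vendor-specific settings such as USB boot or the BIOS password are not visible from Windows at all, so a clean result here is not proof that they survived.

```powershell
# Added example: detect firmware-state drift between boots (not from the post).
# Windows exposes only a few firmware facts; this compares Secure Boot state and
# the SMBIOS version/date against a saved baseline. Baseline path is an assumption.
$BaselinePath = "$env:ProgramData\FirmwareBaseline.json"

function Get-FirmwareSnapshot {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    try {
        # Confirm-SecureBootUEFI needs an elevated prompt and throws on legacy BIOS.
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = 'unavailable'
    }
    [pscustomobject]@{
        BiosVersion = $bios.SMBIOSBIOSVersion
        BiosDate    = $bios.ReleaseDate.ToString('yyyy-MM-dd')
        SecureBoot  = "$secureBoot"
    }
}

function Compare-FirmwareSnapshot {
    param($Baseline, $Current)
    $drift = @()
    foreach ($prop in 'BiosVersion', 'BiosDate', 'SecureBoot') {
        if ("$($Baseline.$prop)" -ne "$($Current.$prop)") {
            $drift += "$prop changed: '$($Baseline.$prop)' -> '$($Current.$prop)'"
        }
    }
    return $drift
}

$current = Get-FirmwareSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good machine: store the baseline.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline recorded at $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-FirmwareSnapshot -Baseline $baseline -Current $current
    if ($drift.Count -eq 0) {
        Write-Output 'Firmware state matches baseline'
    } else {
        # Secure Boot flipping from True to False is the signature of a settings reset.
        Write-Warning "Possible firmware settings reset:`n$($drift -join "`n")"
        exit 1
    }
}
```

Run it once from an elevated prompt on a healthy machine to create the baseline, then schedule it at logon so a reset is noticed before the laptop travels again.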

Picture taken from https://www.cnet.com/reviews/asus-rog-zephyrus-m-gm501-review/

PC Media Antivirus Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an antivirus made by the well-known Indonesian computer magazine PCMedia. PCMAV became quite popular in 2006, when many virus writers in Indonesia were actively spreading viruses that infected most computers in the country. At that time some people started to release special antivirus products to detect Indonesian computer viruses, the most popular being SmadAV, PC Media Antivirus (PCMAV), and AnsAV (edit: can’t find any official links).

Until now, PCMAV is still a popular antivirus on many computers in Indonesia. It is usually installed alongside another popular free antivirus such as Avast, AVG, or Avira Antivir. In some companies, PCMAV is also the mainstay for detecting viruses made in Indonesia.

An antivirus is an endpoint protection meant to detect malicious programs coming from outside the computer, so it should be built with good protection and a well-designed flow, and it should not itself be vulnerable and exploitable.

Proof-of-concept exploits against antivirus products have been researched for several years. Some well-known antivirus products do not survive this and suffer from exploitation, which puts computer users at risk.

This time, Spentera brought the PCMAV antivirus into our garage to be tested. As a result, we found that PCMAV suffers from an Insecure Library Loading vulnerability, also known as DLL Hijacking. It works like a common DLL Hijacking case: an attacker can “introduce” his/her own DLL to be loaded by the vulnerable software. But in this case it becomes more interesting. Since PCMAV is made as a portable program, users can run PCMAV without installing it, which is of course meant to make it easier for users.

This makes the DLL Hijacking vulnerability in PCMAV more dangerous. Since the attacker can “introduce” his/her .dll, PCMAV will automatically load the DLL without confirmation. So hey, what is the problem?! I can’t get it. Well, let’s say you create your own DLL that executes a backdoor, listening on a port and serving you a command prompt later. Very dangerous, isn’t it?!

To be clearer, let us see how this DLL Hijacking works on PCMAV.

We can download the latest PCMAV from their website (at the time of writing, this link works and that was the current version): http://virusindonesia.com/2012/11/23/pc-media-112012-pcmav-8-4-raptor/. Now, if we analyze it using Process Monitor, PCMAV loads several DLLs, but one of them is interesting.

The svrapi.dll is loaded by PCMAV itself. svrapi.dll is the Microsoft Common Server API Library, a system component that the program needs in order to work properly. Because PCMAV looks for it, we can also introduce our own (malicious) svrapi.dll.

Metasploit can generate a malicious DLL; here is the way to create a DLL that spawns a reverse shell to our machine.

Once created, we simply put this malicious svrapi.dll into PCMAV’s root directory, the same path as the executable (PCMAV.EXE). With our preparation complete, we set up our meterpreter listener on our machine.
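The whole attack rests on an unsigned DLL sitting beside PCMAV.EXE. As an added example (not code from the original post or from PCMAV), this PowerShell script lists every DLL in a portable application's folder, reports its Authenticode signature status, and notes whether a same-named DLL exists in System32, so a dropped svrapi.dll stands out before the program is run. The folder path is an assumption.

```powershell
# Added example: audit a portable app's folder for side-loadable DLLs (not from the post).
# Any DLL next to the executable is loaded in preference to, or in place of, a system
# copy, so each one is checked for a trusted signature. The default path is an assumption.
param([string]$AppDir = 'D:\PCMAV')

function Get-SideloadCandidates {
    param([string]$Directory)
    $system32 = Join-Path $env:SystemRoot 'System32'
    $results = @()
    foreach ($dll in Get-ChildItem -Path $Directory -Filter '*.dll' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $results += [pscustomobject]@{
            Dll        = $dll.Name
            # True: shadows a system DLL. False: fills a name Windows does not ship,
            # so the app's folder is the only place the loader will find it.
            InSystem32 = Test-Path (Join-Path $system32 $dll.Name)
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            Modified   = $dll.LastWriteTime
            Suspicious = ($sig.Status -ne 'Valid')
        }
    }
    return $results
}

$candidates = Get-SideloadCandidates -Directory $AppDir
if (-not $candidates) {
    Write-Output "No DLLs found in $AppDir."
} else {
    $candidates | Format-Table -AutoSize
    $bad = @($candidates | Where-Object { $_.Suspicious })
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} DLL(s) in {1} are unsigned or untrusted; compare them with the vendor download before running the program." -f $bad.Count, $AppDir)
        exit 1
    }
}
```

A signed vendor binary next to an unsigned DLL with a fresh modification time is exactly the picture this story produces; Process Monitor, as used above, confirms which of those DLLs the executable actually loads.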

Our friend Tom was asking for a good antivirus to detect Ramnit. We put Tom to the test: we gave him our modified PCMAV, with our DLL in the root directory. When the package was delivered to our good friend Tom, he should have been happy, because he would get his computer cleaned with the PCMAV antivirus. But unfortunately we changed the story: Tom executed PCMAV.EXE, soon our svrapi.dll got loaded, and not long after, our meterpreter handler received a connection.

We got our shell, and Tom is happy because PCMAV is still scanning his system properly.

Moral of the story: DO NOT trust any files that come from external removable media, even from a trusted friend. Download them from the original source (if any).

Note: Tom still doesn’t know about this... psst...