Experts found several flaws in Acer and ASUS software preinstalled on most of their PCs that could lead to privilege escalation and arbitrary code execution.

SafeBreach experts discovered several vulnerabilities in Acer and ASUS software that comes pre-installed on most PCs from these vendors. The flaws could be exploited by attackers for privilege escalation and to execute arbitrary payloads.

The first vulnerability, tracked as CVE-2019-18670, affects the Acer Quick Access, an application that makes it fast and easy to adjust the most often used settings. Acer Quick Access provides options to quickly toggle individual wireless devices on or off, change power-off USB charge settings, modify network sharing options, and much more.

Experts discovered that some component of the software runs as “NT AUTHORITY\SYSTEM” and attempt to load three missing DLL files. An attacker with administrator privileges can carry out a DLL hijacking by planting malicious versions of the missing DLLs to get them executed with higher permissions.

“This vulnerability can be used in order to achieve persistence, defense evasion and in some cases privilege escalation by loading an arbitrary unsigned DLL into a service that runs as SYSTEM.” reads the post published by SafeBreach.

“After the Acer Quick Access service started, it executed QAAdminAgent.exe as NT AUTHORITY\SYSTEM. Once the library was loaded, we noticed the service tried to look for 3 missing DLL files in order to load it:”

An attacker could exploit the vulnerability to load and execute malicious payloads using a signed service, it could also achieve persistence because the malicious code would be executed every time the service is executed.

The experts reported the issue to Acer in September 2019, the company addressed it with the release of Acer Quick Access versions 2.01.3028 and 3.00.3009 on October 7th and published an advisory on December 17th.

The second issue, tracked as CVE-2019-19235, affects the ASUS ATK Package and can be exploited by attackers in the post-compromise phase of an attack, to achieve persistence and evade detection,

“ SafeBreach Labs discovered a new vulnerability in the ASUS ATK Package which is pre-installed on ASUS computers.” reads the advisory published by SafeBreach. “We then demonstrate how this vulnerability could have been exploited by an attacker during a post-exploitation phase, in order to achieve persistence and in some cases defense evasion. The exploitation technique involves implanting an arbitrary unsigned executable which is executed by a signed service that runs as NT AUTHORITY\SYSTEM.”

The researchers discovered that it is possible to launch a DLL hijacking attack because the application’s ASLDR Service (AsLdrSrv.exe) attempts to locate missing EXE files before loading the required executable.

Experts pointed out that the ASLDR Service is a signed process that runs at system startup with SYSTEM privileges, an attacker could exploit the issue to run and execute an unsigned executable in the context of the privileged process. The exploitation of the issue could allow attackers to evade detection and to gain persistence.

The CVE-2019-19235 vulnerability was addressed in November with the release of ATK Package 1.0.0061.

Pierluigi Paganini