Vulnerabilities

Privilege Escalation Flaws Found in Preinstalled Acer, ASUS Software

Vulnerabilities discovered in Acer and ASUS software preinstalled on most PCs from these companies could lead to privilege escalation and the execution of arbitrary payloads, SafeBreach warns.

Ionut Arghire

December 18, 2019

Vulnerabilities discovered in Acer and ASUS software preinstalled on most PCs from these companies could lead to privilege escalation and the execution of arbitrary payloads, SafeBreach warns.

The first bug impacts Acer Quick Access, an application that allows users to toggle wireless devices on or off, to modify power-off USB charge settings and network sharing options, and more.

The issue, SafeBreach explains, is that part of the software runs with SYSTEM privileges, and it unsafely attempts to load three missing DLL files. An attacker with administrator privileges can plant malicious versions of these missing files and they would get executed with elevated permissions.

By exploiting this security hole, attackers can load and execute malicious payloads using a signed service, and can also achieve persistence — the payload would run every time the service is executed.

Reported to Acer in September 2019 and tracked as CVE-2019-18670, the vulnerability was addressed in Acer Quick Access versions 2.01.3028 and 3.00.3009.

The second flaw impacts ASUS ATK Package and can be exploited during the post-compromise phase of an attack, to achieve persistence and evade detection, SafeBreach says.

The researchers discovered that the application’s ASLDR Service (AsLdrSrv.exe), a signed process that runs at system startup with SYSTEM privileges, attempts to locate missing EXE files before loading the required executable.

Thus, an attacker could abuse the weakness to load and run an unsigned executable in the context of the privileged process. This could lead to defense evasion and persistence, as the payload would be run every time the service starts.

Tracked as CVE-2019-19235, the vulnerability was found to impact ASUS ATK Package 1.0.0060 and all prior versions, and was addressed in November with the release of ATK Package 1.0.0061.

Written By Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.

Latest News

Click to comment

Dealing With the Carcinization of Security

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Marc Solomon

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Derek Manky

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George