Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Privilege Escalation Flaws Found in Preinstalled Acer, ASUS Software

Vulnerabilities discovered in Acer and ASUS software preinstalled on most PCs from these companies could lead to privilege escalation and the execution of arbitrary payloads, SafeBreach warns.

Vulnerabilities discovered in Acer and ASUS software preinstalled on most PCs from these companies could lead to privilege escalation and the execution of arbitrary payloads, SafeBreach warns.

The first bug impacts Acer Quick Access, an application that allows users to toggle wireless devices on or off, to modify power-off USB charge settings and network sharing options, and more.

The issue, SafeBreach explains, is that part of the software runs with SYSTEM privileges, and it unsafely attempts to load three missing DLL files. An attacker with administrator privileges can plant malicious versions of these missing files and they would get executed with elevated permissions.

By exploiting this security hole, attackers can load and execute malicious payloads using a signed service, and can also achieve persistence — the payload would run every time the service is executed.

Reported to Acer in September 2019 and tracked as CVE-2019-18670, the vulnerability was addressed in Acer Quick Access versions 2.01.3028 and 3.00.3009.

The second flaw impacts ASUS ATK Package and can be exploited during the post-compromise phase of an attack, to achieve persistence and evade detection, SafeBreach says.

The researchers discovered that the application’s ASLDR Service (AsLdrSrv.exe), a signed process that runs at system startup with SYSTEM privileges, attempts to locate missing EXE files before loading the required executable.

Thus, an attacker could abuse the weakness to load and run an unsigned executable in the context of the privileged process. This could lead to defense evasion and persistence, as the payload would be run every time the service starts.

Tracked as CVE-2019-19235, the vulnerability was found to impact ASUS ATK Package 1.0.0060 and all prior versions, and was addressed in November with the release of ATK Package 1.0.0061.

Related: Intel Patches Privilege Escalation Flaw in Rapid Storage Technology

Related: Flaw in HP Touchpoint Analytics Could Impact Many PCs

Related: Vulnerability Patched in Forcepoint VPN Client for Windows

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.