Vulnerabilities discovered in Acer and ASUS software preinstalled on most PCs from these companies could lead to privilege escalation and the execution of arbitrary payloads, SafeBreach warns.
The first bug impacts Acer Quick Access, an application that allows users to toggle wireless devices on or off, to modify power-off USB charge settings and network sharing options, and more.
The issue, SafeBreach explains, is that part of the software runs with SYSTEM privileges, and it unsafely attempts to load three missing DLL files. An attacker with administrator privileges can plant malicious versions of these missing files and they would get executed with elevated permissions.
By exploiting this security hole, attackers can load and execute malicious payloads using a signed service, and can also achieve persistence — the payload would run every time the service is executed.
Reported to Acer in September 2019 and tracked as CVE-2019-18670, the vulnerability was addressed in Acer Quick Access versions 2.01.3028 and 3.00.3009.
The second flaw impacts ASUS ATK Package and can be exploited during the post-compromise phase of an attack, to achieve persistence and evade detection, SafeBreach says.
The researchers discovered that the application’s ASLDR Service (AsLdrSrv.exe), a signed process that runs at system startup with SYSTEM privileges, attempts to locate missing EXE files before loading the required executable.
Thus, an attacker could abuse the weakness to load and run an unsigned executable in the context of the privileged process. This could lead to defense evasion and persistence, as the payload would be run every time the service starts.
Tracked as CVE-2019-19235, the vulnerability was found to impact ASUS ATK Package 1.0.0060 and all prior versions, and was addressed in November with the release of ATK Package 1.0.0061.
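To check machines against the fixed versions named above, the following added example (not code from SafeBreach, Acer or ASUS) triages a software inventory. The product names used as keys, the sample inventory, and the reading that each Acer fix applies to its own major-version branch are assumptions.

```python
# Added example: compare installed versions with the fixed versions in the article.
# Assumption: the inventory reports products under these names (keys are lowercased).
FIXED = {
    # CVE-2019-18670: two fixed releases, assumed to be one per major branch (2.x, 3.x)
    "acer quick access": ("CVE-2019-18670", [(2, 1, 3028), (3, 0, 3009)]),
    # CVE-2019-19235: 1.0.0060 and all prior versions affected, fixed in 1.0.0061
    "asus atk package": ("CVE-2019-19235", [(1, 0, 61)]),
}

def parse_version(text):
    """'2.01.3028' -> (2, 1, 3028); zero-padded parts are compared numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(product, version):
    """Return 'patched', 'vulnerable', 'unknown' or 'not-tracked'."""
    entry = FIXED.get(product.strip().lower())
    if entry is None:
        return "not-tracked"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"          # missing or malformed version: needs manual review
    fixes = entry[1]
    if len(fixes) == 1:
        fixed = fixes[0]          # single fix: every earlier version is affected
    else:
        # several fixes: pick the one for the installed major branch, if any
        fixed = next((f for f in fixes if f[0] == installed[0]), None)
    if fixed is None:
        return "unknown"          # branch the article does not mention
    return "patched" if installed >= fixed else "vulnerable"

def vulnerable_hosts(inventory):
    """inventory: iterable of (host, product, version) -> [(host, cve), ...]."""
    return [(host, FIXED[product.strip().lower()][0])
            for host, product, version in inventory
            if assess(product, version) == "vulnerable"]

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE_INVENTORY = [
    ("pc-01", "Acer Quick Access", "2.01.3012"),
    ("pc-02", "Acer Quick Access", "3.00.3009"),
    ("pc-03", "ASUS ATK Package", "1.0.0060"),
    ("pc-04", "ASUS ATK Package", "1.0.0061"),
    ("pc-05", "Acer Quick Access", ""),
]

if __name__ == "__main__":
    for host, cve in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required ({cve})")
```

Hosts that come back as `unknown` (here `pc-05`) should be reviewed by hand rather than treated as patched.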