Lately, three well-known players in the computer industry have been in trouble over vulnerabilities that SafeBreach discovered in their Windows applications.
The trio, Intel, ASUS and Acer, ship these applications pre-installed, so every owner of an affected machine is exposed, not just the subset of users who chose to download a particular program, as is the case with ordinary software.
First, Acer's Quick Access program was found to be vulnerable to DLL hijacking, through which an attacker could obtain SYSTEM rights and run malicious files.
The flaw is caused by a lack of digital signature validation combined with an uncontrolled search path. This is a departure from the traditional approach of tricking the user into running such files: here an attacker who is already on the machine can plant the file and let the service load it, which makes the process easier.
Furthermore, the attacker's code runs as NT AUTHORITY\SYSTEM, the most powerful account in Windows in terms of privileges. The bug affects versions 2.01.3000 to 2.01.3027 and 3.00.3000 to 3.00.3008 of the Quick Access app.
Versions 2.01.3028 and 3.00.3009 are patched. If you are an Acer user, check the app's version through the Windows "Uninstall a program" (Programs and Features) panel and update if it is older than those releases.
Turning to Intel, the best known of the three thanks to its processors, its Rapid Storage Technology software has also been found vulnerable.
As in Acer's case, this is a DLL loading vulnerability; the only difference is that administrator privileges are required to reach SYSTEM rights, so it is an escalation from administrator to SYSTEM rather than from an ordinary user. Users are advised to install any pending Intel updates, as the firm released a patch on December 10.
SafeBreach further elaborates by stating how "this vulnerability could have been exploited by an attacker during the post-exploitation phase, in order to achieve persistence and in some cases defense evasion." Only version 1.0.0060 and those preceding it are affected, so users who have kept their software up to date are safe.
In conclusion, if you have one of the three pieces of software mentioned above, update it and you will be safe.
For these companies it has mostly been, and again is, a question of how thoroughly they security-test the software they pre-install before shipping it. It is also wise to remember that no matter how much testing is done, flaws will always remain; no code is 100% secure.
Acer Quick Access
Acer Quick Access is software that comes preinstalled on most Acer PCs.
It allows the user to toggle individual wireless devices on or off, change power-off USB charge settings, modify network sharing options, and much more.
Part of the software runs as a service that is executed as "NT AUTHORITY\SYSTEM," which gives it very powerful permissions.
In our initial exploration, we targeted the Acer Quick Access service on the assumption that such a critical service would have high-permission-level access to the PC hardware and could therefore serve as a vector for privilege escalation.
After the Acer Quick Access service started, it executed QAAdminAgent.exe as NT AUTHORITY\SYSTEM.
Once the program was loaded, we noticed that the service tried to locate three DLL files that were missing from the directories searched first, in order to load them:
Note: We filtered the irrelevant events from the above screenshot.
As you can see, the service was trying to load three missing DLL files, which were eventually found and loaded from the c:\python27 directory, one of the directories in our PATH environment variable:
Demonstrating a DLL Hijacking Vulnerability
On our VM, c:\python27 has an ACL that allows any authenticated user to write files into the directory. This makes the privilege escalation simple: a regular user can write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.
It is important to note that this requires prior action by an administrative user or process, which must have (1) set the directory ACLs to allow write access to non-admin user accounts, and (2) added that directory to the system's PATH variable. On a default installation neither condition holds.
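That precondition is something a defender can check for directly. The PowerShell below is an added example, not code from the SafeBreach write-up: it walks every directory on the machine-wide PATH and reports those whose ACL grants write access to low-privilege principals (Everyone, Authenticated Users, BUILTIN\Users), which is exactly the state c:\python27 was in on the test VM. It also flags PATH entries that do not exist, since a missing directory can be recreated by whoever can write to its parent. The function name and the list of principals it treats as low-privilege are this example's own choices.

```powershell
# Added example: find directories on the machine PATH that a low-privilege user can
# write to, i.e. locations from which a SYSTEM service using LoadLibraryW could be
# made to load a planted DLL. Function name and principal list are this example's own.
function Find-WritablePathDirectory {
    # Well-known SIDs for principals that every local user is a member of.
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545'  # BUILTIN\Users
    )
    # WriteData (CreateFiles) is bit 0x2 and is part of Write, Modify and FullControl.
    # Get-Acl reports unmapped generic rights numerically, so also test GENERIC_WRITE
    # (0x40000000) and GENERIC_ALL (0x10000000).
    $writeBits = 0x2 -bor 0x40000000 -bor 0x10000000

    $entries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A dangling PATH entry is hijackable by anyone who can create it.
            [pscustomobject]@{ Directory = $dir; Principal = $null; Rights = $null; Finding = 'missing' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $null
            try {
                $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # unresolvable identity (orphaned SID); not one of ours
            }
            if ($lowPrivSids -notcontains $sid) { continue }
            if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Finding   = 'writable'
            }
        }
    }
}

Find-WritablePathDirectory | Format-Table -AutoSize
```

Run it from an unelevated session. It deliberately ignores rules granted to Administrators, and it reads the allow rules only rather than computing effective access (deny rules and inherited permissions are not reconciled), so confirm a reported directory by actually attempting a file write as a standard user before treating it as a finding.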
To test this privilege escalation, we compiled an unsigned DLL that records the following in the file name of a .txt file it creates:
- The username which executed it
- The name of the DLL file
We were able to load three arbitrary DLLs and execute our code as NT AUTHORITY\SYSTEM.
Note: if an "atiadlxx.dll" file already exists, the service will not go on to load "atiadlxy.dll".
Root Cause Analysis
Once the Acer Quick Access service (QAAdminAgent.exe) is started, it tries to load three DLL files by calling the LoadLibraryW WinAPI function:
As we can see in the screenshots, there are two root causes for the vulnerability:
- Uncontrolled search path: the DLLs are not loaded safely. The service loads them with LoadLibraryW by file name only, which follows the default DLL search order and ends with the directories listed in PATH, instead of supplying a full path or using LoadLibraryExW with a search-path flag such as LOAD_LIBRARY_SEARCH_SYSTEM32, which restricts where the loader may look.
- No digital signature validation of the binary (for example, by calling WinVerifyTrust). The program does not check whether the DLL it is loading is signed, so it will load an arbitrary unsigned DLL.
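The two root causes also describe what a detection looks like from the other side. The PowerShell below is an added example, not part of the SafeBreach write-up: it inspects the modules loaded by a running process (QAAdminAgent.exe in the Acer case), flags any that live outside the System32, SysWOW64 and WinSxS directories or the process's own directory, and runs Get-AuthenticodeSignature on every module so that an unsigned DLL pulled in from a PATH directory such as c:\python27 stands out. The function name and the set of directories it treats as trusted are this example's own choices; reading the module list of a SYSTEM process requires an elevated PowerShell session.

```powershell
# Added example: list modules a process has loaded from outside the locations a
# well-behaved service should load from, together with their Authenticode status.
# Function name and the trusted-directory list are this example's own choices.
function Get-SuspiciousLoadedModule {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ProcessName
    )
    $systemDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64'),
        (Join-Path $env:SystemRoot 'WinSxS')
    )
    # Reading Path/Modules of a SYSTEM process needs elevation; -ErrorAction Stop surfaces that.
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # The application's own directory is searched before PATH and is a legitimate source.
        $trusted = $systemDirs + (Split-Path -Parent $proc.Path)
        foreach ($module in $proc.Modules) {
            $moduleDir = Split-Path -Parent $module.FileName
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($moduleDir.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                    break
                }
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $module.FileName
            # Anything that is both in an expected location and validly signed is uninteresting.
            if ($inTrusted -and $sig.Status -eq 'Valid') { continue }
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Process   = $proc.ProcessName
                Pid       = $proc.Id
                Module    = $module.FileName
                Signature = $sig.Status   # NotSigned for the planted DLL in this write-up
                Signer    = $signer
            }
        }
    }
}

Get-SuspiciousLoadedModule -ProcessName 'QAAdminAgent' | Format-Table -AutoSize
```

A Valid status only proves that some publisher signed the file. For a stricter policy, compare the Signer column against the publisher you expect for the service, since an attacker can sign a malicious DLL with any code-signing certificate they control.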
Potential Malicious Uses and Impact
Acer Quick Access is preinstalled on most Acer devices running Windows.
Below we show three possible ways that an attacker can leverage the vulnerability we discovered and documented above.
Signed Execution, Whitelisting Bypass, Defense Evasion
The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. An attacker might abuse this, for example, to bypass application whitelisting for purposes such as execution and evasion.
Persistence Mechanism
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. Once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.
Privilege Escalation
The service provides the attacker with the ability to operate as NT AUTHORITY\SYSTEM, the most powerful user in Windows.
Affected Products and Versions
- Acer Quick Access v2.01.3000 – v2.01.3027
- Acer Quick Access v3.00.3000 – v3.00.3008
Patched versions: v2.01.3028 and v3.00.3009
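The manual check recommended earlier (look up the version in the "Uninstall a program" panel) reads the same registry data that the following PowerShell reads. This is an added example, not code from Acer or SafeBreach: it finds the Acer Quick Access entry under the Windows Uninstall keys, parses its DisplayVersion, and classifies it against the affected ranges and patched releases listed above. The function name and the status labels are this example's own; the version numbers are the published ones.

```powershell
# Added example: classify an installed Acer Quick Access version against the published
# affected ranges and patched releases by reading the Windows Uninstall registry keys.
# Function name and status labels are this example's own; version numbers are Acer's.
function Get-AcerQuickAccessStatus {
    $branches = @(
        @{ Min = [version]'2.01.3000'; Max = [version]'2.01.3027'; Fixed = [version]'2.01.3028' },
        @{ Min = [version]'3.00.3000'; Max = [version]'3.00.3008'; Fixed = [version]'3.00.3009' }
    )
    # Both hives: a 32-bit installer on 64-bit Windows registers under WOW6432Node.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Acer Quick Access*' }

    if (-not $entries) {
        return [pscustomobject]@{ DisplayName = 'Acer Quick Access'; Version = $null; Status = 'not installed' }
    }
    foreach ($entry in $entries) {
        $v = $null
        if (-not [version]::TryParse([string]$entry.DisplayVersion, [ref]$v)) {
            [pscustomobject]@{ DisplayName = $entry.DisplayName; Version = $entry.DisplayVersion; Status = 'unparseable version' }
            continue
        }
        $status = 'outside published ranges; confirm with Acer'
        foreach ($b in $branches) {
            # Only compare within the same major.minor branch (2.01.x or 3.00.x).
            if ($v.Major -ne $b.Min.Major -or $v.Minor -ne $b.Min.Minor) { continue }
            if ($v -ge $b.Min -and $v -le $b.Max) { $status = 'AFFECTED: update required' }
            elseif ($v -ge $b.Fixed) { $status = 'patched' }
            break
        }
        [pscustomobject]@{ DisplayName = $entry.DisplayName; Version = $v; Status = $status }
    }
}

Get-AcerQuickAccessStatus | Format-Table -AutoSize
```

Note that [version] parses "2.01.3000" as 2.1.3000, which is why the comparison is done on Version objects rather than on the display strings.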
Disclosure Timeline
Sep 24th, 2019 – Vulnerability reported to Acer
Sep 24th, 2019 – Initial response from Acer
Sep 26th, 2019 – Status update from Acer
Oct 1st, 2019 – Acer confirmed the vulnerability
Oct 16th, 2019 – Status update from Acer
Oct 17th, 2019 – Status update from Acer
Oct 28th, 2019 – Acer provided affected products and versions, and said that they are going to issue a CVE.
Dec 3rd, 2019 – Acer issued CVE-2019-18670, informed us that they had deployed a fix on October 7th, and said that they would publish an advisory on December 17th.
Dec 17th, 2019 – Acer published a security advisory.