SafeBreach has discovered vulnerabilities in software preinstalled on Acer and Asus laptops and computers which could be exploited by hackers to execute malicious payloads with elevated permissions using a signed service.
The first flaw affects Acer Quick Access, a preinstalled application that has system-level privileges. Acer Quick Access allows users to modify USB charge settings, toggle wireless devices on and off, and change network sharing options and other settings. Vulnerable versions are Acer Quick Access v2.01.3000 – v2.01.3027 and v3.00.3000 – v3.00.3008.
Acer Quick Access tries to load three missing DLLs when run. If an attacker has Admin-level privileges, they could load malicious versions of the DLLs which would be executed with elevated permissions. It would also be possible to ensure that those malicious files are executed every time the Acer Quick Access service is run.
The vulnerability has been assigned CVE-2019-18670 and has been fixed in Acer Quick Access versions 2.01.3028 and 3.00.3009.
SafeBreach has also discovered a vulnerability in preinstalled Asus software. This flaw can only be exploited post-compromise, so the potential for exploitation is limited. The flaw is present in the ASUS ATK Package, which is used to install ASUS drivers and software.
The ASLDR Service used by the application – AsLdrSrv.exe – runs on start-up with system privileges and similarly attempts to execute missing executable files before executing the correct file. An attacker could therefore load malicious versions of the missing files which would be run in the context of the current user when the system is started.
The flaw – CVE-2019-19235 – is present in versions 1.0.0060 and earlier and has been fixed in the 1.0.0061 release.
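A defensive audit for the behaviour described for both services, added here as an example and not taken from SafeBreach, Acer or ASUS: it scans a Process Monitor CSV export for DLL/EXE opens that a watched service failed to resolve, so the probed directories can be reviewed for write permissions. The log rows, directories, file names and `ExampleAcerSvc.exe` are constructed placeholders; only `AsLdrSrv.exe` comes from the article.

```python
import csv
import io
import ntpath

# Constructed Process Monitor CSV export (default column set). The directories,
# file names and "ExampleAcerSvc.exe" are placeholders, not values from the advisories.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:00:01.001","AsLdrSrv.exe","1204","CreateFile","C:\ExampleDirA\helper.exe","NAME NOT FOUND",""
"09:00:01.002","AsLdrSrv.exe","1204","CreateFile","C:\ExampleDirB\helper.exe","NAME NOT FOUND",""
"09:00:01.003","AsLdrSrv.exe","1204","CreateFile","C:\ExampleInstall\helper.exe","SUCCESS",""
"09:00:02.001","ExampleAcerSvc.exe","2210","CreateFile","C:\ExampleDirA\missing1.dll","NAME NOT FOUND",""
"09:00:02.002","ExampleAcerSvc.exe","2210","CreateFile","C:\ExampleInstall\settings.ini","NAME NOT FOUND",""
"09:00:03.001","notepad.exe","3300","CreateFile","C:\ExampleDirA\other.dll","NAME NOT FOUND",""
'''

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}
BINARY_EXT = (".dll", ".exe")


def audit_missing_binaries(csv_text, watched):
    """Return one finding per (process, file name) that a watched process failed to open.

    'missed' lists the probed paths whose directories need a write-permission review;
    'resolved' is the path that later opened successfully, or None if never found.
    """
    watched = {name.lower() for name in watched}
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, path = row["Process Name"], row["Path"]
        if proc.lower() not in watched or row["Operation"] != "CreateFile":
            continue
        if not path.lower().endswith(BINARY_EXT):
            continue  # only executable content matters for this audit
        key = (proc, ntpath.basename(path).lower())
        if row["Result"] in MISSING:
            entry = findings.setdefault(
                key, {"process": proc, "file": key[1], "missed": [], "resolved": None})
            entry["missed"].append(path)
        elif row["Result"] == "SUCCESS" and key in findings:
            findings[key]["resolved"] = path  # lookup fell through to the real file
    return list(findings.values())


if __name__ == "__main__":
    for f in audit_missing_binaries(SAMPLE_CSV, ["AsLdrSrv.exe", "ExampleAcerSvc.exe"]):
        print(f["process"], f["file"], f["missed"], "->", f["resolved"])
```

A finding with an empty result after updating to the fixed versions named above confirms the service no longer probes for the missing files.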