The first vulnerability, tracked as CVE-2019-18670, affects the Acer Quick Access, an application that makes it fast and easy to adjust the most often used settings. Acer Quick Access provides options to quickly toggle individual wireless devices on or off, change power-off USB charge settings, modify network sharing options, and much more.
Experts discovered that some component of the software runs as “NT AUTHORITY\SYSTEM” and attempt to load three missing DLL files. An attacker with administrator privileges can carry out a DLL hijacking by planting malicious versions of the missing DLLs to get them executed with higher permissions.
“This vulnerability can be used in order to achieve persistence, defense evasion and in some cases privilege escalation by loading an arbitrary unsigned DLL into a service that runs as SYSTEM.” reads the post published by SafeBreach.
“After the Acer Quick Access service started, it executed QAAdminAgent.exe as NT AUTHORITY\SYSTEM. Once the library was loaded, we noticed the service tried to look for 3 missing DLL files in order to load it:”
An attacker could exploit the vulnerability to load and execute malicious payloads using a signed service, it could also achieve persistence because the malicious code would be executed every time the service is executed.
The experts reported the issue to Acer in September 2019, the company addressed it with the release of Acer Quick Access versions 2.01.3028 and 3.00.3009 on October 7th and published an advisory on December 17th.
The second issue, tracked as CVE-2019-19235, affects the ASUS ATK Package and can be exploited by attackers in the post-compromise phase of an attack, to achieve persistence and evade detection,
The researchers discovered that it is possible to launch a DLL hijacking attack because the application’s ASLDR Service (AsLdrSrv.exe) attempts to locate missing EXE files before loading the required executable.
Experts pointed out that the ASLDR Service is a signed process that runs at system startup with SYSTEM privileges, an attacker could exploit the issue to run and execute an unsigned executable in the context of the privileged process. The exploitation of the issue could allow attackers to evade detection and to gain persistence.
The CVE-2019-19235 vulnerability was addressed in November with the release of ATK Package 1.0.0061.