Security researchers have disclosed two separate vulnerabilities affecting Acer Quick Access software and the Asus ATK Package, both of which are pre-installed on the respective manufacturers' machines.
Acer shipped 4.2 million units in Q3 2019, while Asus shipped 3.8 million in the same timeframe, representing 11.8 percent of the entire global PC market, according to Gartner.
"The vulnerabilities which we found in ASUS and Acer provide an attacker the ability to execute a malicious on behalf of these companies’ signed and trusted binaries, which can lead to bypass certain AVs as the AV thinks the malicious operations are performed by ASUS or Acer. In Acer’s case, there is also a chance that an attacker can gain privilege escalation (getting high privileges as a normal user)", said Peleg Hadar, Security Researcher, SafeBreach Labs.
The vulnerability in the ASUS ATK Package (CVE-2019-19235) centres on the "ASLDR Service" (AsLdrSrv.exe), the executable for which is signed by ‘ASUSTek Computer Inc.’ The exploitation technique involves implanting an arbitrary unsigned executable which is executed by the signed service that runs as NT AUTHORITY\SYSTEM (the most privileged user account).
"If the attacker finds a way for a malicious payload to be executed by AsLdrSrv.exe, the service can be used as an application whitelisting bypass", noted the SafeBreach researchers. In addition, the service automatically starts once the computer boots, which makes it a potential target for an attacker to be used as a persistence mechanism.
The vulnerability was reported to Asus on 2 September and confirmed by Asus on 5 September; a new driver was released on 7 October and a patched version on 21 October. Affected versions are ATK Package version 1.0.0060 and all prior versions.
The Acer Quick Access software vulnerability (CVE-2019-18670) could potentially be used in order to achieve persistence, defence evasion and in some cases privilege escalation. The preinstalled software allows the user to toggle individual wireless devices on or off, change power-off USB charge settings, modify network sharing options, and a variety of other tasks. However, part of the software runs as a service which is executed as "NT AUTHORITY\SYSTEM," which gives it very powerful permissions.
The researchers were able to use DLL hijacking to load an arbitrary unsigned DLL into the system, as the Quick Access software tries to load 3 DLL files on startup by calling the LoadLibraryW WinAPI function instead of the safer LoadLibraryExW, and does not verify whether the DLLs are signed.
"The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion", explained the researchers.
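The weakness described above is a signed SYSTEM service loading DLLs it never verifies. The following PowerShell audit, added here as an example and not code from SafeBreach or either vendor, lists the modules loaded by a running process and flags any that lack a valid Authenticode signature or sit in a directory an ordinary user can write to. The process name is a placeholder to be replaced with the service being checked; run it from an elevated session so the SYSTEM process's modules can be read.

```powershell
# Added audit example (not SafeBreach's or the vendors' code).
# Flags DLLs loaded by a process that are unsigned or live in a user-writable directory,
# which is exactly the condition a DLL-hijacking bug like CVE-2019-18670 relies on.
param(
    [string]$ProcessName = 'PLACEHOLDER_SERVICE'   # placeholder: service image name without .exe
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named '$ProcessName'"
    return
}

$findings = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path

        # Check whether broad, non-admin principals can write to the module's directory.
        $dir = Split-Path $path -Parent
        $acl = Get-Acl -Path $dir
        $userWritable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
        }

        [pscustomobject]@{
            Process      = $p.ProcessName
            PID          = $p.Id
            Module       = $path
            SigStatus    = $sig.Status            # 'Valid' is the expected value
            Signer       = $sig.SignerCertificate.Subject
            UserWritable = [bool]$userWritable
        }
    }
}

# Anything unsigned, or loaded from a directory a standard user can modify, merits review.
$findings |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.UserWritable } |
    Format-Table -AutoSize
```

Comparing the Signer column against the service binary's own signer also surfaces DLLs that are signed, but not by the vendor the service claims to represent.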
The vulnerability was reported to Acer on 24 September, was confirmed by Acer on 1 October, and patched on 7 October. Affected versions are Acer Quick Access v2.01.3000 - v.201.3027 and Acer Quick Access v3.00.3000 - v3.00.3008.