SafeBreach experts discovered vulnerabilities that allow execution of third-party code through software preinstalled on Acer and Asus computers.

In the case of Acer, the problem lies in the Acer Quick Access application. It automates the configuration of frequently used functions, including interaction with wireless devices, network data exchange and USB ports. Asus laptops were vulnerable due to an error in the Asus ATK Package, which includes a driver and several utilities for managing power and hotkeys.
Analysts pointed out that Acer Quick Access runs with system privileges and may therefore be of interest to hackers. Further research showed that on startup the utility tries to load three non-existent libraries.
“Thus, if an attacker can inject his own files onto the computer, Acer Quick Access will load and execute them with maximum permissions. The vulnerable program is executed every time the system starts, so hackers can ensure a constant presence on the computer”, SafeBreach experts report.
As the experts explained, the developers introduced an Uncontrolled Search Path Element weakness, which leads to unsafe library loading. The vulnerable service uses the LoadLibraryW call for this operation; unlike LoadLibraryExW, it offers no way to restrict the directories searched for the target files.
The second problem with Acer Quick Access is that the program does not verify the digital signature of the libraries it loads. This allows an attacker to substitute libraries without having to sign them with a legitimate certificate.
In September, the experts notified the developers of the threat. The company assigned the bug the identifier CVE-2019-18670 and fixed it in Acer Quick Access v.2.01.3028/3.00.3009.
Analysts found a similar problem in Asus products. The ASLDR service, which is part of the Asus ATK Package, tries to launch nonexistent EXE files. The vulnerable component also runs with system privileges, allowing attackers to execute malicious code with system-level access.
Experts note that exploiting this bug requires administrator rights. This is effectively the only limitation, because, like Acer Quick Access, ASLDR does not verify the digital signatures of the files it loads and runs every time the OS starts.
“The executable file of the service is signed by ASUSTek Computer Inc. This allows an attacker to use ASLDR to bypass the restrictions on launching third-party applications”, the experts say.
Technically, the flaw stems from missing quotation marks in the command used to launch the EXE files. As a result, the CreateProcessAsUser function used by the vulnerable process tries to break the path value into smaller arguments, appending .exe at each space and trying the result as a candidate executable. Experts note that the need to quote such commands is described in the Microsoft Developer Network documentation.
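To make the unquoted-path behaviour concrete, here is an added audit helper (not SafeBreach's or the vendors' code) that lists the locations CreateProcess would probe for an unquoted service ImagePath and produces the quoted form an administrator should set instead. The service names and paths are constructed samples, not the real Acer or Asus paths, and the rule that the first token ending in .exe marks the end of the executable path is an assumption of this script.

```python
import ntpath

EXE_SUFFIX = ".exe"

# Constructed sample ImagePath values (not the real Acer/Asus paths).
SAMPLE_IMAGE_PATHS = {
    "VendorHotkeySvc": r"C:\Program Files\Vendor\Hotkey Utility\hksvc.exe -service",
    "VendorUpdateSvc": r'"C:\Program Files\Vendor\Update\updsvc.exe" -service',
}


def createprocess_candidates(command_line: str) -> list:
    """Paths CreateProcess/CreateProcessAsUser probes, in order, when the module name
    is not quoted: each space-delimited prefix is tried, with ".exe" appended when the
    prefix has no extension (documented Windows behaviour). A quoted path yields one
    candidate. Assumption: the first token ending in .exe is the real executable."""
    s = command_line.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        return [s[1:close] if close != -1 else s[1:]]
    tokens = s.split(" ")
    candidates = []
    for i, tok in enumerate(tokens, start=1):
        prefix = " ".join(tokens[:i])
        name = ntpath.basename(prefix)
        candidates.append(prefix if "." in name else prefix + EXE_SUFFIX)
        if tok.lower().endswith(EXE_SUFFIX):
            break  # remaining tokens are arguments, not part of the path
    return candidates


def quote_image_path(command_line: str) -> str:
    """Hardened form: wrap the executable path in quotes so only one candidate remains.
    Already-quoted lines, or lines with no .exe token, are returned unchanged."""
    s = command_line.strip()
    if s.startswith('"'):
        return s
    tokens = s.split(" ")
    for i, tok in enumerate(tokens, start=1):
        if tok.lower().endswith(EXE_SUFFIX):
            exe, rest = " ".join(tokens[:i]), " ".join(tokens[i:])
            return f'"{exe}"' + (f" {rest}" if rest else "")
    return s


def audit(image_paths: dict) -> dict:
    """Map each service whose path is unquoted and contains spaces to the locations
    that would be probed before its real binary (where a planted .exe would win)."""
    findings = {}
    for name, cmd in image_paths.items():
        probed_first = createprocess_candidates(cmd)[:-1]
        if probed_first:
            findings[name] = probed_first
    return findings


if __name__ == "__main__":
    for svc, probes in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{svc}: probed before the real binary -> {probes}")
        print(f"  fix: ImagePath = {quote_image_path(SAMPLE_IMAGE_PATHS[svc])}")
```

On a real host the same functions can be fed the ImagePath values read from each service's registry key; any non-empty finding is a path that should be quoted and whose parent directories should not be writable by standard users.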
The vulnerability got the identifier CVE-2019-19235 and was fixed in ATK Package v.1.0.0061.
However, even the Acer and Asus firmware updates will not save users from Zombies if their computers run on Intel processors. As we already reported, some Intel processors are vulnerable to the new version of the ZombieLoad problem. Do not joke about the zombie apocalypse until you read how to protect yourself from it!