acer pwnd

TL;DR

Acer ships most of the laptop it sells with a software suite called Care Center Service installed. In versions up to 4.00.3034 included, one of the suite’s programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in. The vulnerability has been assigned ID CVE-2021-45975

Introduction

Greetings mates, last here! As I previously mentioned, lately I’ve been busy hunting for vulnerabilities and I ended up finding another privilege escalation in one of those softwares computer manufacturers put in the computers they sell. This time it ended up being in Care Center Service, a software suite Acer uses to keep devices they build updated. I won’t delve into the details of how I found the vulnerability, as it’s pretty much the same methodology I explained in the post about a similar vulnerability in an ASUS product I found last October.

The vulnerability

As with ASUS’ one, this vulnerability is a phantom DLL hijacking. At user logon, a scheduled task named “Software Update Application”, created when Acer Care Center is installed, runs a binary named ListCheck.exe. As specified in the scheduled task configuration, the binary runs with the highest privileges available to the logged on user (which means high integrity if the user is part of the BUILTIN\Administrators group). The process spawned then tries to load profapi.dll by first looking into the C:\ProgramData\OEM\UpgradeTool\ directory.

listcheck missing dll

The ACL of said directory is not properly configured (and often they are not for subfolders of C:\ProgramData\), meaning an unprivileged user has write access to it and thus can place there a malicious profapi.dll which will be loaded by ListCheck.exe and executed.

lax permissions

This means that, if a privileged user logs on, the malicious profapi.dll will be loaded and executed at high integrity, effectively running arbitrary malicious code as an administrator and achieving a privilege escalation.

Patch and workaround

Acer had released a patch for Acer Care Center on the 27th of December 2021 in order to fix the vulnerability. To prevent the vulnerability from being exploited before the patch is applied, simply disable the “Software Update Application” scheduled task.

Responsible disclosure timeline (YYYY/MM/DD)

That’s all for today folks, see you next time!

last out!