VULNERABILITY DETAILS
The Acer ControlCenter solution contains a component running as ACCSvc.exe as the NT AUTHORITY\SYSTEM user. This process exposes a Windows Named Pipe called treadstone_service_LightMode using a custom protocol to invoke functions within ACCSvc.exe. The service does not restrict which executables may be run, nor does it prevent lower privileged users from interacting with the aforementioned Named Pipe while allowing callers to control flags that determine the user level an arbitrary binary will run as.
One of the commands supported in ACCSvc.exe over the Named Pipe (internally known as command 7) makes it possible to invoke arbitrary binaries from a low privileged user in an elevated context
Impact Scope
Acer Control Center Software
Resolution
Acer has released a new version of Acer Control Center to address this concern. You can find the latest version of Acer Care Center for your device on our Drivers and Manuals site.
Credit
Acer thanks Leon Jacobs at Orange Cyber Defense for reporting this issue.
Disclaimer
THE ABOVE INFORMATION IS PROVIDED "AS IS" IN CONNECTION WITH ACER AND INTEL® PRODUCTS. YOUR USE OF THE INFORMATION OR MATERIALS LINKED FROM THIS PAGE IS AT YOUR OWN RISK. ACER RESERVES THE RIGHT TO CHANGE OR UPDATE THIS PAGE AT ANY TIME.