---
In this exclusive long-read, we’ll break down CVE-2022-44744—a local privilege escalation (LPE) vulnerability that affects Acronis Cyber Protect Home Office for Windows (formerly Acronis True Image) before build 40107. The flaw leverages a classic DLL hijacking technique, allowing attackers to run code with higher privilege. We will walk you through how it works, what’s required to exploit it, sample exploit code, and how you can protect yourself.
What is CVE-2022-44744?
CVE-2022-44744 is a security vulnerability classified as a local privilege escalation in Acronis Cyber Protect Home Office for Windows. Before build 40107, the software improperly loads a DLL from a directory writable by regular users. Malicious users can drop a fake DLL in this directory, which the privileged Acronis process will then load and execute, giving the attacker system-level access.
- Vulnerability Type: DLL Hijacking / Side-loading
Affected Versions: Before build 40107
- CVE Link: NVD - CVE-2022-44744
- Acronis Advisory: Acronis Security Advisory
How Does DLL Hijacking Work Here?
DLL hijacking exploits how Windows loads DLL files for applications. When an executable runs, it searches for required DLLs in certain directories—in order. If the application directory is user-writable and a privileged process loads DLLs from there, a normal user can plant a malicious DLL, impersonating a missing or vulnerable one.
Acronis Cyber Protect Home Office used to load certain DLLs from its program directory, not validating their integrity or path. On typical installs, users can write to subfolders inside the install path (like plug-ins, temp locations, or misconfigured directories).
Find the Vulnerable Executable:
Look for a Windows executable from the Acronis suite that runs as SYSTEM (either as a service or via Task Scheduler) and loads a DLL (for example, examplelib.dll) from its local folder.
Check Permissions:
Confirm that the folder is writable by unprivileged users (users group has Write/Modify permissions).
Craft Malicious DLL:
Write a DLL named exactly as the expected one (say, examplelib.dll), but with payload code—such as spawning a SYSTEM shell.
Trigger the Application:
Wait for or trigger the Acronis service/exe to run. It will load your DLL.
EvilDLL.cpp
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
// Spawn SYSTEM shell
WinExec("cmd.exe", SW_SHOW);
}
return TRUE;
}
Place in the vulnerable folder.
Important: In practice, attackers may use stealthier payloads, and Acronis likely patched this quickly. Never use for unauthorized testing.
Original References
- NVD Entry for CVE-2022-44744
- Acronis Cyber Protect Home Office Updates
General on DLL Hijacking:
- Microsoft Docs: Dynamic-Link Library Security
- OWASP DLL Hijacking
Fix and Mitigation
How to Patch:
Acronis resolved this by build 40107. Upgrade immediately if you use older builds!
Remove user write permissions on application directories.
- Use Microsoft’s Sysinternals tool AccessChk to verify permissions.
- Employ tools like Process Monitor to hunt for DLL search path issues.
Conclusion
CVE-2022-44744 exposed how improper library loading can lead to privilege escalation—even in trusted backup tools. Local attackers can turn small flaws into complete system compromise. Software vendors and IT admins should always pay attention to directory permissions and DLL search paths.
Always keep software updated and regularly audit installed applications—privilege escalation bugs are among the most prized by attackers.
Author: Security Watchdog, 2024
*Exclusive long-read, not to be reproduced without credit.*
*Disclaimer: This post is for educational purposes only. Please use all information responsibly.*
Timeline
Published on: 11/07/2022 20:15:00 UTC
Last modified on: 11/08/2022 19:14:00 UTC