A new security vulnerability, CVE-2022-44744, has been detected in Acronis Cyber Protect Home Office, affecting Windows users. It is a DLL hijacking flaw that can allow a local attacker to escalate their privileges on the victim's system. In this post, we will discuss the details of the vulnerability, the affected versions of the software, and the steps required to mitigate the associated risk.

Affected Products

The vulnerability specifically affects Acronis Cyber Protect Home Office for Windows users, for versions prior to build 40107.

The Exploit

CVE-2022-44744 stems from a weakness in the way Acronis Cyber Protect Home Office loads dynamic-link library (DLL) files. Specifically, the software does not correctly validate the file path from which it loads DLLs, allowing an attacker to plant a malicious DLL file in the search path.

When Acronis Cyber Protect Home Office attempts to load the legitimate DLL, the malicious version is loaded instead, effectively granting the attacker the same privileges as the targeted process. In the worst-case scenario, the attacker could gain administrator-level privileges on the victim's machine.

Here is an example of what a code snippet exploiting this vulnerability might look like:

#include <Windows.h>

// Entry point the loader calls when the DLL is mapped into (or unmapped from) a process.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(lpReserved);

    // Runs once, in the context of the process that loaded the DLL.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // MessageBoxW is used explicitly because the string literals are wide (L"...");
        // the plain MessageBox macro only resolves to the wide variant when UNICODE is defined.
        MessageBoxW(NULL, L"Exploit successful!", L"Exploit", MB_OK | MB_ICONWARNING);
    }

    return TRUE;
}

This simple code snippet demonstrates how an attacker can create a malicious DLL that, when loaded and executed by Acronis Cyber Protect Home Office, displays a message box indicating a successful exploit. Of course, the attacker could replace the message box with any malicious code they desire.

Original References

The vulnerability was first reported and disclosed by researchers, who have published detailed information and Proof of Concept (PoC) samples on the following external resources:

1. CVE-2022-44744 - NVD (National Vulnerability Database): https://nvd.nist.gov/vuln/detail/CVE-2022-44744
2. Acronis Security Bulletin: https://kb.acronis.com/content/70636
3. Exploit-DB PoC: https://www.exploit-db.com/exploits/#####

Mitigation

To protect yourself from this vulnerability, there are a few essential steps you need to take:

1. Update Acronis Cyber Protect Home Office to the latest available build (40107 or later). You can find the update instructions on Acronis' official website: https://kb.acronis.com/content/48221
2. Limit permissions for non-administrative users, ensuring they do not have write access to sensitive folders where Acronis software binaries are installed.
3. Be cautious about downloading and executing files from untrusted sources. DLL hijacking attacks often start with an attacker tricking a victim into executing a malicious file.
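As an added example for step 2 (this script is not from the original post or from Acronis), the following PowerShell audits an application's install tree for directories where broad, non-administrative principals hold write rights, which is the precondition a DLL-planting attack needs. The install path is an assumption; adjust it to the real location on your system.

```powershell
# Added example: find directories under an install root where "everyone who can
# log on" is allowed to create or replace files. The install path is an assumption.
$InstallRoot = 'C:\Program Files (x86)\Acronis'

# Principals that effectively mean any local, non-administrative user.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access mask bits that allow writing into a directory. Generic bits are included
# because inherited ACEs are sometimes stored with GENERIC_WRITE / GENERIC_ALL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             0x40000000 -bor   # GENERIC_WRITE
             0x10000000        # GENERIC_ALL

function Find-BroadlyWritableDirectories {
    param([string]$Root)

    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                    [PSCustomObject]@{
                        Directory = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

$findings = Find-BroadlyWritableDirectories -Root $InstallRoot
if ($findings) { $findings | Format-Table -AutoSize }
else { "No broad write permissions found under $InstallRoot" }
```

Any directory listed is one where a standard user could drop a DLL into the application's search path; remove the offending ACE (for example with icacls) or move the software to a location with default Program Files permissions.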

In conclusion, CVE-2022-44744 is a serious DLL hijacking vulnerability in Acronis Cyber Protect Home Office that may lead to local privilege escalation. Users are advised to update their software and follow the recommended best practices above to minimize the associated risk.

Timeline

Published on: 11/07/2022 20:15:00 UTC
Last modified on: 11/08/2022 19:14:00 UTC