Share
## https://sploitus.com/exploit?id=5AA2C0E4-5A71-5861-B9A4-0FEF0CA28E28
**CVE ID:** CVE-2026-9490
**Researcher:** Vo Duc Thang (ugvxb)

## 1. Executive Summary

A critical security vulnerability has been identified in the Acer Care Center service (ACCSvc.exe). The vulnerability allows any authenticated local user to crash the system service (Denial of Service) and potentially escalate privileges through a weakly secured Named Pipe interface.

The service, which runs with SYSTEM privileges (LocalSystem), exposes a Named Pipe with overly permissive access controls that grant read, write, and execute permissions to all Authenticated Users.

---

## 2. Vulnerability Details

### 2.1 Affected Component

| Attribute | Value |
|-----------|-------|
| **Product** | Acer Care Center |
| **Component** | ACCSvc.exe (ACC Service) |
| **Service Name** | ACCSvc |
| **Installation Path** | C:\Program Files (x86)\Acer\Care Center\ |
| **Service Account** | LocalSystem (NT AUTHORITY\SYSTEM) |
| **Start Type** | AUTO_START |
| **Named Pipe** | \\.\pipe\treadstone_service_LightMode |

### 2.2 Vulnerability #1: Denial of Service

#### Description

The ACCSvc service creates a Named Pipe with a weak Security Descriptor that allows any authenticated user to connect and send messages. When a specially crafted message (message type 0x03) is sent to the pipe, the service crashes with exit code 1067 (ERROR_PROCESS_ABORTED).

#### Security Descriptor (SDDL)

```
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
```

#### SDDL Analysis

| ACE | Principal | Permission | Assessment |
|-----|-----------|------------|------------|
| (D;OICI;GA;;;BG) | Builtin Guests | DENY ALL | Secure |
| (D;OICI;GA;;;AN) | Anonymous | DENY ALL | Secure |
| (A;OICI;GRGWGX;;;AU) | Authenticated Users | Read/Write/Execute | **VULNERABLE** |
| (A;OICI;GA;;;BA) | Builtin Admins | ALLOW ALL | Expected |

#### Impact

A standard user without any special privileges can terminate the ACCSvc system service, causing Acer Care Center functionality to become unavailable.

### 2.3 Vulnerability #2: Potential Local Privilege Escalation

#### Description

The same weak Named Pipe ACL allows authenticated users to send command messages that trigger the service to execute launcher applications via CreateProcessAsUserW.

#### Command Codes

| Command | Hex Value | Target Executable |
|---------|-----------|-------------------|
| 0x19065 | 102501 | ACCAPPLauncher.exe |
| 0x19066 | 102502 | ACCSWALauncher.exe |
| 0x19067 | 102503 | ACCFixpackFolderCleaner.exe |

---

## 3. Technical Analysis

### 3.1 Binary Analysis

| Attribute | Value |
|-----------|-------|
| **File** | ACCSvc.exe |
| **Type** | PE32+ executable (console) x86-64 |
| **Analysis Tool** | Radare2 |
| **Entry Point** | 0x14000fd4c |

### 3.2 Key Functions Identified

| Function | Address | Purpose |
|----------|---------|---------|
| fcn.140009a70 | 0x140009a70 | CreateNamedPipeW - Creates vulnerable pipe |
| fcn.140007570 | 0x140007570 | CreateProcessAsUserW - Spawns processes |
| fcn.14000a8a0 | 0x14000a8a0 | ReadFile handler |
| fcn.140009950 | 0x140009950 | WriteFile handler |
| fcn.140008050 | 0x140008050 | Message dispatcher |

### 3.3 Named Pipe Creation Parameters

```
Pipe Name:        \\.\pipe\treadstone_service_LightMode
dwOpenMode:       0x03 (PIPE_ACCESS_DUPLEX)
dwPipeMode:       0x06 (PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE)
nMaxInstances:    255
nOutBufferSize:   512
nInBufferSize:    512
nDefaultTimeOut:  1000ms
```

### 3.4 Command Dispatch Logic

```asm
0x140008b1a      mov ebx, dword [rdx + rcx]     ; Read command
0x140008b1d      lea eax, [rbx - 0x19065]       ; Subtract base
0x140008b23      cmp eax, 2                      ; Check range
0x140008b26      ja  0x140008bde                 ; Jump if invalid
```

---

### 4. Exploitation Results

```
accesschk.exe -v \pipe\treadstone_service_LightMode
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
\\.\Pipe\treadstone_service_LightMode
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\Authenticated Users
        FILE_ADD_FILE
        FILE_CREATE_PIPE_INSTANCE
        FILE_APPEND_DATA
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
        
C:\Users\thang\Downloads\Acer>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\Users\thang\Downloads\Acer>sc qc ACCSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ACCSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Acer\Care Center\ACCSvc.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ACC Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\thang\Downloads\Acer>sc query ACCSvc

SERVICE_NAME: ACCSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Users\thang\Downloads\Acer>python exploit_dos.py
[*] ACCSvc DoS Attack
[*] Target: \\.\pipe\treadstone_service_LightMode
[+] DoS payload sent - service should crash

C:\Users\thang\Downloads\Acer>sc query ACCSvc

SERVICE_NAME: ACCSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1067  (0x42b)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```

**Result**: Standard user successfully crashed SYSTEM service!

---

## 5. Risk Assessment

### 5.1 CVSS v3.1 Score

| Metric | Value |
|--------|-------|
| **CVSS 4.0 Vector** |AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/RE:M |
| **CVSS Base Score** | **6.8 (Medium)** |

### 5.2 CWE Classifications

| CWE ID | Name |
|--------|------|
| CWE-269 | Improper Privilege Management |

---

## 6. Disclaimer

This poc is for educational and authorized security research purposes only. The author is not responsible for any misuse. Exploitation without authorization is illegal.