Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation

`  
Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation  
  
  
Vendor: Ubisoft Entertainment S.A.  
Product web page: http://www.ubi.com  
Affected version: 5.0.0.3914 (PC)  
  
Summary: Uplay is a digital distribution, digital rights management,  
multiplayer and communications service created by Ubisoft to provide  
an experience similar to the achievements/trophies offered by various  
other game companies.  
  
- Uplay PC is a desktop client which replaces individual game launchers  
previously used for Ubisoft games. With Uplay PC, you have all your Uplay  
enabled games and Uplay services in the same place and you get access to  
a whole new set of features for your PC games.  
  
Desc: Uplay for PC suffers from an elevation of privileges vulnerability  
which can be used by a simple user that can change the executable file  
with a binary of choice. The vulnerability exist due to the improper  
permissions, with the 'F' flag (Full) for 'Users' group, making the  
entire directory 'Ubisoft Game Launcher' and its files and sub-dirs  
world-writable.  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5230  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php  
  
Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay  
  
  
19.02.2015  
  
--  
  
  
  
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe  
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F  
NT AUTHORITY\SYSTEM:(ID)F  
BUILTIN\Administrators:(ID)F  
test-PC\yousir:(ID)F  
  
  
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>  
`