HEX: Shards of Fate - Unquoted Path Privilege Escalation

ID 1337DAY-ID-25588
Type zdt
Reporter Cyril Vallicari
Modified 2016-05-16T00:00:00


Exploit for windows platform in category local exploits

# Exploit Title: Hex : Shard of Fate - Privilege
Escalation Unquoted path vulnerability
# Date: 15/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://gameforge.com
# Software Link:  https://hex.gameforge.com/ or via steam
# Version: and probably prior
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
Summary : Hex: Shard of Fate is a new breed of digital card game, combining
classic TCG gameplay with elements of an online RPG
Description : The game executable is prone to an unquoted path
vulnerability. When you go to the in-game store it fail to quote the
following command which is used multiple times :
C:/Program Files (x86)/Steam/steamapps/common/HEX SHARDS OF
FATE/Hex_Data/StreamingAssets/uWebKit/Windows/x86/UWKProcess.exe -parentpid
-processdb QzovVXNlcnMvVXRpbGlzYXRldXIvQXBwRGF0YS9Mb2NhbExvdy9IRVggRW50ZXJ0YWlubWVu
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
Put a software named Program.exe in C:
Launch the game or steam with high privileges and go to store
POC video : https://www.youtube.com/watch?v=E1_1wZea1ck
Patch :
Still waiting, no reward so full disclosure after 10 days

#  0day.today [2018-02-09]  #