Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Uplay 92.0.0.6280 - Local Privilege Escalation Vulnerability

🗓️ 14 Oct 2019 00:00:00Reported by Kusol Watchara-ApanukornType 
zdt
 zdt🔗 0day.today👁 122 Views

Uplay 92.0.0.6280 Local Privilege Escalation Vulnerability, BUILTIN-USER full permission allows file replacemen

Related
Code
ReporterTitlePublishedViews
Family
CNVD		Ubisoft Entertainment Ubisoft Uplay Elevation of Privilege Vulnerability
16 Oct 201900:00
cnvd
CVE		CVE-2019-14737
14 Oct 201918:15
cve
Cvelist		CVE-2019-14737
14 Oct 201918:15
cvelist
EUVD		EUVD-2019-5882
7 Oct 202500:30
euvd
NVD		CVE-2019-14737
14 Oct 201919:15
nvd
OSV		CVE-2019-14737
14 Oct 201919:15
osv
Prion		Design/Logic Flaw
14 Oct 201919:15
prion
# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
# Vendor Homepage: https://uplay.ubisoft.com/
# Version: 92.0.0.6280
# Tested on: Windows 10 x64
# CVE : N/A

# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission 
# that allows all BUILTIN-USER has full permission. An attacker replace the 
# vulnerability execute file with malicious file.

///////////////////////
   Proof of Concept
///////////////////////

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(RX)
                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)




Vulnerability Disclosure Timeline:
==================================
07 Aug, 19 : Found Vulnerability
07 Aug, 19 : Vendor Notification
14 Aug, 19 : Vendor Response
18 Sep, 19 : Vendor Fixed
18 Sep, 19  : Vendor released new patched

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Oct 2019 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 24.6
CVSS 3.17.8
EPSS0.0049
uplaylocal privilege escalationvulnerabilitybuiltin-userpermissionfile replacementvendor responsepatched
122