Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation

2014-07-03T00:00:00
ID ZSL-2014-5191
Type zeroscience
Reporter Gjoko Krstic
Modified 2014-07-03T00:00:00

Description

Title: Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation
Advisory ID: ZSL-2014-5191
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 03.07.2014

Summary

Uplay is a digital distribution, digital rights management, multiplayer and communications service created by Ubisoft to provide an experience similar to the achievements/trophies offered by various other game companies.

Description

Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, making the entire directory 'Ubisoft Game Launcher' and its files and sub-dirs world-writable.

Vendor

Ubisoft Entertainment S.A. - <http://www.ubi.com>

Affected Version

4.6.3208 (PC)
4.5.2.3010 (PC)

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[30.05.2014] Vulnerability discovered.
[30.05.2014] Vendor notified with details.
[01.06.2014] Vendor responds with confirmation.
[04.06.2014] Working with the vendor.
[03.07.2014] Vendor releases fixed version 4.6.1.3217 to address this issue.
[03.07.2014] Coordinated public security advisory released.

PoC

uplay_pe.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://forums.ubi.com/forumdisplay.php/513-Uplay>
[2] <http://cxsecurity.com/issue/WLB-2014070019>
[3] <http://osvdb.org/show/osvdb/108726>
[4] <http://www.exploit-db.com/exploits/33961/>
[5] <http://www.securityfocus.com/bid/68407>
[6] <http://1337day.com/exploit/22405>
[7] <http://packetstormsecurity.com/files/127355>
[8] <http://secunia.com/advisories/59472/>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5453>
[10] <http://www.securiteam.com/securitynews/5EP340UEVA.html>

Changelog

[03.07.2014] - Initial release
[04.07.2014] - Added reference [3] and [4]
[05.07.2014] - Added reference [5] and [6]
[06.07.2014] - Added reference [7]
[18.07.2014] - Added reference [8]
[05.10.2014] - Added reference [9]
[20.02.2015] - Added reference [10]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;