Ubisoft Uplay 4.6 Insecure File Permission Local Privilege Escalation Vulnerability

Ubisoft Uplay 4.6 Insecure File Permission Local Privilege Escalation Vulnerability

Release date:
Updated on:

Affected Systems:
Ubisoft Entertainment UPLAY 4.6.3208 (PC)
Ubisoft Entertainment UPLAY 4.5.2.3010 (PC) Description:
Bugtraq id: 68407
CVE (CAN) ID: CVE-2014-5453
Uplay is a digital distribution, data copyright management, multi-player, communication service.
Ubisoft Uplay sets the 'F' flag (Full) for the 'everone' group, and there is an insecure file permission vulnerability in implementation, this allows the entire 'ubisoft Game Launcher 'directory and its files and subdirectories to be globally writable. Local attackers can exploit this vulnerability to use binary files to change executable files and obtain elevated permissions.
Liquidworm@gmail.com)
*>

Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk! Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation
Vendor: Ubisoft Entertainment S..
Product web page: http://www.ubi.com
Affected version: 4.6.3208 (PC)
4.5.2.3010 (PC)
Summary: Uplay is a digital distribution, digital rights management,
Multiplayer and communications service created by Ubisoft to provide
An experience similar to the achievements/trophies offered by various
Other game companies.
-Uplay PC is a desktop client which replaces individual game launchers
Previusly used for Ubisoft games. With Uplay PC, you have all your Uplay
Enabled games and Uplay services in the same place and you get access
A whole new set of features for your PC games.
Desc: Uplay for PC suffers from an elevation of privileges vulnerability
Which can be used by a simple user that can change the executable file
With a binary of choice. The vulnerability exist due to the improper
Permissions, with the 'F' flag (Full) for 'everone' group, making
Entire directory 'ubisoft Game Launcher 'and its files and sub-dirs
World-writable.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'liquidworm' Krstic
@ Zeroscience
Advisory ID: ZSL-2014-5191
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5191.php
Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
302.165.2014
--
========================================================== ====================================
C: \ Program Files (x86) \ Ubisoft Game Launcher> icacls *. exe | findstr Everyone
UbisoftGameLauncher.exe Everyone :( I) (F)
UbisoftGameLauncher64.exe Everyone :( I) (F)
Uninstall.exe Everyone :( I) (F)
Uplay.exe Everyone :( I) (F)
UplayCrashReporter.exe Everyone :( I) (F)
UplayService.exe Everyone :( I) (F)
C: \ Program Files (x86) \ Ubisoft Game Launcher>
========================================================== ====================================
C: \ Program Files (x86) \ Ubisoft Game Launcher> icacls Uplay.exe
Uplay.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
BUILTIN \ Users :( I) (RX)
Successfully processed 1 files; Failed processing 0 files
C: \ Program Files (x86) \ Ubisoft Game Launcher>
========================================================== ====================================
C: \ Program Files (x86) \ Ubisoft Game Launcher> icacls *. exe | findstr (F)
UbisoftGameLauncher.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
UbisoftGameLauncher64.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
Uninstall.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
Uplay.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
UplayCrashReporter.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
UplayService.exe Everyone :( I) (F)
Nt authority \ SYSTEM :( I) (F)
BUILTIN \ Administrators :( I) (F)
C: \ Program Files (x86) \ Ubisoft Game Launcher>
========================================================== ====================================
C: \ Program Files (x86) \ Ubisoft> icacls "Ubisoft Game Launcher"
Ubisoft Game Launcher Everyone :( OI) (CI) (F)
Nt service \ TrustedInstaller :( I) (F)
Nt service \ TrustedInstaller :( I) (CI) (IO) (F)
Nt authority \ SYSTEM :( I) (F)
Nt authority \ SYSTEM :( I) (OI) (CI) (IO) (F)
BUILTIN \ Administrators :( I) (F)
BUILTIN \ Administrators :( I) (OI) (CI) (IO) (F)
BUILTIN \ Users :( I) (RX)
BUILTIN \ Users :( I) (OI) (CI) (IO) (GR, GE)
Creator owner :( I) (OI) (CI) (IO) (F)
Successfully processed 1 files; Failed processing 0 files
C: \ Program Files (x86) \ Ubisoft>
========================================================== ====================================
========================================================== ====================================
Changed permissions (vendor fix ):
---------------------------------
C: \ Program Files (x86) \ Ubisoft Game Launcher> cacls Uplay.exe
C: \ Program Files (x86) \ Ubisoft Game Launcher \ Uplay.exe BUILTIN \ Users :( ID) (special access :)
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
Nt authority \ SYSTEM :( ID) F
BUILTIN \ Administrators :( ID) F
BUILTIN \ Users :( ID) R
Labpc \ user4dmin :( ID) F
C: \ Program Files (x86) \ Ubisoft Game Launcher>
========================================================== ====================================
Suggestion:
Vendor patch:
Ubisoft Entertainment
---------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://forums.ubi.com/forumdisplay.php/513-Uplay

This article permanently updates the link address: