49 lines
No EOL
1.8 KiB
Text
49 lines
No EOL
1.8 KiB
Text
|
|
Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation
|
|
|
|
|
|
Vendor: Ubisoft Entertainment S.A.
|
|
Product web page: http://www.ubi.com
|
|
Affected version: 5.0.0.3914 (PC)
|
|
|
|
Summary: Uplay is a digital distribution, digital rights management,
|
|
multiplayer and communications service created by Ubisoft to provide
|
|
an experience similar to the achievements/trophies offered by various
|
|
other game companies.
|
|
|
|
- Uplay PC is a desktop client which replaces individual game launchers
|
|
previously used for Ubisoft games. With Uplay PC, you have all your Uplay
|
|
enabled games and Uplay services in the same place and you get access to
|
|
a whole new set of features for your PC games.
|
|
|
|
Desc: Uplay for PC suffers from an elevation of privileges vulnerability
|
|
which can be used by a simple user that can change the executable file
|
|
with a binary of choice. The vulnerability exist due to the improper
|
|
permissions, with the 'F' flag (Full) for 'Users' group, making the
|
|
entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
|
|
world-writable.
|
|
|
|
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2015-5230
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php
|
|
|
|
Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
|
|
|
|
|
|
19.02.2015
|
|
|
|
--
|
|
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
|
|
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F
|
|
NT AUTHORITY\SYSTEM:(ID)F
|
|
BUILTIN\Administrators:(ID)F
|
|
test-PC\yousir:(ID)F
|
|
|
|
|
|
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher> |