Blizzard Update Agent – JSON RPC DNS Rebinding

  • 作者: Google Security Research
    日期: 2018-01-23
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/43879/
  • All blizzard games are installed alongside a shared tool called "Blizzard Update Agent", investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed.
    
    The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc's are from a legitimate source, it looks like this:
    
    $ curl -si http://localhost:1120/agent
    HTTP/1.0 200 OK
    Content-Length: 359
    
    {
    "pid" : 3140.000000,
    "user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
    "user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
    "state" : 1004.000000,
    "version" : "2.13.4.5955",
    "region" : "us",
    "type" : "retail",
    "opt_in_feedback" : true,
    "session" : "15409717072196133548",
    "authorization" : "11A87920224BD1FB22AF5F868CA0E789"
    }
    
    This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.
    
    I don't think this design will work because of an attack called "dns rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.
    
    To be clear, this means that *any* website can send privileged commands to the agent.
    
    I have a domain I use for testing called rbndr.us, you can use this page to generate hostnames:
    
    https://lock.cmpxchg8b.com/rebinder.html
    
    Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:
    
    $ host 7f000001.c7f11de3.rbndr.us
    7f000001.c7f11de3.rbndr.us has address 127.0.0.1
    $ host 7f000001.c7f11de3.rbndr.us
    7f000001.c7f11de3.rbndr.us has address 199.241.29.227
    $ host 7f000001.c7f11de3.rbndr.us
    7f000001.c7f11de3.rbndr.us has address 127.0.0.1
    
    Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).
    
    I just wait for the cached response to expire, and then POST commands to the server.
    
    Exploitation would involve using network drives, or setting destination to "Downloads" and making the browser install dlls, datafiles, etc.
    
    I made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea!
    
    http://lock.cmpxchg8b.com/yah4od7N.html
    
    See screenshot attached of how it's supposed to look.
    
    Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43665.zip