Ubisoft Uplay 5.0 – Insecure File Permissions Privilege Escalation

• Exploit Database
• 11 阅读

• 作者： LiquidWorm
  日期： 2015-02-26
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36189/

• 
  Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation
  
  
  Vendor: Ubisoft Entertainment S.A.
  Product web page: http://www.ubi.com
  Affected version: 5.0.0.3914 (PC)
  
  Summary: Uplay is a digital distribution, digital rights management,
  multiplayer and communications service created by Ubisoft to provide
  an experience similar to the achievements/trophies offered by various
  other game companies.
  
   - Uplay PC is a desktop client which replaces individual game launchers
   previously used for Ubisoft games. With Uplay PC, you have all your Uplay
   enabled games and Uplay services in the same place and you get access to
   a whole new set of features for your PC games.
  
  Desc: Uplay for PC suffers from an elevation of privileges vulnerability
  which can be used by a simple user that can change the executable file
  with a binary of choice. The vulnerability exist due to the improper
  permissions, with the 'F' flag (Full) for 'Users' group, making the
  entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
  world-writable.
  
  Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5230
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php
  
  Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
  
  
  19.02.2015
  
  --
  C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
  C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F
   test-PC\yousir:(ID)F
  
  
  C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>