Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation

2015.02.25
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

? Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation Vendor: Ubisoft Entertainment S.A. Product web page: http://www.ubi.com Affected version: 5.0.0.3914 (PC) Summary: Uplay is a digital distribution, digital rights management, multiplayer and communications service created by Ubisoft to provide an experience similar to the achievements/trophies offered by various other game companies. - Uplay PC is a desktop client which replaces individual game launchers previously used for Ubisoft games. With Uplay PC, you have all your Uplay enabled games and Uplay services in the same place and you get access to a whole new set of features for your PC games. Desc: Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group, making the entire directory 'Ubisoft Game Launcher' and its files and sub-dirs world-writable. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5230 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay 19.02.2015 -- C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F test-PC\yousir:(ID)F C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top