Epic Games Launcher 7.9.4-4058369 Insecure File Permissions

2018.05.22
Credit: LiquidWorm
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Epic Games Launcher 7.9.4-4058369 Insecure File Permissions Vendor: Epic Games, Inc. Product web page: https://www.epicgames.com Affected version: 7.9.4-4058369 7.9.3-4051644 7.9.2 7.9.1-4016505 7.8.0-3988049 7.7.0 Summary: Epic Games Launcher is a shareware desktop tool that allows you to buy and download games and other products from Epic Games. Through this program, you can get games like Fortnite, Unreal Tournament, Shadow Complex, and Paragon. Also, you can download tools like Unreal Engine and ARK Dev Kit. The program includes a social feature that allows you to add friends, change your status, and more. Desc: The Epic Games Launcher suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group. Tested on: Microsoft Windows 10 Home Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2018-5468 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5468.php 10.04.2018 -- C:\Program Files (x86)\Epic Games\Launcher\Engine\Binaries\Win64>icacls EpicGamesLauncher.exe EpicGamesLauncher.exe BUILTIN\Users:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) Successfully processed 1 files; Failed processing 0 files C:\Program Files (x86)\Epic Games\Launcher\Engine\Binaries\Win64> ---------------------- C:\Program Files (x86)\Epic Games>cacls Launcher C:\Program Files (x86)\Epic Games\Launcher BUILTIN\Users:(OI)(CI)(ID)F NT SERVICE\TrustedInstaller:(ID)F NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:) GENERIC_READ GENERIC_EXECUTE CREATOR OWNER:(OI)(CI)(IO)(ID)F APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:) GENERIC_READ GENERIC_EXECUTE APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:) GENERIC_READ GENERIC_EXECUTE


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top