header-logo
Suggest Exploit
vendor:
Uplay
by:
Gjoko 'LiquidWorm' Krstic
7.2
CVSS
HIGH
Insecure File Permissions
732
CWE
Product Name: Uplay
Affected Version From: 5.0.0.3914
Affected Version To: 5.0.0.3914
Patch Exists: NO
Related CWE: N/A
CPE: a:ubisoft:uplay:5.0.0.3914
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows 7 Ultimate SP1 (EN)
2015

Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation

Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group, making the entire directory 'Ubisoft Game Launcher' and its files and sub-dirs world-writable.

Mitigation:

Ensure that the permissions of the files and directories are set to the least privilege required for the application to function properly.
Source

Exploit-DB raw data:


Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation


Vendor: Ubisoft Entertainment S.A.
Product web page: http://www.ubi.com
Affected version: 5.0.0.3914 (PC)

Summary: Uplay is a digital distribution, digital rights management,
multiplayer and communications service created by Ubisoft to provide
an experience similar to the achievements/trophies offered by various
other game companies.

 - Uplay PC is a desktop client which replaces individual game launchers
 previously used for Ubisoft games. With Uplay PC, you have all your Uplay
 enabled games and Uplay services in the same place and you get access to
 a whole new set of features for your PC games.

Desc: Uplay for PC suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper
permissions, with the 'F' flag (Full) for 'Users' group, making the
entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
world-writable.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5230
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php

Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay


19.02.2015

--
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F
                                                               NT AUTHORITY\SYSTEM:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               test-PC\yousir:(ID)F


C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>

Navigation

Suggest Exploit

Services By CQR