Uplay 92.0.0.6280 - Local Privilege Escalation

vendor:

Uplay

by:

Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi

7.5

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: Uplay

Affected Version From: 92.0.0.6280

Affected Version To: 92.0.0.6280

Patch Exists: NO

Related CWE:

CPE: a:ubisoft:uplay:92.0.0.6280

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 x64

2019

Uplay 92.0.0.6280 – Local Privilege Escalation

"C:Program Files (x86)UbisoftUbisoft Game Launcher" has insecure permissions that allow all BUILTIN-USER to have full permission. An attacker can replace the vulnerable executable file with a malicious file.

Mitigation:

Apply proper permissions to the "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" directory to restrict access to privileged users only. Regularly update Uplay software to the latest version.

Source

Exploit-DB raw data:

# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
# Date: 2019-08-07
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
# Vendor Homepage: https://uplay.ubisoft.com/
# Version: 92.0.0.6280
# Tested on: Windows 10 x64
# CVE : N/A

# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission 
# that allows all BUILTIN-USER has full permission. An attacker replace the 
# vulnerability execute file with malicious file.

///////////////////////
   Proof of Concept
///////////////////////

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(RX)
                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)




Vulnerability Disclosure Timeline:
==================================
07 Aug, 19 : Found Vulnerability
07 Aug, 19 : Vendor Notification
14 Aug, 19 : Vendor Response
18 Sep, 19 : Vendor Fixed
18 Sep, 19  : Vendor released new patched