Ubisoft Uplay 4.6不安全文件权限本地权限提升漏洞


发布日期:2014-01-01
更新日期:2014-09-01

受影响系统:
Ubisoft Entertainment UPLAY 4.6.3208 (PC)
Ubisoft Entertainment UPLAY 4.5.2.3010 (PC)描述:
BUGTRAQ ID: 68407
CVE(CAN) ID: CVE-2014-5453
Uplay是数字发行、数据版权管理、多玩家、通信服务。
Ubisoft Uplay对'Everyone'组设置了'F'旗标(Full),在实现上存在不安全的文件权限漏洞,这可使整个'Ubisoft Game Launcher'目录及其文件和子目录全局可写,本地攻击者可利用此漏洞用二进制文件更改可执行文件并获取提升的权限。
liquidworm@gmail.com)
*>

测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation
Vendor: Ubisoft Entertainment S.A.
Product web page: http://www.ubi.com
Affected version: 4.6.3208 (PC)
4.5.2.3010 (PC)
Summary: Uplay is a digital distribution, digital rights management,
multiplayer and communications service created by Ubisoft to provide
an experience similar to the achievements/trophies offered by various
other game companies.
- Uplay PC is a desktop client which replaces individual game launchers
previously used for Ubisoft games. With Uplay PC, you have all your Uplay
enabled games and Uplay services in the same place and you get access to
a whole new set of features for your PC games.
Desc: Uplay for PC suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper
permissions, with the 'F' flag (Full) for 'Everyone' group, making the
entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
world-writable.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5191
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5191.php
Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
30.05.2014
--
=======================================================================
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls *.exe |findstr Everyone
UbisoftGameLauncher.exe Everyone:(I)(F)
UbisoftGameLauncher64.exe Everyone:(I)(F)
Uninstall.exe Everyone:(I)(F)
Uplay.exe Everyone:(I)(F)
UplayCrashReporter.exe Everyone:(I)(F)
UplayService.exe Everyone:(I)(F)
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
=======================================================================
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls Uplay.exe
Uplay.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
=======================================================================
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls *.exe |findstr (F)
UbisoftGameLauncher.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
UbisoftGameLauncher64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Uninstall.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Uplay.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
UplayCrashReporter.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
UplayService.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
=======================================================================
C:\Program Files (x86)\Ubisoft>icacls "Ubisoft Game Launcher"
Ubisoft Game Launcher Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Ubisoft>
=======================================================================
=======================================================================
Changed permissions (vendor fix):
---------------------------------
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)(special access:)
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
labpc\user4dmin:(ID)F
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
=======================================================================
建议:
厂商补丁:
Ubisoft Entertainment
---------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://forums.ubi.com/forumdisplay.php/513-Uplay

本文永久更新链接地址:

相关内容

    暂无相关文章