← Advisories

Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation

Low
Advisory ID
ZSL-2014-5191
Release Date
03 July 2014
Vendor
Ubisoft Entertainment S.A. - http://www.ubi.com
Affected Version
4.6.3208 (PC), 4.5.2.3010 (PC)
CVE
CVE-2014-5453
Tested On
Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)
Summary

Uplay is a digital distribution, digital rights management, multiplayer and communications service created by Ubisoft to provide an experience similar to the achievements/trophies offered by various other game companies.

Description

Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, making the entire directory 'Ubisoft Game Launcher' and its files and sub-dirs world-writable.

Proof of Concept
uplay_pe.txtTXT
Disclosure Timeline
30.05.2014Vulnerability discovered.
30.05.2014Vendor notified with details.
01.06.2014Vendor responds with confirmation.
04.06.2014Working with the vendor.
03.07.2014Vendor releases fixed version 4.6.1.3217 to address this issue.
03.07.2014Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://forums.ubi.com/forumdisplay.php/513-Uplay
[2]http://cxsecurity.com/issue/WLB-2014070019
[3]http://osvdb.org/show/osvdb/108726
[4]http://www.exploit-db.com/exploits/33961/
[5]http://www.securityfocus.com/bid/68407
[6]http://1337day.com/exploit/22405
[7]http://packetstormsecurity.com/files/127355
[8]http://secunia.com/advisories/59472/
[9]http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5453
[10]http://www.securiteam.com/securitynews/5EP340UEVA.html
Changelog
03.07.2014Initial release
04.07.2014Added reference [3] and [4]
05.07.2014Added reference [5] and [6]
06.07.2014Added reference [7]
18.07.2014Added reference [8]
05.10.2014Added reference [9]
20.02.2015Added reference [10]