Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation

Low
Advisory ID: ZSL-2015-5230
Release Date: 25 February 2015
Vendor: Ubisoft Entertainment S.A. - http://www.ubi.com
Affected Version: 5.0.0.3914 (PC)
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN)
Summary

Uplay PC is a desktop client which replaces individual game launchers previously used for Ubisoft games. With Uplay PC, you have all your Uplay enabled games and Uplay services in the same place and you get access to a whole new set of features for your PC games.

Description

Uplay for PC suffers from an elevation of privileges vulnerability: an unprivileged local user can replace the executable file with a binary of their choice. The vulnerability exists due to improper permissions, with the 'F' (Full) flag set for the 'Users' group, which makes the entire 'Ubisoft Game Launcher' directory, its files and its sub-directories world-writable.
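
To audit an installation for the condition described above, the following added example (not part of the original advisory or any vendor tooling) parses `icacls <dir> /T` output and reports allow entries that give broad groups write-level rights such as 'F'. It assumes English principal names and the usual icacls column layout; the parent path and the file name in the sample are placeholders, and the sample output is constructed.

```python
import re

# Broad principals as printed on an English system (assumption: localized builds differ).
BROAD = r"Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE"
ACE_RE = re.compile(rf"(?P<who>{BROAD}):(?P<flags>(?:\([A-Z,]+\))+)\s*$")
# icacls rights that let the holder alter content, the DACL or the owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}


def find_weak_aces(icacls_output):
    """Return (path, principal, rights) for allow ACEs giving broad groups write access."""
    findings, header = [], ""
    for line in icacls_output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        indented = line[0].isspace()
        if not indented:
            header = line  # first line of an object: "<path> <first ACE>"
        m = ACE_RE.search(line)
        if not m:
            continue
        tokens = set(re.findall(r"[A-Z]+", m["flags"]))
        risky = tokens & WRITE_RIGHTS
        if "DENY" in tokens or not risky:
            continue
        # Continuation ACEs are indented to the column where the first
        # principal starts, so that column also marks the end of the path.
        end = len(line) - len(line.lstrip()) if indented else m.start()
        findings.append((header[:end].rstrip(), m["who"], sorted(risky)))
    return findings


def _block(path, aces):
    # Helper for the constructed sample: lays out one object the way icacls does.
    return path + " " + ("\n" + " " * (len(path) + 1)).join(aces)


# Constructed sample; the parent path and file name are placeholders.
ROOT = r"C:\PLACEHOLDER\Ubisoft Game Launcher"
SAMPLE = "\n\n".join([
    _block(ROOT, [r"BUILTIN\Users:(OI)(CI)(F)", r"NT AUTHORITY\SYSTEM:(OI)(CI)(F)"]),
    _block(ROOT + r"\example.exe", [r"NT AUTHORITY\SYSTEM:(I)(F)", r"BUILTIN\Users:(I)(F)"]),
    _block(r"C:\PLACEHOLDER\Hardened", [r"BUILTIN\Administrators:(F)", r"BUILTIN\Users:(RX)"]),
]) + "\n\nSuccessfully processed 3 files; Failed processing 0 files\n"

if __name__ == "__main__":
    for path, who, rights in find_weak_aces(SAMPLE):
        print(f"{path}: {who} has {','.join(rights)}")
```

An empty result for a program directory means none of the listed broad groups holds write-level rights on it or on the files beneath it.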

Proof of Concept
Disclosure Timeline
19.02.2015 - Vulnerability discovered.
19.02.2015 - Vendor contacted with details sent.
20.02.2015 - Vendor replies and investigates.
20.02.2015 - Vendor confirms vulnerability.
24.02.2015 - Vendor plans to redesign the installer architecture and release new fixed version before the end of 2015.
25.02.2015 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Marc-André!
References
Changelog
25.02.2015 - Initial release
02.03.2015 - Added reference [5] and [6]
12.03.2015 - Added reference [7]
14.03.2015 - Added reference [8]