Epic Games Launcher 7.9.4-4058369 Insecure File Permissions


Vendor: Epic Games, Inc.
Product web page: https://www.epicgames.com
Affected version: 7.9.4-4058369
                  7.9.3-4051644
                  7.9.2
                  7.9.1-4016505
                  7.8.0-3988049
                  7.7.0


Summary: Epic Games Launcher is a shareware desktop tool that
allows you to buy and download games and other products from
Epic Games. Through this program, you can get games like Fortnite,
Unreal Tournament, Shadow Complex, and Paragon. Also, you can
download tools like Unreal Engine and ARK Dev Kit. The program
includes a social feature that allows you to add friends, change
your status, and more.

Desc: The Epic Games Launcher suffers from an elevation
of privileges vulnerability which can be used by a simple
authenticated user that can change the executable file
with a binary of choice. The vulnerability exist due to
the improper permissions, with the 'F' flag (Full) for
'Users' group.

Tested on: Microsoft Windows 10 Home


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2018-5468
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5468.php


10.04.2018

--


C:\Program Files (x86)\Epic Games\Launcher\Engine\Binaries\Win64>icacls EpicGamesLauncher.exe
EpicGamesLauncher.exe BUILTIN\Users:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Epic Games\Launcher\Engine\Binaries\Win64>


----------------------


C:\Program Files (x86)\Epic Games>cacls Launcher
C:\Program Files (x86)\Epic Games\Launcher BUILTIN\Users:(OI)(CI)(ID)F
                                           NT SERVICE\TrustedInstaller:(ID)F
                                           NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                           NT AUTHORITY\SYSTEM:(ID)F
                                           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                           BUILTIN\Administrators:(ID)F
                                           BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                           BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                         GENERIC_READ
                                                                         GENERIC_EXECUTE

                                           CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)
                                                                                                                  GENERIC_READ
                                                                                                                  GENERIC_EXECUTE

                                           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
                                           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)
                                                                                                                             GENERIC_READ
                                                                                                                             GENERIC_EXECUTE