首页 / 操作系统 / Linux / Ubisoft Uplay 4.6不安全文件权限本地权限提升漏洞
发布日期:2014-01-01 更新日期:2014-09-01受影响系统: Ubisoft Entertainment UPLAY 4.6.3208 (PC) Ubisoft Entertainment UPLAY 4.5.2.3010 (PC)描述: BUGTRAQ ID: 68407 CVE(CAN) ID: CVE-2014-5453 Uplay是数字发行、数据版权管理、多玩家、通信服务。 Ubisoft Uplay对"Everyone"组设置了"F"旗标(Full),在实现上存在不安全的文件权限漏洞,这可使整个"Ubisoft Game Launcher"目录及其文件和子目录全局可写,本地攻击者可利用此漏洞用二进制文件更改可执行文件并获取提升的权限。 liquidworm@gmail.com) *>测试方法: 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Ubisoft Uplay 4.6 Insecure File Permissions Local Privilege Escalation Vendor: Ubisoft Entertainment S.A. Product web page: http://www.ubi.com Affected version: 4.6.3208 (PC) 4.5.2.3010 (PC) Summary: Uplay is a digital distribution, digital rights management, multiplayer and communications service created by Ubisoft to provide an experience similar to the achievements/trophies offered by various other game companies. - Uplay PC is a desktop client which replaces individual game launchers previously used for Ubisoft games. With Uplay PC, you have all your Uplay enabled games and Uplay services in the same place and you get access to a whole new set of features for your PC games. Desc: Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the "F" flag (Full) for "Everyone" group, making the entire directory "Ubisoft Game Launcher" and its files and sub-dirs world-writable. Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko "LiquidWorm" Krstic @zeroscience Advisory ID: ZSL-2014-5191 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5191.php Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay 30.05.2014 -- ======================================================================= C:Program Files (x86)UbisoftUbisoft Game Launcher>icacls *.exe |findstr Everyone UbisoftGameLauncher.exe Everyone:(I)(F) UbisoftGameLauncher64.exe Everyone:(I)(F) Uninstall.exe Everyone:(I)(F) Uplay.exe Everyone:(I)(F) UplayCrashReporter.exe Everyone:(I)(F) UplayService.exe Everyone:(I)(F) C:Program Files (x86)UbisoftUbisoft Game Launcher> ======================================================================= C:Program Files (x86)UbisoftUbisoft Game Launcher>icacls Uplay.exe Uplay.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) BUILTINUsers:(I)(RX) Successfully processed 1 files; Failed processing 0 files C:Program Files (x86)UbisoftUbisoft Game Launcher> ======================================================================= C:Program Files (x86)UbisoftUbisoft Game Launcher>icacls *.exe |findstr (F) UbisoftGameLauncher.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) UbisoftGameLauncher64.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) Uninstall.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) Uplay.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) UplayCrashReporter.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) UplayService.exe Everyone:(I)(F) NT AUTHORITYSYSTEM:(I)(F) BUILTINAdministrators:(I)(F) C:Program Files (x86)UbisoftUbisoft Game Launcher> ======================================================================= C:Program Files (x86)Ubisoft>icacls "Ubisoft Game Launcher" Ubisoft Game Launcher Everyone:(OI)(CI)(F) NT SERVICETrustedInstaller:(I)(F) NT SERVICETrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITYSYSTEM:(I)(F) NT AUTHORITYSYSTEM:(I)(OI)(CI)(IO)(F) BUILTINAdministrators:(I)(F) BUILTINAdministrators:(I)(OI)(CI)(IO)(F) BUILTINUsers:(I)(RX) BUILTINUsers:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files C:Program Files (x86)Ubisoft> ======================================================================= ======================================================================= Changed permissions (vendor fix): --------------------------------- C:Program Files (x86)UbisoftUbisoft Game Launcher>cacls Uplay.exe C:Program Files (x86)UbisoftUbisoft Game LauncherUplay.exe BUILTINUsers:(ID)(special access:) DELETE READ_CONTROL WRITE_DAC WRITE_OWNER STANDARD_RIGHTS_REQUIRED FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE NT AUTHORITYSYSTEM:(ID)F BUILTINAdministrators:(ID)F BUILTINUsers:(ID)R labpcuser4dmin:(ID)F C:Program Files (x86)UbisoftUbisoft Game Launcher> ======================================================================= 建议: 厂商补丁: Ubisoft Entertainment --------------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://forums.ubi.com/forumdisplay.php/513-Uplay
易网时代-编程资源站