
Version: Origin Client version 10.2-0 ( )

Vulnerability: Origin Client Service DACL Overwrite Elevation of Privilege

Brief Description: When Origin is installed, it comes with a few different services, such as the “Origin Client Service”. This service can be stopped and started by low privileged users. When the Origin Client service starts, it checks for the existence of “C:\ProgramData\Origin\local.xml”. If this file doesn’t exist, it creates it and grants the “Everyone” group “FullControl” over the file. Since a low privileged user has rights to this file, it is possible to create a hardlink on “C:\ProgramData\Origin\local.xml” and point it to another file, resulting in the target file having “FullControl” rights granted to the “Everyone” group.

A low privileged user can use this to overwrite the DACL on privileged files, resulting in elevation of privilege to “NT AUTHORITY\SYSTEM”.

When Origin is installed, it comes with a few different services. One such service is the “Origin Client Service”. This service can be stopped and started by low privileged users. When restarting the Origin Client Service, it checks to see if “C:\ProgramData\Origin\local.xml” exists. If it doesn’t, it will create it and then set the file’s security descriptor to grant Everyone GENERIC_ALL over the file. Since a low privileged user has control of that file, it is possible to delete it and replace it with a hardlink that points to a privileged file. In this case, we are creating a hardlink that points to “C:\Program Files (x86)\Origin\OriginWebHelperService.exe” (using James Forshaw’s Symbolic Link Testing Tools).

After creating the hardlink, restarting the “Origin Client Service” service will cause it to try and set the DACL on “C:\ProgramData\Origin\local.xml” to grant “FullControl” rights to the “AuthenticatedUsers” group. Since a hardlink is in place, it will follow it and end up setting the DACL on “C:\Program Files (x86)\Origin\OriginWebHelperService.exe” instead. With the DACL on “C:\Program Files (x86)\Origin\OriginWebHelperService.exe” overwritten, all that needs to be done to elevate privileges is to stop the Origin Web Helper Service, replace “C:\Program Files (x86)\Origin\OriginWebHelperService.exe” and then start the service again. The service will fail to start since “Payload.exe” is not a service executable, but the service will start it and cmd.exe will be running as “NT AUTHORITY\SYSTEM”, resulting in elevation of privilege.

This vulnerability has been fixed in 10.8. The Origin team re-wrote the Origin client to include a “Restricted” mode that places restrictive ACLs on all of the Origin files.

March 13th, 2019: Vulnerability sent to the EA security team.
March 14th, 2019: EA acknowledged the vulnerability and assigned a case number.
March 28th, 2019: Followed up with EA to see if there is anything they need.
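The root cause described in this advisory is a privileged process that changes permissions on a file name inside a user-writable directory. The following is an added example, not code from the advisory or from EA, and not the fix EA shipped: it contrasts that by-name pattern with a by-handle check that refuses files with more than one hard link. POSIX mode bits stand in for the Windows DACL, and all file and function names are constructed for illustration.

```python
import os
import stat
import tempfile

WORLD_RW = 0o666  # assumption: stands in for the "Everyone: FullControl" grant

def grant_by_path(path):
    """Pattern from the advisory: create if missing, then set permissions by name."""
    if not os.path.exists(path):
        open(path, "w").close()
    os.chmod(path, WORLD_RW)  # lands on whatever file the name is linked to

def grant_by_handle(path):
    """Open first, validate the opened file, then set permissions on the handle."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        info = os.fstat(fd)
        # Same idea as checking nNumberOfLinks from GetFileInformationByHandle.
        if not stat.S_ISREG(info.st_mode) or info.st_nlink != 1:
            raise PermissionError(f"{path}: not a singly linked regular file")
        os.fchmod(fd, WORLD_RW)
    finally:
        os.close(fd)

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed scenario in a temp directory; returns what each variant did."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "service.bin")  # constructed stand-in
        config = os.path.join(root, "local.xml")
        with open(protected, "w") as fh:
            fh.write("placeholder")
        os.chmod(protected, 0o600)
        os.link(protected, config)  # the config name now refers to the protected file
        try:
            grant_by_handle(config)
            refused = False
        except PermissionError:
            refused = True
        after_checked = mode_of(protected)
        grant_by_path(config)
        after_unchecked = mode_of(protected)
        return refused, after_checked, after_unchecked

if __name__ == "__main__":
    print(demo())
```
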
