9/19/2023 0 Comments Origin client service cant startSome more investigations and I figured out that game was not installed by Origin client, service with name «Origin Client Service» installed it. I checked ACL of «C:\Program Files» – anything was normal: non-writeable for ordinal users. Suddenly I realize reason of my disturbance: game installed to «C:\Program Files\GameName», but Origin did not ask any UAC-question while installing. Some clicks, waited for download finished and game was ready to start. The process was so good and smooth, so it was very suspicious. It shows why it is hard to proper use of cryptography.Īll started when I install one game on Origin. By the way, Matt Nelson reported the same vulnerability, read his writeup. The major problems are to find a target program and write the dll. Interesting and exotic method - reading the hash of administrator’s password via unusual behavior of some functions. In fact, this is a widespread mechanism, so there are many available targets. «LogonUI.exe» (a program running as «NT AUTHORITY\SYSTEM», used by Windows for lockscreen and user selection screen), will load a library from path «C:\Windows\system32\ \amd64_-controls_6595b64144ccf1df_4.648_none_fb45a0e93062a6d2\comctl32.dll» due to special dll loading mechanism «.local-redirection» («dotlocal redirection»). Let me mention some of them.Įasy and reliable method - create directory «C:\Windows\system32\». Let us move on the next point.Įxploitation of arbitrary directory creation Moreover, it grants ACL «Everyone-Full control» for the folder.įrom here, an arbitrary folder was created as we wished. Service creates «C:\Path\To\ Target\Folder», due to redirections. The one detects an absence of the directory «C:\ProgramData\Origin\CatalogCache» and tries to create it. The client starts «Origin Client Service» service. In addition, this repo contains binaries for many tools. Via a combination of the links, any access to «C:\ProgramData\Origin\CatalogCache» will be redirected to «C:\Path\To\Target\Folder». Creating file-to-file symlinks requires administrator rights, but symlinks from object directory do not have such restriction. Now we create a symbolic link like «\RPC Control\CatalogCache» «C:\Path\To\Target\Folder». It cannot be viewed in the explorer, but the directory can be a target of the reparse point (it seems to be so, due to the common abstractions in the underlying Windows internals). «\RPC Control» - is not an ordinary folder, this is a special type of folders - an object directory. There are two requirements – the folder must be empty and the folder must be writable by a user (the folder was flushed on the previous step and rights were checked too). Reparse points creation does not require administrator rights. The first link is NTFS Reparse Point (NTFS Mount Point) - this kind of links redirect one folder to another: «C:\ProgramData\Origin» «\RPC Control». Terminate Origin client and stop «Origin Client Service» service (in fact, the service shutdowns itself after the program, so it is mentioned just in case).ĭirectory «C:\ProgramData\Origin» has explicit rights «Everyone-Full control». The second one was quite interesting, so I have shown in details how I have been finding it out.ġ) Arbitrary directory creation (with ACL «Everyone-Full control») Ģ) Obtain NT AUTHORITY\SYSTEM via 1 part. The first vulnerability is rather boring, so I briefly described it in the next section. In this case, we are talking about two “typical” escalation – from any user to «NT AUTHORITY/SYSTEM» (an account that has maximum permissions in the OS). These vulnerabilities allow any OS Windows user to obtain additional rights, which was not supposed to be given by default. I have found two «escalation of privilege» vulnerabilities (lpe – local privilege escalation and eop – escalation of privileges) in Origin Windows client. It was very easy for me to guide a project, special thanks to Adrian Stone, Elise Murphy and other EA employees who were also working with my reports. ![]() None of my e-mails was ignored even for a little discussion, the team organized a conference call. When I made a first contact, I was given a registration number all the reports were thoroughly examined and confirmed. security department was originally on a professional level. There will not be any «lock/unlock account» games this time – the communication history with the Electronic Arts Inc. ![]() In this article, I shown the vulnerabilities of a similar product – Origin Client – which is also a game launcher. Last time, in a small three-article cycle, I told about the vulnerabilities in Steam Client ( 1, 2, 3). ![]() I send my greetings to everyone who has decided to read my new article with vulnerability analysis.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |