Closed
Bug 778686
Opened 11 years ago
Closed 11 years ago
Blocklist npuplaypc.dll (uplaypc/Ubisoft Uplay) plugin
Categories
(Toolkit :: Blocklist Policy Requests, defect)
RESOLVED
FIXED
People
(Reporter: kinetik, Assigned: jorgev)
Details
(Keywords: qawanted, sec-vector)
Attachments
(2 files)
taviso has revealed that the Ubisoft Uplay plugin can be used to run executables at arbitrary paths on the user's filesystem from script with the user's privileges. See the full-disclosure link for more details.
Comment 1•11 years ago
http://pastehtml.com/view/c6gxl1a79.html reportedly contains a working POC for Firefox.
Comment 2•11 years ago
We should immediately stage a softblock for this plugin until an update is available, since exploiting this is trivial. Ubisoft has been informed by Tavis (and they are tracking it under #120729-000613), but it doesn't seem that an update is available yet.
Keywords: sec-vector
Severity: normal → blocker
Comment 3•11 years ago
Platform scope is larger than flagged too.
Comment 4 (Assignee)•11 years ago
I staged the block: https://addons-dev.allizom.org/en-US/firefox/blocked/p103. I need someone with this plugin to test the block using these instructions: https://wiki.mozilla.org/Blocklisting/Testing This block works with all versions up to 2.03. According to this article: http://www.rockpapershotgun.com/2012/07/30/psa-possible-security-risk-in-some-ubisoft-pc-games/, version 2.04 was released to close this hole. Can someone verify this?
Assignee: nobody → jorge
Keywords: qawanted
I have the 2.03 installer. While the installer didn't manage to install the plugins, I extracted them from the NSIS installer package and put them in my System folder. The plugins appear like so in about:plugins:

Uplay PC
File: C:\Windows\SysWOW64\npuplaypc.dll
Version: 1.0.0.0
Uplay PC Plugin
MIME Type Description Suffixes
application/x-uplaypc Uplay PC

Uplay PC Hub Plugin
File: C:\Windows\SysWOW64\npuplaypchub.dll
Version: 1.0.0.1 0.3
MIME Type Description Suffixes
application/x-uplaypchub uplay_npapi foo

They have no version numbers. Furthermore, the link to the PoC does not produce any results on Win7 64 bit. Still, I'll install release and make sure the softblock works if it helps.
I installed release (14.0.1), created a new profile, verified the plugins were picked up by Fx, changed the blocklist URL and once I ran the code snippet to force a blocklist update I got a popup informing me about the block of Uplay PC, prompting me to restart. Sorry for the bugspam, hope this was of help.
Comment 8 (Assignee)•11 years ago
The plugin block is now in production: https://addons.mozilla.org/en-US/firefox/blocked/. I amended it so that it is a softblock, and the max version is now set to 1.0.0.0, since that's the current plugin version. Please verify.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
With the Uplay plugin enabled, and having created a new profile, forcing a blocklist ping results in no obvious effect. The blocklist.xml file updates normally as shown by the file date modification attribute. Attached is the blocklist.xml as of 2 minutes ago. I couldn't find an entry for the Uplay plugin in it.
Comment 10 (Assignee)•11 years ago
It might take an hour or two because of caching.
Comment 11•11 years ago
Yep, seems to work now.
Updated•11 years ago
Attachment #647254 -
Attachment mime type: application/octet-stream → text/plain
Comment 12•11 years ago
Discussed on the interwebs:
* https://news.ycombinator.com/item?id=4311264
* http://www.reddit.com/r/Games/comments/xe7pd/fix_released_for_ubisofts_uplay_security_hole/
* http://www.reddit.com/r/technology/comments/xdwqk/ubisoft_uplay_drm_backdoor_allows_any_web_page_to/
* http://www.reddit.com/r/Games/comments/xdsu5/ubisoft_uplay_drm_exposed_as_rootkit_dozens_of/

Patched by Ubi:
* http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix
* https://twitter.com/UplayUbisoft/status/229995801949134848
Updated•8 years ago
tracking-b2g:
? → ---
Updated•7 years ago
Product: addons.mozilla.org → Toolkit