taviso has revealed that the Ubisoft Uplay plugin can be used to run executables at arbitrary paths on the user's filesystem from script with the user's privileges. See the full-disclosure link for more details.
http://pastehtml.com/view/c6gxl1a79.html reportedly contains a working POC for Firefox.
We should immediately stage a softblock for this plugin until an update is available, since exploiting this is trivial. Ubisoft has been informed by Tavis (and they are tracking it under #120729-000613), but it doesn't seem that an update is available yet.
Platform scope is larger than flagged too.
I staged the block: https://addons-dev.allizom.org/en-US/firefox/blocked/p103. I need someone with this plugin to test the block using these instructions: https://wiki.mozilla.org/Blocklisting/Testing. This block works with all versions up to 2.03. According to this article: http://www.rockpapershotgun.com/2012/07/30/psa-possible-security-risk-in-some-ubisoft-pc-games/, version 2.04 was released to close this hole. Can someone verify this?
I have the 2.03 installer. While the installer didn't manage to install the plugins, I extracted them from the NSIS installer package and put them in my System folder. The plugins appear like so in about:plugins:

Uplay PC
File: C:\Windows\SysWOW64\npuplaypc.dll
Version: 22.214.171.124
Uplay PC Plugin
MIME Type Description Suffixes
application/x-uplaypc Uplay PC

Uplay PC Hub Plugin
File: C:\Windows\SysWOW64\npuplaypchub.dll
Version: 126.96.36.199
0.3
MIME Type Description Suffixes
application/x-uplaypchub uplay_npapi foo

They have no version numbers. Furthermore, the link to the PoC does not produce any results on Win7 64 bit. Still, I'll install release and make sure the softblock works if it helps.
I installed release (14.0.1), created a new profile, verified the plugins were picked up by Fx, changed the blocklist URL and once I ran the code snippet to force a blocklist update I got a popup informing me about the block of Uplay PC, prompting me to restart. Sorry for the bugspam, hope this was of help.
The plugin block is now in production: https://addons.mozilla.org/en-US/firefox/blocked/. I amended it so that it is a softblock, and the max version is now set to 188.8.131.52, since that's the current plugin version. Please verify.
Created attachment 647254: live blocklist.xml

With the Uplay plugin enabled, and having created a new profile, forcing a blocklist ping results in no obvious effect. The blocklist.xml file updates normally, as shown by the file date modification attribute. Attached is the blocklist.xml as of 2 minutes ago. I couldn't find an entry for the Uplay plugin in it.
It might take an hour or two because of caching.
Yep, seems to work now.
Discussed on the interwebs:
* https://news.ycombinator.com/item?id=4311264
* http://www.reddit.com/r/Games/comments/xe7pd/fix_released_for_ubisofts_uplay_security_hole/
* http://www.reddit.com/r/technology/comments/xdwqk/ubisoft_uplay_drm_backdoor_allows_any_web_page_to/
* http://www.reddit.com/r/Games/comments/xdsu5/ubisoft_uplay_drm_exposed_as_rootkit_dozens_of/

Patched by Ubi:
* http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix
* https://twitter.com/UplayUbisoft/status/229995801949134848