
Blocklist npuplaypc.dll (uplaypc/Ubisoft Uplay) plugin

Status: RESOLVED FIXED
Product: Toolkit
Component: Blocklisting
Priority: --
Severity: blocker
Reported: 5 years ago
Last modified: a year ago

People

(Reporter: kinetik, Assigned: jorgev)

Tracking

({qawanted, sec-vector})

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
taviso has revealed that the Ubisoft Uplay plugin can be used to run executables at arbitrary paths on the user's filesystem from script with the user's privileges. See the full-disclosure link for more details.

Comment 1

5 years ago
http://pastehtml.com/view/c6gxl1a79.html reportedly contains a working POC for Firefox.
We should immediately stage a softblock for this plugin until an update is available, since exploiting this is trivial. Ubisoft has been informed by Tavis (and they are tracking it under #120729-000613), but it doesn't seem that an update is available yet.
Keywords: sec-vector
Severity: normal → blocker
Platform scope is larger than flagged too.
(Assignee)

Comment 4

5 years ago
I staged the block: https://addons-dev.allizom.org/en-US/firefox/blocked/p103. I need someone with this plugin to test the block using these instructions: https://wiki.mozilla.org/Blocklisting/Testing

This block works with all versions up to 2.03. According to this article: http://www.rockpapershotgun.com/2012/07/30/psa-possible-security-risk-in-some-ubisoft-pc-games/, version 2.04 was released to close this hole. Can someone verify this?
Assignee: nobody → jorge
Keywords: qawanted

Comment 5

5 years ago
I have the 2.03 installer. While the installer didn't manage to install the plugins, I extracted them from the NSIS installer package and put them in my System folder.

The plugins appear like so in about:plugins

Uplay PC

    File: C:\Windows\SysWOW64\npuplaypc.dll
    Version: 1.0.0.0
    Uplay PC Plugin

MIME Type 	Description 	Suffixes
application/x-uplaypc 	Uplay PC 	

Uplay PC Hub Plugin

    File: C:\Windows\SysWOW64\npuplaypchub.dll
    Version: 1.0.0.1
    0.3

MIME Type 	Description 	Suffixes
application/x-uplaypchub 	uplay_npapi 	foo

They have no version numbers. Furthermore, the link to the PoC does not produce any results on Win7 64 bit. Still, I'll install release and make sure the softblock works if it helps.

Comment 6

5 years ago
I installed release (14.0.1), created a new profile, verified the plugins were picked up by Fx, changed the blocklist URL and once I ran the code snippet to force a blocklist update I got a popup informing me about the block of Uplay PC, prompting me to restart.

Sorry for the bugspam, hope this was of help.

Comment 7

5 years ago
Created attachment 647196 [details]
Screenshot of plugin block dialog.
(Assignee)

Comment 8

5 years ago
The plugin block is now in production: https://addons.mozilla.org/en-US/firefox/blocked/. I amended it so that it is a softblock, and the max version is now set to 1.0.0.0, since that's the current plugin version.

Please verify.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 9

5 years ago
Created attachment 647254 [details]
live blocklist.xml

With the Uplay plugin enabled, and having created a new profile, forcing a blocklist ping results in no obvious effect. The blocklist.xml file updates normally as shown by the file date modification attribute. Attached is the blocklist.xml as of 2 minutes ago. I couldn't find an entry for the Uplay plugin in it.
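The check described in Comments 5, 8 and 9 (does the downloaded blocklist.xml contain an entry that covers the installed plugin's filename and version?) can be automated rather than read by eye. The following is an added example, not code from the bug or from Mozilla: it parses a constructed blocklist fragment modelled on the legacy Firefox blocklist.xml layout (`pluginItems`/`pluginItem`/`match`/`versionRange`; the element and attribute layout, the namespace and the regex matching semantics are assumptions on my part), using only the values the bug itself gives (block p103, filename npuplaypc.dll, max version 1.0.0.0). The empty blocklist mirrors the state Comment 9 observed before the CDN cache expired.

```python
"""Check a legacy Firefox blocklist.xml for an entry covering an NPAPI plugin.

Added example, not Mozilla code. The XML below is constructed: the blockID,
filename and maxVersion are taken from the bug report, the element layout
and attribute semantics are an assumption about the legacy format.
"""
import re
import xml.etree.ElementTree as ET

# Namespace the legacy blocklist used (assumed here).
NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}

# Constructed fragment: a softblock for npuplaypc.dll up to version 1.0.0.0.
SAMPLE_BLOCKLIST = r"""<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems>
    <pluginItem blockID="p103">
      <match name="filename" exp="npuplaypc\.dll"/>
      <versionRange severity="0" maxVersion="1.0.0.0"/>
    </pluginItem>
  </pluginItems>
</blocklist>
"""

# Constructed: a blocklist that has not yet picked up the new entry (Comment 9).
EMPTY_BLOCKLIST = r"""<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems/>
</blocklist>
"""


def parse_version(v):
    """Split a dotted version into a list of ints; non-numeric tails count as 0."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return parts


def version_cmp(a, b):
    """Return -1, 0 or 1 comparing dotted versions, padding with zeros ("1.0" == "1.0.0.0")."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version, version_range):
    """True if version lies within the optional minVersion/maxVersion bounds (inclusive)."""
    lo = version_range.get("minVersion")
    hi = version_range.get("maxVersion")
    if lo and version_cmp(version, lo) < 0:
        return False
    if hi and version_cmp(version, hi) > 0:
        return False
    return True


def find_plugin_block(blocklist_xml, plugin):
    """Return {'blockID', 'severity'} for the first pluginItem covering `plugin`, else None.

    `plugin` is a dict such as about:plugins would yield: keys 'filename',
    'name', 'description' (any may be absent) and 'version'. Every <match>
    regex must match its field (assumed semantics: unanchored search), and at
    least one <versionRange>, if any are present, must include the version.
    """
    root = ET.fromstring(blocklist_xml)
    for item in root.findall("bl:pluginItems/bl:pluginItem", NS):
        matches = item.findall("bl:match", NS)
        if not all(re.search(m.get("exp"), plugin.get(m.get("name"), "")) for m in matches):
            continue
        ranges = item.findall("bl:versionRange", NS)
        if ranges and not any(in_range(plugin["version"], vr) for vr in ranges):
            continue
        severity = ranges[0].get("severity") if ranges else None
        return {"blockID": item.get("blockID"), "severity": severity}
    return None


if __name__ == "__main__":
    # The two plugins Comment 5 lists in about:plugins.
    uplay = {"filename": "npuplaypc.dll", "version": "1.0.0.0"}
    hub = {"filename": "npuplaypchub.dll", "version": "1.0.0.1"}
    print("live list, npuplaypc.dll   :", find_plugin_block(SAMPLE_BLOCKLIST, uplay))
    print("live list, npuplaypchub.dll:", find_plugin_block(SAMPLE_BLOCKLIST, hub))
    print("stale list, npuplaypc.dll  :", find_plugin_block(EMPTY_BLOCKLIST, uplay))
```

Run it against the real blocklist.xml from the profile directory by reading the file into `find_plugin_block` in place of the constructed strings; a `None` result for the installed plugin's filename and version is the "no entry yet" condition Comment 9 reports, and a hit whose version range excludes the installed version is the case Comment 8 adjusted for when it changed the max version to 1.0.0.0. The `severity` value is returned as-is; mapping it to soft versus hard block is left to the reader because that mapping is not shown on this page.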
(Assignee)

Comment 10

5 years ago
It might take an hour or two because of caching.

Comment 11

5 years ago
Yep, seems to work now.
Attachment #647254 - Attachment mime type: application/octet-stream → text/plain

Comment 12

5 years ago
Discussed on the interwebs:
* https://news.ycombinator.com/item?id=4311264
* http://www.reddit.com/r/Games/comments/xe7pd/fix_released_for_ubisofts_uplay_security_hole/
* http://www.reddit.com/r/technology/comments/xdwqk/ubisoft_uplay_drm_backdoor_allows_any_web_page_to/
* http://www.reddit.com/r/Games/comments/xdsu5/ubisoft_uplay_drm_exposed_as_rootkit_dozens_of/

Patched by Ubi:
* http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix
* https://twitter.com/UplayUbisoft/status/229995801949134848

Comment 13

2 years ago
[Tracking Requested - why for this release]:
tracking-b2g: --- → ?
tracking-b2g: ? → ---
Product: addons.mozilla.org → Toolkit