Share
# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation  
# Date: 2019-08-07  
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi  
# Vendor Homepage: https://uplay.ubisoft.com/  
# Version: 92.0.0.6280  
# Tested on: Windows 10 x64  
# CVE : N/A  
  
# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission   
# that allows all BUILTIN-USER has full permission. An attacker replace the   
# vulnerability execute file with malicious file.  
  
///////////////////////  
Proof of Concept  
///////////////////////  
  
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"  
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)  
BUILTIN\Users:(OI)(CI)(IO)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
  
  
  
  
Vulnerability Disclosure Timeline:  
==================================  
07 Aug, 19 : Found Vulnerability  
07 Aug, 19 : Vendor Notification  
14 Aug, 19 : Vendor Response  
18 Sep, 19 : Vendor Fixed  
18 Sep, 19 : Vendor released new patched