# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation # Date: 2019-08-07 # Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi # Vendor Homepage: https://uplay.ubisoft.com/ # Version: 92.0.0.6280 # Tested on: Windows 10 x64 # CVE : N/A # Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission # that allows all BUILTIN-USER has full permission. An attacker replace the # vulnerability execute file with malicious file. /////////////////////// Proof of Concept /////////////////////// C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F) BUILTIN\Users:(OI)(CI)(IO)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) Vulnerability Disclosure Timeline: ================================== 07 Aug, 19 : Found Vulnerability 07 Aug, 19 : Vendor Notification 14 Aug, 19 : Vendor Response 18 Sep, 19 : Vendor Fixed 18 Sep, 19 : Vendor released new patched