Origin client service
9/22/2023

We recently assessed the security posture of the Electronic Arts Origin Client and discovered a privilege escalation issue that allows a low-privilege attacker to elevate to NT AUTHORITY\SYSTEM. This has been recorded as CVE-2020-27708.

Origin is a digital distribution platform by Electronic Arts, who own the brand EA Games. EA acquired the Origin trademark when it purchased Origin Systems in 1992. The platform allows a reported 39 million users to download and install games by Electronic Arts.

First, we used the free SysInternals Process Monitor tool (procmon) to look for any low-hanging fruit. Something immediately stood out: two system services were looking for the directory C:\platforms, which they were not able to locate. In Microsoft Windows, any user is by default able to create a directory in the root of the C drive, so we created C:\platforms and followed this with a second run of procmon. As can be seen in the second procmon output, a directory listing now takes place on C:\platforms, which is interesting and something we made a note of.

Our next course of action was to look at one of the service processes, OriginWebHelperService.exe, using another free tool, ProcessHacker. Something immediately stood out to us, which can be seen in the image below: OriginWebHelperService.exe loads a DLL, qwindows.dll, from the directory C:\Program Files (x86)\Origin\platforms\.

Because of the similar names, C:\platforms and C:\Program Files (x86)\Origin\platforms\, we decided to copy the contents of the latter into C:\platforms. We then ran ProcessHacker again to view the loaded modules within OriginWebHelperService.exe. Surprisingly, the copied DLL was loaded directly into the OriginWebHelperService.exe process.

The next step was to replace qwindows.dll with our own malicious DLL that would open a command prompt on behalf of a low-privilege user. This is where we hit a slight bump in the road. We could see in a procmon log that our DLL was being read; however, it was then closed and the original qwindows.dll was read from the Program Files path.

Using another free tool, CFF Explorer, we took a look at qwindows.dll. It has only two exported functions, qt_plugin_instance and qt_plugin_query_metadata. Looking at the sections within qwindows.dll, two stood out to us. What if the Origin Client executables were scanning the DLLs in the C:\platforms directory and looking for these sections before loading the DLL? We decided to find out and proceeded to copy the data from these two sections into our own malicious DLL, in sections with identical names. The result was immediate: our DLL was loaded into the OriginWebHelperService.

The OriginWebHelperService runs as Local Service, which is a low-privilege account and requires some further effort in order to gain full NT AUTHORITY\SYSTEM privileges. A recent paper by Antonio Cocomazzi details several ways to break out of Local Service accounts by abusing the SeImpersonatePrivilege. We could have attempted to use the "Chimichurri Reloaded" technique, for example. However, there is another service included with Origin, "Origin Client Service", which runs under the account NT AUTHORITY\SYSTEM and shares the same DLL hijacking vulnerability as the OriginWebHelperService. At this point we changed our focus to "Origin Client Service".

Using the sdshow command of sc.exe, the Windows Service Control tool, it was possible to view the security permissions of the Origin Client Service. The Security Descriptor Definition Language (SDDL) output from sc sdshow shows the service's security descriptor, which suspiciously contains an access-allowed ACE for the well-known SID string "BU", which represents the BUILTIN\Users group (in SDDL, the RP and WP rights in such an ACE correspond to SERVICE_START and SERVICE_STOP). More detail can be obtained using a PowerShell script. This allowed us to determine that any user is able to start and stop the OriginClientService.exe service. This is an added bonus: we now don't have to wait for a reboot in order to execute our malicious payload, we can simply start the service (for example with sc.exe start) and get as many elevated command prompts as we want.

While both the OriginWebHelperService and the OriginClientService were vulnerable to the issue, the path of least resistance was to exploit the OriginClientService, gaining SYSTEM privileges directly.
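The SDDL check above, as an added example that is not code from the original post or from Electronic Arts: a small parser for the string that `sc.exe sdshow <service>` prints, which decodes each ACE's rights field and flags any allow-ACE that gives a low-privilege principal (BU, AU, Everyone, and so on) the right to start, stop or reconfigure the service. The two SDDL strings embedded in the block are constructed for the example (a stock service descriptor, and the same descriptor with an extra BU entry); they are not Origin's real descriptor.

```python
"""Decode the SDDL string that `sc.exe sdshow <service>` prints and flag
ACEs that let low-privilege principals start, stop or reconfigure a service."""
import re
from dataclasses import dataclass

# Service access rights from winsvc.h/winnt.h, keyed by the two-letter
# mnemonic SDDL uses in an ACE's rights field.
RIGHTS = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG (rewrite binPath, etc.)
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE
    "GR": 0x80000000,  # GENERIC_READ
}

# Rights that let the holder run the service binary on demand or take the service over.
DANGEROUS = {"RP", "WP", "DC", "WD", "WO", "GA", "GW"}

# SDDL well-known SID aliases that any local user can satisfy. (Note "WD" here is
# the Everyone SID; in the rights field the same letters mean WRITE_DAC.)
LOW_PRIV_SIDS = {
    "BU": r"BUILTIN\Users",
    "AU": r"NT AUTHORITY\Authenticated Users",
    "WD": "Everyone",
    "IU": r"NT AUTHORITY\INTERACTIVE",
    "BG": r"BUILTIN\Guests",
    "AN": r"NT AUTHORITY\ANONYMOUS LOGON",
}


@dataclass
class Ace:
    ace_type: str  # "A" allow, "D" deny, "AU" audit, ...
    flags: str
    mask: int
    sid: str       # two-letter alias or S-1-... string


def parse_mask(field: str) -> int:
    """The rights field is either a hex literal or a run of two-letter mnemonics."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in RIGHTS:
            raise ValueError(f"unknown right {token!r} in {field!r}")
        mask |= RIGHTS[token]
    return mask


def decode_mask(mask: int) -> list[str]:
    """Mnemonics set in an access mask, in RIGHTS order."""
    return [name for name, bit in RIGHTS.items() if mask & bit]


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs of the D: component (everything up to the S: SACL)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL component in SDDL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(parts[0], parts[1], parse_mask(parts[2]), parts[5]))
    return aces


def weak_aces(sddl: str) -> list[tuple[str, list[str]]]:
    """Allow-ACEs that grant a DANGEROUS right to a low-privilege principal."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type != "A" or ace.sid not in LOW_PRIV_SIDS:
            continue
        granted = [r for r in decode_mask(ace.mask) if r in DANGEROUS]
        if granted:
            findings.append((LOW_PRIV_SIDS[ace.sid], granted))
    return findings


# Constructed samples: a stock service descriptor, and the same one with an extra
# ACE giving BUILTIN\Users (BU) start (RP) and stop (WP). Not Origin's real descriptor.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = DEFAULT_SDDL.replace("S:", "(A;;CCLCSWRPWPDTLOCRRC;;;BU)S:")

if __name__ == "__main__":
    # On a live host you would feed in the real string instead, e.g.
    # subprocess.check_output(["sc.exe", "sdshow", "OriginClientService"], text=True).strip()
    for label, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(label, weak_aces(sddl) or "no low-privilege start/stop rights")
```

Only the DACL is inspected; the S: component is the audit SACL and grants nothing. A hit on RP/WP is exactly the condition the post relies on (start the service at will instead of waiting for a reboot), and DC, WD or WO for a low-privilege SID is worse still, since it allows the service configuration or the descriptor itself to be rewritten.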