Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation

Title: Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation
Advisory ID: ZSL-2015-5230
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 25.02.2015
Summary
Uplay PC is a desktop client which replaces individual game launchers previously used for Ubisoft games. With Uplay PC, you have all your Uplay enabled games and Uplay services in the same place and you get access to a whole new set of features for your PC games.
Description
Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group, making the entire directory 'Ubisoft Game Launcher' and its files and sub-dirs world-writable.
Vendor
Ubisoft Entertainment S.A. - http://www.ubi.com
Affected Version
5.0.0.3914 (PC)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[19.02.2015] Vulnerability discovered.
[19.02.2015] Vendor contacted with details sent.
[20.02.2015] Vendor replies and investigates.
[20.02.2015] Vendor confirms vulnerability.
[24.02.2015] Vendor plans to redesign the installer architecture and release new fixed version before the end of 2015.
[25.02.2015] Public security advisory released.
PoC
uplay2_pe.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Marc-André!
References
[1] http://forums.ubi.com/forumdisplay.php/513-Uplay
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5191.php
[3] http://packetstormsecurity.com/files/130526
[4] http://cxsecurity.com/issue/WLB-2015020133
[5] http://www.exploit-db.com/exploits/36189/
[6] http://osvdb.org/show/osvdb/118804
[7] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101198
[8] http://www.scip.ch/en/?vuldb.69234
Changelog
[25.02.2015] - Initial release
[02.03.2015] - Added reference [5] and [6]
[12.03.2015] - Added reference [7]
[14.03.2015] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk