Input validation error in Origin Client



Published: 2020-02-20 | Updated: 2020-08-08
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-19741
CWE-ID CWE-20
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		Origin Client
Client/Desktop applications / Games

Vendor Electronic Arts

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU34817

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19741

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

Electronic Arts Origin 10.5.55.33574 is vulnerable to local privilege escalation due to arbitrary directory DACL manipulation, a different issue than CVE-2019-19247 and CVE-2019-19248. When Origin.exe connects to the named pipe OriginClientService, the privileged service verifies the client's executable file instead of its in-memory process (which can be significantly different from the executable file due to, for example, DLL injection). Data transmitted over the pipe is encrypted using a static key. Instead of hooking the pipe communication directly via WriteFileEx(), this can be bypassed by hooking the EVP_EncryptUpdate() function of libeay32.dll. The pipe takes the command CreateDirectory to create a directory and adjust the directory DACL. Calls to this function can be intercepted, the directory and the DACL can be replaced, and the manipulated DACL is written. Arbitrary DACL write is further achieved by creating a hardlink in a user-controlled directory that points to (for example) a service binary. The DACL is then written to this service binary, which results in escalation of privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Origin Client: 10.5.2 - 10.5.55.33574

External links

http://medium.com/@tobiasgyoerfi/ea-origin-10-5-55-33574-createdirectory-arbitrary-dacl-write-privilege-escalation-cve-2019-19741-5f18adfabb27


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###