N/A

Electronic Arts Origin 10.5.55.33574 is vulnerable to local privilege escalation due to arbitrary directory DACL manipulation, a different issue than CVE-2019-19247 and CVE-2019-19248. When Origin.exe connects to the named pipe OriginClientService, the privileged service verifies the client's executable file instead of its in-memory process (which can be significantly different from the executable file due to, for example, DLL injection). Data transmitted over the pipe is encrypted using a static key. Instead of hooking the pipe communication directly via WriteFileEx(), this can be bypassed by hooking the EVP_EncryptUpdate() function of libeay32.dll. The pipe takes the command CreateDirectory to create a directory and adjust the directory DACL. Calls to this function can be intercepted, the directory and the DACL can be replaced, and the manipulated DACL is written. Arbitrary DACL write is further achieved by creating a hardlink in a user-controlled directory that points to (for example) a service binary. The DACL is then written to this service binary, which results in escalation of privileges.

N/A

N/A

Electronic Arts Origin 安全漏洞

Electronic Arts Origin是美国艺电（Electronic Arts）公司的一款游戏管理平台。该平台包括电子软件分发、数字版权管理及社交系统等功能。 Electronic Arts Origin 10.5.55.33574版本中存在安全漏洞。攻击者可通过绕过通道及黑名单过滤器利用该漏洞写入被修改的自由访问控制列表，从而提升权限。

N/A

N/A