EA Games' Origin client contained privilege escalation vuln that anyone with user-grade access could exploit
Fancy getting system privs? Swap out a DLL and you're in
A British infosec outfit spotted a privilege escalation vulnerability in EA Games’ Origin client after discovering the software was hunting for an absent DLL file when users opened it.
Nettitude found the priv-esc after researcher Tom Wilson fired up Origin and ran Process Monitor (Procmon) over it to see what Origin was calling when it ran.
As Nettitude's Rob Bone told The Register: “The crux is Origin itself tries to load a binary from a path that doesn’t exist. It’s most likely that it does exist under dev boxes but was not trimmed from the final polished product.”
Directly affected was Origin’s deployment of the Qt widget toolkit used for creating graphical user interfaces (GUIs) and cross-platform apps capable of running on different hardware and software environments.
The vuln could have allowed a switched-on attacker to gain system privileges on the host device, in turn opening it up to more advanced levels of badness – such as turning it into part of a botnet, or installing malware to slurp the local user’s credit card details, or whatever else you can imagine a criminal might do with a freshly compromised machine.
To be exploitable, an attacker would need at least user-level access to the target device. While this normally puts vulns found in corporate software into the “nice in theory” box, this one mostly affected consumer-grade computers being used at home.
Chris Oakley, Nettitude’s technical services veep, explained to The Register: “Mostly it’ll affect people’s home machines... and most of those are going to have free or low tier [security] products, if any. Normally that’s only going to affect that particular user, but in the current climate a lot of those people are working from home on personal machines.”
Origin had about 30 million users, according to a public financial filings by Electronic Arts posted some eight years ago. No more recent stats are available. The platform competes with Valve’s Steam game distribution platform and hosts The Sims franchise, among others.
Procmon revealed that two Origin system-level services were searching for a folder at [code]C:\platforms. This doesn’t exist on a bog standard Windows 10 installation, so Nettitude created it to see what would happen. By running the ProcessHacker tool, researchers realised OriginWebHelperService.exe was trying to call a DLL named qwindows.dll from the directory [code]C:\Program Files (x86)\Origin\Platforms.
Copying the contents of the correctly formatted folder into the mysterious [code]platforms folder showed OriginWebHelperService.exe was loading qwindows.dll “directly” into the process. A little light tinkering to ensure the DLL contained the right functions that OriginWebHelperService.exe was looking for scored a successful “low level” compromise.
Upon realising that the Origin Client Service was vulnerable to the same DLL hijacking vuln, Nettitude was able to open a command prompt with elevated privileges, running under NT AUTHORITY\SYSTEM, as detailed in its blog post.
“By adding those DLLs to that location we could have those loaded by the process and as that runs, a high integrity process with admin [privileges] on the host, that path is writable by any user,” explained Bone.
Oakley added that EA “worked quite well with us” during the vuln disclosure process, contrasting that with less positive responses he had seen from other companies in similar situations. The vuln was eventually allocated CVE-2020-27708 and detailed by EA itself in an advisory on its website. Gamers should confirm they’re running version 10.5.86 or later to ensure the Origin client is patched against this vuln.
In a statement EA said: “At the time of publication of this advisory we are not aware of any attacks against EA’s players that leverage this vulnerability.”
That may not last for long, however, so get updating. ®