(CVE-2024-57276) EA Game hacking with Windows Exploit!
Hacking a classic game with a classic attack vector.
The content on this blog is published for educational and informational purposes only. I am sharing my analysis and research to help others learn about cybersecurity threats and defensive techniques.
So many people want to try hacking games and report the findings to the vendor. But what if I told you that some classic attack vectors are still valid, such as the unquoted service path attack?
What is the Unquoted Service Path vulnerability?
It's pretty straightforward. When a service's executable path contains spaces and is not quoted, the Windows service control manager cannot tell where the path ends and the arguments begin, so it behaves differently. Instead of executing C:\User\someuser\Program Files\Vulnerable game\Updater.exe, it executes the first valid executable it finds along that path. This leads to local privilege escalation and arbitrary code execution.
For example:
If the correct path is
C:\Program Files\Vulnerable Game\Updater.exe
but the path is unquoted, the Windows service control manager tries to execute the following paths, in this order:
C:\Program.exe
C:\Program Files\Vulnerable.exe
C:\Program Files\Vulnerable Game\Updater.exe
The easiest way to exploit this vulnerability is to place your malicious executable exactly where the original executable is located and give it the same name, such as "Updater.exe". Next, all we need to do is restart the service, and just like that, the malicious executable runs.
Real-world scenario
Why do we need a lab when there are real targets out there waiting for us to exploit ethically? The game I will use for today's demonstration is Dragon Age Origins, published by Electronic Arts.
Disclaimer: This blog is purely educational. I will not take any responsibility if you get caught for any illegal activities.
I am actually a fan of this series; I even finished Dragon Age™ Inquisition with over 80 hours on record. But I died too many times in Dragon Age Origins, so I decided to take revenge on the game :(

So, first of all, we need to find any potentially vulnerable services that may exist on our computer. To do that, we need a PowerShell script called "PowerUp.ps1".
The PowerUp.ps1 script is used to find potential privilege escalation vectors on Windows.
Download link: https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1
Next, run the following commands to allow scripts to run in the PowerShell terminal.
PowerShell terminal:
In order to use the script, you need to import it first.
PowerShell terminal:
Now run the following command.
Output

As you can see, the output lists the vulnerable services, and unfortunately DAUpdaterSvc (the Dragon Age Origins game content updater) is one of them.
Moreover, we can also modify files in this folder!

Alternatively, we can check the folder permissions with the icacls command.
PowerShell terminal:

What you need to know about these file permissions:
F = Full access
RX = Read and execute
Normally, a low-privilege user's permissions are set to RX only. The reason BUILTIN\Users has full access to the Steam folder is convenience: "If you want to install mods, do you really need admin privileges just for that?" For the sake of usability, Steam grants full access even to standard users.
Now the requirements for exploiting the unquoted service path vulnerability are satisfied.
Additionally, because Steam grants Full access permissions to users, anyone can replace the service executable, and Windows does not verify that a service binary is legitimate before running it. That's why starting the DAUpdaterSvc service, which runs as the NT AUTHORITY\SYSTEM user, leads to local privilege escalation or arbitrary code execution.
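To make the path resolution order and the icacls permission check concrete, here is an added Python audit example (my own illustration, not code from this post, from PowerUp or from EA). It takes constructed ImagePath values and constructed icacls-style entries for BUILTIN\Users, lists the locations the service control manager would try for each unquoted path, flags the ones a standard user could write to, and shows the vendor-side fix of quoting the path. All service names other than DAUpdaterSvc, all paths and all ACL entries are made up for the example.

```python
"""Added audit example: enumerate the executables the Windows Service Control
Manager would try for an unquoted ImagePath, and flag the ones whose parent
directory a standard user (BUILTIN\\Users) can write to.

All service names, paths and ACL entries below are constructed for this
illustration; they are not output from the post's PowerUp or icacls runs.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple

# Constructed registry ImagePath values, keyed by service name.
SAMPLE_SERVICES: Dict[str, str] = {
    "DAUpdaterSvc": r"C:\Program Files\Vulnerable Game\Updater.exe",  # unquoted, spaces
    "QuotedSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',      # quoted: unambiguous
    "NoSpaceSvc": r"C:\Tools\agent.exe --daemon",                      # unquoted, no spaces in path
    "HelperSvc": r"C:\Custom Apps\Helper Tool\svc.exe",                # unquoted, spaces
}

# Constructed icacls-style ACEs granted to BUILTIN\Users, keyed by directory.
SAMPLE_USERS_ACES: Dict[str, str] = {
    "C:\\": "(OI)(CI)(RX)",
    r"C:\Program Files": "(OI)(CI)(RX)",
    r"C:\Program Files\Vulnerable Game": "(OI)(CI)(F)",  # the Steam-folder situation from the post
    r"C:\Custom Apps": "(OI)(CI)(M)",                    # a writable intermediate directory
    r"C:\Custom Apps\Helper Tool": "(OI)(CI)(RX)",
    r"C:\Tools": "(OI)(CI)(RX)",
}

INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
WRITE_RIGHTS = {"F", "M", "W"}  # icacls simple rights that let a user create or replace files


class Finding(NamedTuple):
    service: str
    candidate: str          # executable path the SCM would try
    users_can_write: bool   # True if BUILTIN\Users can write in its directory


def is_quoted(image_path: str) -> bool:
    return image_path.startswith('"')


def hijack_candidates(image_path: str) -> List[str]:
    """Return, in order, the program paths the SCM would try for an unquoted ImagePath.

    Mirrors CreateProcess: at every space, the text so far is tried as the program name,
    with .exe appended when it has no extension. Enumeration stops at the first token that
    already ends in .exe, which is the intended binary. A quoted path yields no candidates."""
    if is_quoted(image_path):
        return []
    candidates: List[str] = []
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        ends_with_exe = prefix.lower().endswith(".exe")
        candidates.append(prefix if ends_with_exe else prefix + ".exe")
        if ends_with_exe:
            break
    return candidates


def grants_write(ace: str) -> bool:
    """True if an icacls ACE string such as '(OI)(CI)(F)' carries a write-capable right."""
    rights = set()
    for group in re.findall(r"\(([A-Z,]+)\)", ace):
        rights.update(group.split(","))
    return bool((rights - INHERITANCE_FLAGS) & WRITE_RIGHTS)


def audit(services: Dict[str, str], users_aces: Dict[str, str]) -> List[Finding]:
    """Pair every candidate path with whether standard users can write to its directory."""
    findings = []
    for name, image_path in services.items():
        for candidate in hijack_candidates(image_path):
            parent = ntpath.dirname(candidate)
            findings.append(Finding(name, candidate, grants_write(users_aces.get(parent, ""))))
    return findings


def exposed(services: Dict[str, str], users_aces: Dict[str, str]) -> List[Finding]:
    """Only the findings where an unquoted path and a user-writable directory coincide."""
    return [f for f in audit(services, users_aces) if f.users_can_write]


def quoted_fix(image_path: str) -> str:
    """Vendor-side remediation: quote the executable portion of the ImagePath."""
    if is_quoted(image_path):
        return image_path
    match = re.search(r"\.exe\b", image_path, re.IGNORECASE)
    if match is None:
        return f'"{image_path}"'
    exe, args = image_path[:match.end()], image_path[match.end():]
    return f'"{exe}"{args}'


if __name__ == "__main__":
    for f in exposed(SAMPLE_SERVICES, SAMPLE_USERS_ACES):
        print(f"{f.service}: standard users can plant {f.candidate}")
        print(f"  fix: ImagePath = {quoted_fix(SAMPLE_SERVICES[f.service])}")
```

On the constructed data, DAUpdaterSvc is flagged at the intended binary's own folder (the writable game directory, as in the post), while HelperSvc is flagged at an intermediate prefix (C:\Custom Apps\Helper.exe), which is the textbook unquoted path case; the quoted service and the one without spaces produce no findings. On a real host the two inputs would come from the registry ImagePath values and from icacls output, and the remediation is to quote the path (which is what PowerUp reports and what EA's later patch made moot by removing the service).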
Cooking time!
Here comes the fun part. Our objective is to plant our fake DAUpdaterSvc executable and let the NT AUTHORITY\SYSTEM user start or restart the service, or simply open the game and interact with this service.
First, we need to craft (cook) the payload.
C code:

Explanation
#include <stdlib.h> is the C standard library header. Without it, it feels like an XSS payload without a tag (just kidding).
main() is the main function, and int is its return type, used for return 0; (exit the program).
i is obviously a variable that stores the PowerShell command.
net user dave2 password! /add is the PowerShell command that creates a new user account.
net localgroup administrators dave2 /add is also a PowerShell command; it adds the dave2 user to the administrators group (admin group = high privilege).
As you can see, this is just source code; you still need to turn it into an executable, and that's where GCC kicks in.
GCC is a compiler. It's like translating Spanish into English.
Open your Ubuntu WSL or Kali VM and run this command:
Linux terminal:

Then move our malicious executable to where the original .EXE file is located.

And lastly, run the following PowerShell command to start the service.
PowerShell terminal:
Before

After

Exploited!
That's it. Actually, I could do arbitrary code execution, like crafting a reverse shell .EXE and opening a listening port to wait for a connection, but I am a bit lazy. If you want to try that, just go to https://www.revshells.com/, copy and paste the C reverse shell payload into your source code, and use GCC to compile it. That also works.
Final
After I discovered this vulnerability, I contacted EA directly and we came to the conclusion that this is a medium-risk vulnerability under their risk evaluation criteria. Because the severity is not high or critical, they would not assign me a CVE. However, I escalated this to MITRE and eventually got my name on this CVE - https://nvd.nist.gov/vuln/detail/CVE-2024-57276

Not long after the CVE was published, EA released a new patch for Dragon Age Origins that removed the vulnerable service executable to mitigate the vulnerability - https://steamdb.info/patchnotes/16816164/
