Up to 500 million users of Activision Blizzard games were for months exposed to a critical vulnerability in the updater that could have allowed attackers to smuggle malicious code onto their PCs.
The vulnerability affects all Activision Blizzard games that use the updater, including the popular Blizzard Entertainment titles World of Warcraft, Overwatch, Diablo III, Hearthstone and StarCraft II (according to The Hacker News). The German news magazine heise.de reports 500 million affected systems. Google security researcher Tavis Ormandy made the vulnerability public in this Project Zero article.
Update Agent vulnerable to DNS rebinding attack
According to Ormandy, the Update Agent runs a JSON-RPC server on localhost, port 1120, which accepts commands to install, update or maintain game components. Because of a security vulnerability, foreign websites could, under certain conditions, also send commands to the Update Agent through this JSON-RPC server.
An attack does, however, require that the attacker controls a domain and a DNS server. A DNS name under their control can then be rebound so that requests to it reach the local updater, letting the attacker's site pose as a Blizzard endpoint. If a victim visits such a compromised website, the attacker can send privileged commands to the updater and install arbitrary software on the system.
A bizarre solution from Blizzard
Ormandy reported the vulnerability to Blizzard on December 8, 2017. Communication apparently broke down on December 22, 2017, however, and the Blizzard developers no longer responded. Ormandy later noticed that Blizzard had closed the vulnerability in version 5996 of the Update Agent, but he notes that a very 'bizarre' solution was chosen.
Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist. I proposed they whitelist hostnames, but apparently that solution was too elegant and simple.
Blizzard's developers contacted Ormandy again and left a comment on his post saying that another patch, implementing a whitelist, is in internal quality control.
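As an added illustration (not Blizzard's or Ormandy's code) of the two policies contrasted above, and of why a hostname whitelist stops the DNS rebinding described earlier: the hash is the 32-bit FNV-1a the post names, while the allowed hostnames, the `/jsonrpc` path, the sample requests and the process names are assumptions.

```python
from typing import Optional, Set

FNV_OFFSET_32, FNV_PRIME_32 = 0x811C9DC5, 0x01000193
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed whitelist, not the Agent's


def fnv1a_32(data: str) -> int:
    """32-bit FNV-1a, the hash the post says the exename blacklist is keyed on."""
    h = FNV_OFFSET_32
    for b in data.encode():
        h = ((h ^ b) * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def blocked_by_exe_blacklist(client_exe: str, blacklist: Set[int]) -> bool:
    """Shipped fix (as described): refuse only if the caller's exename hash is listed.
    Any client name that is not on the list is served."""
    return fnv1a_32(client_exe) in blacklist


def host_header(raw_request: str) -> Optional[str]:
    """Host header value without the port (IPv6 literals unbracketed), or None."""
    for line in raw_request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("[") and "]" in host:   # e.g. [::1]:1120
                return host[1:host.index("]")]
            return host.rsplit(":", 1)[0]
    return None


def allowed_by_host_whitelist(raw_request: str) -> bool:
    """Proposed fix: serve only requests addressed to a name we own. A rebinding
    request reaches 127.0.0.1 but still carries the attacker's domain in Host,
    so it is refused; a request with no Host header is refused too."""
    host = host_header(raw_request)
    return host is not None and host in ALLOWED_HOSTS


# Constructed sample requests (placeholder domain), as a browser would send them
# to port 1120: one from a rebinding page, one from a legitimate local client.
REBIND_REQ = ("POST /jsonrpc HTTP/1.1\r\nHost: rebind.attacker.example:1120\r\n"
              "Content-Type: application/json\r\n\r\n{}")
LOCAL_REQ = "POST /jsonrpc HTTP/1.1\r\nHost: localhost:1120\r\n\r\n{}"
```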
But wait, there is probably more
There seems to be another critical design flaw, as this tweet suggests: they are using a certificate for the localhost server, which has to ship with its own private key.
— Tavis Ormandy (@taviso) December 6, 2017
According to this Google discussion, the certificate is compromised and needs to be revoked.