- 2018/12/15 - Initial disclosure email sent to support@overwolf.com
- 2018/12/24 - Overwolf identified the issue and is in the remediation phase
- 2019/1/8 - This should be patched in v122
- 2019/1/n - Overwolf released version 122 with the fix included
- 2019/2/6 - Tested and confirmed fixed
- 2019/2/6 - Public disclosure
Overwolf were a pleasure to work with in resolving this, thank you to 'LEOkonami' for being a very helpful point of contact!
The Overwolf Platform, used to manage game-related plugins, creates a system service (OverwolfUpdater) with weak security permissions applied to the service binary, allowing the binary to be modified. This allows an unprivileged user to perform a privilege escalation attack and attain system-level access.
This is a local privilege escalation exploit: it would not perform the initial compromise of a host. This attack would allow a malicious user to gain privileged access to an already compromised host.
Service binaries and directories should be generated with appropriately secure security permissions to prevent malicious modification of the service binary.
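The following audit script is an added example and is not part of the original advisory or Overwolf's code. It lists Windows services whose executable, or the directory containing it, grants write or modify rights to low-privileged principals, which is the class of misconfiguration described above. It assumes an elevated PowerShell session on the host being audited; the principal list is a reasonable default, not an exhaustive one.

```powershell
# Added audit script, not part of the original advisory or Overwolf's code.
# Lists services whose binary (or its parent directory) can be modified by
# low-privileged principals. Assumes an elevated PowerShell session.

# Principals that any local user is a member of (assumed default list).
$weakPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights on a service binary lets a local user replace it.
$writeRights = [int]([System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,TakeOwnership,ChangePermissions')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted, unquoted with spaces, and may carry arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-WeakAces {
    param([string]$Path)
    # Return every Allow ACE that gives a weak principal write-class rights.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ((([int]($ace.FileSystemRights)) -band $writeRights) -ne 0) { $ace }
    }
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        # Check the binary itself and the directory it lives in.
        foreach ($target in @($bin, (Split-Path -Parent $bin))) {
            foreach ($ace in (Get-WeakAces $target)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName   # LocalSystem is the high-impact case
                    Path      = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Any row where RunsAs is LocalSystem and Path is the service executable is the condition this advisory describes and should be fixed by restricting the ACL to administrators and SYSTEM.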
This can be fairly trivially exploited with the Metasploit framework.
Once initial compromise has taken place:
The live Meterpreter session is detached and then the MSF exploit windows/local/service_permissions is executed with a further Meterpreter payload. A system shell is then presented very shortly afterwards.