It’s all fixed now, thankfully
With Meltdown and Spectre fresh on our minds, things couldn’t get any worse. Right? Well, it seems another issue has been brought to our attention, and this one affected ALL of Blizzard’s games on the PC. Tavis Ormandy, a vulnerability researcher over at Google, has documented a vulnerability that could allow anyone to send commands to the Blizzard Update Agent. Anyone familiar with the agent knows that it is installed with the Blizzard Launcher and that it is a required tool for installing and updating all Blizzard titles on the PC.
All Blizzard games (World of Warcraft, Overwatch, Diablo III, Starcraft II, etc.) were vulnerable to DNS rebinding vulnerability allowing any website to run arbitrary code. 🎮 https://t.co/ssKyxfkuZo
— Tavis Ormandy (@taviso) January 22, 2018
Pretty scary when there are over 500 million active users running this application. And this isn’t just a proof of concept, as Tavis was able to test out the exploit. He goes on to explain the vulnerability and demonstrates it here. Keep in mind that this was back in December 2017.
All blizzard games are installed alongside a shared tool called “Blizzard Update Agent”, investor.activision.com claims they have “500 million monthly active users”, who presumably all have this utility installed.
The agent utility creates a JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the RPCs are from a legitimate source.
This endpoint is permitted without authentication, but all other requests must have a valid “Authorization” header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.
I don’t think this design will work because of an attack called “DNS rebinding”. Any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost.
To be clear, this means that *any* website can send privileged commands to the agent.
He goes on to state that he did contact someone at Blizzard and provided all the information that he discovered. So it should be an open-and-shut case, right? Well, after he reported the vulnerability, Blizzard stopped staying in contact with Tavis. You’d think that one of the biggest gaming companies on the planet would love to know about something such as this, or at least stay in contact with the person who pointed it out.
Blizzard were replying to emails, but stopped communicating on December 22nd.
However, as of today, Blizzard does appear to have patched the vulnerability about 6 hours ago. According to Tavis, what Blizzard did was completely different from what he recommended, and a bit uglier. Of course, Tavis wasn’t too thrilled about the entire situation.
Blizzard are no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution.
Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple.
I’m not pleased that Blizzard pushed this patch without notifying me, or consulting me on this.
Shortly after Tavis posted this update, Blizzard chimed in and stated that they’d be in contact with Tavis regarding the fix. They even mention that the fix he originally recommended is being worked on.
Blizzard here. We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue. We’re in touch with Tavis to avoid miscommunication in the future.
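To show what the Host header whitelist that Tavis proposed (and that Blizzard says is in QA) actually buys against DNS rebinding, here is an added example of my own; it is not the Agent’s code or anything from the Project Zero report. It assumes a loopback JSON RPC daemon on port 1120 (the port from the report) and uses hypothetical function names is_allowed_host and handle_request.

```python
# Added illustration, not Blizzard's Agent code: a Host-header allowlist
# for a localhost RPC daemon. With DNS rebinding the attacker's name
# resolves to 127.0.0.1, so the TCP connection reaches the daemon and a
# same-origin page can read the token, but the browser still sends the
# attacker's own hostname in the Host header. Checking that header is
# what stops the rebound request.
from typing import Optional, Tuple

RPC_PORT = 1120  # loopback RPC port from the report
# Names a browser legitimately uses to reach a loopback service.
ALLOWED_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def is_allowed_host(host_header: Optional[str]) -> bool:
    """Accept only Host values naming loopback, with no port or the RPC port."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:1120
        end = host.find("]")
        if end == -1:
            return False
        name, rest = host[1:end], host[end + 1:]
    else:
        name, sep, port = host.partition(":")
        if ":" in port:  # bare IPv6 without brackets is not a valid Host
            return False
        rest = sep + port
    if rest:
        port_str = rest[1:]
        if not port_str.isdigit() or int(port_str) != RPC_PORT:
            return False
    return name in ALLOWED_HOSTNAMES


def handle_request(headers: dict, token: str, expected_token: str) -> Tuple[int, str]:
    """Hypothetical request gate: the Host check runs before the token check,
    so a rebinding page never reaches the privileged command path even when
    it has managed to read a valid token."""
    if not is_allowed_host(headers.get("Host")):
        return 403, "host not allowed"
    if token != expected_token:
        return 401, "bad token"
    return 200, "command accepted"


if __name__ == "__main__":
    # Constructed sample: a rebound hostname versus a genuine localhost request.
    print(handle_request({"Host": "attacker.example:1120"}, "tok", "tok"))
    print(handle_request({"Host": "localhost:1120"}, "tok", "tok"))
```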
I have to say I agree with Tavis; I don’t like the way Blizzard handled this. Not to mention that this vulnerability was in the wild for how long? While I do applaud Blizzard for correcting the problem, they should have stayed in contact with Tavis from the moment he pointed it out. As for Tavis, huge thanks from a fellow Blizzard fan for bringing this to light. I’m one of those 500 million users. The last thing I needed was for someone to set up a rogue website and run a command that initiates downloads to my PC, or worse, sends a command to wipe my files.
Oh, and Tavis says he plans on looking at other titles and applications that have a high number of users. Way to stay vigilant!
I plan to look at other games with very high install bases (100M+) in the coming weeks.
— Tavis Ormandy (@taviso) January 22, 2018