All Blizzard games were vulnerable to a now-patched DNS exploit

There seems to be vulnerabilities creeping up everywhere these days, even ones not associated with the highly publicized Spectre and Meltdown architecture flaws. A new one was just publicly revealed, which made all of Blizzard's game's susceptible to DNS rebinding.

Uncovered by Google vulnerability researcher Tavis Ormandy back on December 8, the flaw was found in the Blizzard Update Agent, which controls access to all of Blizzard's games, such as World of Warcraft, Overwatch, StarCraft 2 and even Bungie's Destiny 2. He went on to explain just how and why it worked:

The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc's are from a legitimate source ...

This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.

I don't think this design will work because of an attack called "dns rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.

To be clear, this means that *any* website can send privileged commands to the agent.

Here, he shows how the exploit works:

He immediately sent a report to a Blizzard contact he has, who assured him it would get to the right people. And while initial communication was good, the company eventually stopped responding to him as of December 22, prompting him to go public with his findings.

It was around that time that Ormandy noticed the makeshift patch released yesterday that seemed a bit convoluted. "Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist," he said on the vulnerability page. "I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple."

The tweet likely ruffled some feathers as Blizzard went to the page to leave their own response that a more intricate fix was currently in QA. "The executable blacklisting code is actually old and wasn't intended to be a resolution to this issue. We're in touch with Tavis to avoid miscommunication in the future."

It's nice to see that Blizzard has a better fix coming, but it's a shame they had to be publicly outed for communication to continue.

Via: PCGameN

Don't forget to follow us @NeowinGaming on Twitter to keep up to date with our gaming coverage!

Report a problem with article
Previous Story

RED reveals summer release for its Hydrogen One smartphone

Next Story

Nvidia wants retailers to help gamers find GPUs amid cryptocurrency craze

1 Comments - Add comment

Advertisement