Vulnerabilities seem to be cropping up everywhere these days, and not only ones tied to the highly publicized Spectre and Meltdown architecture flaws. A newly disclosed one left all of Blizzard's games susceptible to DNS rebinding.
Google vulnerability researcher Tavis Ormandy uncovered the flaw back on December 8 in the Blizzard Update Agent, the component that installs and updates all of Blizzard's games, such as World of Warcraft, Overwatch, StarCraft 2 and even Bungie's Destiny 2. He explained how and why it worked:
The agent utility creates a JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the RPCs are from a legitimate source ...
This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.
I don't think this design will work because of an attack called "dns rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.
To be clear, this means that *any* website can send privileged commands to the agent.
His report also includes a demonstration of the exploit in action.
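To make the mechanism concrete, here is an added JavaScript model of the attack Ormandy describes. It is neither his demonstration nor Blizzard's code: it models a localhost agent that hands out a token on one unauthenticated endpoint and demands it on every other request, a browser whose same-origin policy compares origin strings while the packets go wherever DNS currently points, and an attacker-controlled name whose second answer is 127.0.0.1. The endpoint paths (/agent, /install), the JSON shape, the token value and the attacker's hostname are assumptions made for the example. The `checkHost` switch adds the hostname whitelist Ormandy proposed as the fix.

```javascript
// Added illustration of DNS rebinding against a localhost JSON-RPC agent.
// Paths, JSON shape, token and hostnames are assumptions for this example,
// not Blizzard's real protocol.

const AGENT_PORT = 1120;

// Request handler modelling the agent. With checkHost=false the token is the
// only protection; with checkHost=true the Host header must name the
// loopback address the agent listens on (a hostname whitelist).
function makeAgent({ checkHost }) {
  const token = "0123456789abcdef"; // constructed sample token
  const installed = [];
  const allowedHosts = new Set([`localhost:${AGENT_PORT}`, `127.0.0.1:${AGENT_PORT}`]);
  return function handle(req) {
    if (checkHost && !allowedHosts.has(req.headers.host)) {
      return { status: 403, body: { error: "unexpected Host header" } };
    }
    if (req.method === "GET" && req.path === "/agent") {
      return { status: 200, body: { authorization: token } }; // no auth required
    }
    if (req.headers.authorization !== token) {
      return { status: 401, body: { error: "missing or bad token" } };
    }
    if (req.method === "POST" && req.path === "/install") {
      installed.push(req.body.product); // privileged command
      return { status: 200, body: { ok: true, installed: installed.slice() } };
    }
    return { status: 404, body: {} };
  };
}

// Resolver for one attacker-controlled name: the first answer is the
// attacker's server (so the page loads), every later answer is 127.0.0.1.
// A short TTL makes the browser ask again once the page is running.
function rebindingDns(name, attackerIp) {
  let lookups = 0;
  return function resolve(hostname) {
    if (hostname !== name) return null;
    lookups += 1;
    return lookups === 1 ? attackerIp : "127.0.0.1";
  };
}

// Minimal browser: same-origin policy compares origin strings, the packet
// goes to whatever IP the name resolves to now, and Host comes from the URL.
// Cross-origin reads are refused outright here (a simplification of the
// real opaque-response behaviour).
function makeBrowser(resolve, network) {
  function send(u, init) {
    const server = network[resolve(u.hostname)];
    if (!server) return { status: 0, body: null };
    return server({
      method: init.method || "GET",
      path: u.pathname,
      headers: { host: u.host, ...(init.headers || {}) },
      body: init.body,
    });
  }
  return {
    navigate(url) { return send(new URL(url), {}); },
    xhr(pageOrigin, url, init = {}) {
      const u = new URL(url);
      if (u.origin !== pageOrigin) throw new Error("blocked by same-origin policy");
      return send(u, init);
    },
  };
}

// The attack as run in the victim's browser: load the page, re-request the
// page's own origin (now resolving to loopback), read the token, replay it.
function runRebindingAttack(agent) {
  const attackerIp = "203.0.113.7"; // TEST-NET-3 documentation address
  const name = "rebind.attacker.example"; // assumed attacker-controlled name
  const network = {
    [attackerIp]: () => ({ status: 200, body: "<html>attacker page</html>" }),
    "127.0.0.1": agent,
  };
  const browser = makeBrowser(rebindingDns(name, attackerIp), network);
  const origin = `http://${name}:${AGENT_PORT}`;
  browser.navigate(`${origin}/`);
  const r1 = browser.xhr(origin, `${origin}/agent`);
  if (r1.status !== 200) {
    return { tokenLeaked: false, commandAccepted: false, status: r1.status };
  }
  const r2 = browser.xhr(origin, `${origin}/install`, {
    method: "POST",
    headers: { authorization: r1.body.authorization },
    body: { product: "example-game" },
  });
  return { tokenLeaked: true, commandAccepted: r2.status === 200, status: r2.status };
}

// Without rebinding, a page on an unrelated origin cannot read the token,
// which is the protection Ormandy suspects the token scheme relied on.
function directCrossOriginAttempt(agent) {
  const resolve = (h) => (h === "localhost" ? "127.0.0.1" : null);
  const browser = makeBrowser(resolve, { "127.0.0.1": agent });
  try {
    browser.xhr("http://evil.example", `http://localhost:${AGENT_PORT}/agent`);
    return "read";
  } catch (e) {
    return "blocked";
  }
}

console.log(runRebindingAttack(makeAgent({ checkHost: false })));
console.log(runRebindingAttack(makeAgent({ checkHost: true })));
```

The Host check works because rebinding changes only where the packet is delivered, never the Host header: the browser fills that in from the URL, so a request originating from the attacker's page always carries the attacker's name and can never present "localhost:1120". A real agent would apply the same check to the Origin header and to WebSocket handshakes.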
He immediately sent a report to a Blizzard contact he had, who assured him it would reach the right people. While initial communication was good, the company stopped responding to him as of December 22, which eventually prompted him to go public with his findings.
All Blizzard games (World of Warcraft, Overwatch, Diablo III, Starcraft II, etc.) were vulnerable to DNS rebinding vulnerability allowing any website to run arbitrary code. https://t.co/ssKyxfkuZo — Tavis Ormandy (@taviso) January 22, 2018
Around the time he went public, Ormandy noticed that the makeshift patch Blizzard had released the day before looked rather convoluted. "Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist," he said on the vulnerability page. "I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple."
The tweet appears to have ruffled some feathers: Blizzard posted its own response on the vulnerability page, saying that a more complete fix was in QA. "The executable blacklisting code is actually old and wasn't intended to be a resolution to this issue. We're in touch with Tavis to avoid miscommunication in the future."
It is good to see that Blizzard has a better fix coming, but it is a shame the company had to be publicly called out for communication to resume.