Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment, played every month by half a billion users.

To play Blizzard games online using web browsers, users need to install a game client application, called 'Blizzard Update Agent,' onto their systems. It runs a JSON-RPC server over the HTTP protocol on port 1120 and "accepts commands to install, uninstall, change settings, update and other maintenance related options."

Google's Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the "DNS Rebinding" attack, which allows any website to act as a bridge between the external server and your localhost.

Just last week, Ormandy revealed a similar vulnerability in the popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.

By simply creating a DNS entry to bind any attacker-controlled web page with localhost (127.0.0.1) and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.

Although a random website running in a web browser usually cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate what hostname the client was requesting and responds to such requests.

Blizzard DNS Rebinding Attack — Proof of Concept Exploit


Ormandy has also published a proof-of-concept exploit that executes a DNS rebinding attack against Blizzard clients and could be modified to allow exploitation using network drives, or setting the destination to "downloads" and making the browser install malicious DLLs, data files, etc.

Ormandy responsibly reported the issue to Blizzard in December to get it patched before hackers could take advantage of it to target hundreds of millions of gamers.

However, after the initial communication, Blizzard inappropriately stopped responding to Ormandy's emails and silently applied a partial mitigation in client version 5996.

"Blizzard was replying to emails but stopped communicating on Dec 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution," Ormandy says.

"Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this."

After Ormandy's report went public, Blizzard contacted him and informed him that a more robust Host header whitelist fix to address the issue entirely is currently being developed for deployment.
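
The Host header whitelist mentioned above, and the missing hostname validation it corrects, can be sketched as follows. This is an added example, not Blizzard's code or Ormandy's proof of concept; the handler, the allowed names and the hostname `rebind.attacker.example` are constructed for illustration.

```python
# Added example, not Blizzard's code: Host allowlist on a loopback JSON-RPC-style service.
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOPBACK_NAMES = ("127.0.0.1", "localhost")  # assumed legitimate names for the agent

def host_is_allowed(host_header, port):
    """Exact, case-insensitive match on name:port; everything else is refused."""
    if not host_header:
        return False  # request carried no Host header at all
    allowed = {f"{name}:{port}" for name in LOOPBACK_NAMES}
    return host_header.strip().lower() in allowed

class AgentHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        port = self.server.server_address[1]
        # Drain the body first so a refused connection still closes cleanly.
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not host_is_allowed(self.headers.get("Host"), port):
            self.send_error(403, "Host not allowed")  # a rebound name stops here
            return
        request = json.loads(raw or b"{}")  # parsed only after the Host check
        body = json.dumps({"id": request.get("id"), "result": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(host_values):
    """POST once per Host value to a throwaway loopback server; return the statuses."""
    server = HTTPServer(("127.0.0.1", 0), AgentHandler)  # port 0: OS picks a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    statuses = []
    for value in host_values:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("POST", "/", body=b'{"id": 1, "method": "status"}',
                     headers={"Host": value.format(port=port)})
        statuses.append(conn.getresponse().status)
        conn.close()
    server.shutdown()
    server.server_close()
    return statuses
```

Both requests in `demo` arrive over the same loopback socket; only the Host header differs, which is why the check has to look at the header rather than the peer address.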

Ormandy is also checking other big games vendors with a user base of over 100 Million to see if the problem can be replicated.