Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers' computers.

Played every month by half a billion users, World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games online using web browsers, users need to install a game client application called 'Blizzard Update Agent' onto their systems. It runs a JSON-RPC server over the HTTP protocol on port 1120, and "accepts commands to install, uninstall, change settings, update and other maintenance related options."

Google's Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the "DNS Rebinding" attack that allows any website to act as a bridge between the external server and your localhost.

Just last week, Ormandy revealed a similar vulnerability in the popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.

By simply creating a DNS entry to bind any attacker-controlled web page with localhost (127.0.0.1) and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.

Although a random website running in a web browser normally cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate what hostname the client was requesting and responds to such requests.

Blizzard DNS Rebinding Attack — Proof of Concept Exploit


Ormandy has also published a proof-of-concept exploit that executes a DNS rebinding attack against Blizzard clients and could be modified to allow exploitation using network drives, or setting destination to "downloads" and making the browser install malicious DLLs, data files, etc.

Ormandy responsibly reported the issue to Blizzard in December to get it patched before hackers could take advantage of it to target hundreds of millions of gamers.

However, after initial communication, Blizzard inappropriately stopped responding to Ormandy's emails and silently applied a partial mitigation in client version 5996.
"Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution," Ormandy says.
"Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this."
After Ormandy's report went public, Blizzard contacted him and informed him that a more robust Host header whitelist fix to address the issue entirely is currently being developed for deployment.
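
The Host header whitelist mentioned above can be sketched as follows. This is an added example, not Blizzard's code or Ormandy's proof of concept; the allowlist contents, the `AgentHandler` name and the placeholder JSON-RPC reply are assumptions made for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 1120  # port the article gives for the Update Agent
# Assumed allowlist: only loopback names a legitimate local client would use.
ALLOWED_HOSTNAMES = {"127.0.0.1", "localhost", "[::1]"}


def host_is_allowed(host_header, port=PORT):
    """Return True only if the Host header names loopback on our port."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    name, sep, port_text = host.rpartition(":")
    if not sep or host.endswith("]"):
        # No ":port" suffix (plain name or bare bracketed IPv6 literal).
        name, port_text = host, ""
    if port_text and port_text != str(port):
        return False
    return name in ALLOWED_HOSTNAMES


class AgentHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the local JSON-RPC endpoint."""

    def do_POST(self):
        # A rebound request still carries the attacker's hostname in Host,
        # because the browser believes it is talking to that origin.
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        try:
            length = max(0, int(self.headers.get("Content-Length") or 0))
            request = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            self.send_error(400, "Invalid JSON")
            return
        request_id = request.get("id") if isinstance(request, dict) else None
        body = json.dumps({"jsonrpc": "2.0", "id": request_id,
                           "result": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the Host check covers what binding cannot.
    HTTPServer(("127.0.0.1", PORT), AgentHandler).serve_forever()
```

The check rejects the request before any command is parsed, so a page whose hostname was rebound to 127.0.0.1 gets a 403 regardless of what its JavaScript sends.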

Ormandy is also checking other big games vendors with a user base of over 100 million to see if the problem can be replicated.