A Google security researcher has discovered a severe vulnerability in Blizzard games which could allow remote attackers to run malicious code on gamers’ computers.
Played every month by half a billion users, World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.
To play Blizzard games online through a web browser, users need to install a game client application called ‘Blizzard Update Agent’ on their systems. The agent runs a JSON-RPC server over HTTP on port 1120 and “accepts commands to install, uninstall, change settings, update and other maintenance related options.”
Google Project Zero researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a technique called “DNS Rebinding”, which lets any website act as a bridge between an external server and the visitor’s localhost.
Just last week, Ormandy revealed a similar vulnerability in the popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.
Although a website running in a web browser normally cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate which hostname (the HTTP Host header) the client requested, and it answers such requests anyway.
Blizzard DNS Rebinding Attack — Proof of Concept Exploit
Ormandy has also published a proof-of-concept exploit that performs a DNS rebinding attack against Blizzard clients and could be modified to allow exploitation via network drives, or by setting the destination to “downloads” and having the browser install malicious DLLs, data files, etc.
Ormandy responsibly reported the issue to Blizzard in December so that it could be patched before hackers could take advantage of it to target hundreds of millions of gamers.
However, after initial communication, Blizzard inappropriately stopped responding to Ormandy’s emails and silently applied a partial mitigation starting with client version 5996.
“Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution,” Ormandy says.
“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on it.”
After Ormandy’s report went public, Blizzard contacted him and said that a more robust Host header whitelist fix, which addresses the issue entirely, is currently being developed for deployment.
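The root cause described above (the local agent answering requests regardless of the hostname in the Host header) and the hostname whitelist that Ormandy proposed and Blizzard is now developing can be illustrated with a small check. The following is an added example, not Blizzard’s or Project Zero’s code: it parses the Host header of a request arriving at a local HTTP/JSON-RPC service and accepts only requests that name the local machine itself; the port 1120 comes from the article, and the sample Host values are constructed for illustration.

```python
# Added example (not Blizzard's or Project Zero's code): a Host-header
# whitelist for a local HTTP/JSON-RPC service, the fix Ormandy proposed.
# Port 1120 is from the article; sample Host values are constructed.
LOCAL_PORT = 1120

# What a browser sends in Host when it really addresses the local agent.
# A DNS-rebinding request carries the attacker's domain instead.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

def split_host_port(host_header):
    """Split a Host header into (host, port) per RFC 7230; handles
    bracketed IPv6 and a missing port; (None, None) on malformed input."""
    value = host_header.strip()
    if value.startswith("["):                   # IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None, None
        rest = rest[1:]
    else:
        if value.count(":") > 1:                # unbracketed IPv6: malformed
            return None, None
        host, _, rest = value.partition(":")
    if not host:
        return None, None
    if rest == "":
        port = None                             # no explicit port given
    elif rest.isascii() and rest.isdigit():
        port = int(rest)
    else:
        return None, None
    return host.lower(), port

def host_header_allowed(host_header):
    """Return True only when Host names the local agent itself (fail closed)."""
    if host_header is None:                     # HTTP/1.0 request without Host
        return False
    host, port = split_host_port(host_header)
    if host is None or port not in (None, LOCAL_PORT):
        return False
    return host in ALLOWED_HOSTS

if __name__ == "__main__":
    # Constructed samples: a legitimate local request versus rebinding traffic.
    for hdr in ("localhost:1120", "[::1]:1120", "rebound.example:1120", None):
        print(f"{hdr!r:<28} -> {'allow' if host_header_allowed(hdr) else 'reject'}")
```

Because the check compares the full hostname exactly, a rebound domain such as rebound.example, or a look-alike such as localhost.rebound.example, is rejected even though the TCP connection genuinely comes from the local browser.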
Ormandy is also checking other big game vendors with a user base of over 100 million to see if the problem can be replicated.