EA Origin Windows Elevation of Privilege

--[ 1. Summary

A bug exists in the latest version of EA Origin which allows an attacker to gain administrative privileges on a Windows device without a UAC prompt. The issue stems from a lack of validation of the binary to be executed in an elevated context. Whilst the Origin Client Service takes several steps to verify the target to be executed, it can still be bypassed by copying validly signed EA binaries to a user-writable directory and hijacking an imported DLL.

--[ 1.1 Timeline

Jan. 5th 2022 - Initial disclosure
Jan. 5th 2022 - Issue accepted
Jan. 5th 2022 - Resolution rejected
Feb. 12th 2022 - Article feedback received
Feb. 14th 2022 - Article published

--[ 2. Discussion

In order to install software updates, the Origin Client uses a bespoke communication protocol to request that the Client Service (running with System privileges) execute a command with an Admin token. This is achieved by copying the token from an existing process and making a call to CreateProcessAsUserW.

Similar patterns are commonplace across client software management products, as it is often necessary to run elevated commands to install or update software on the user's device without the annoyance of repeated prompts for elevation. However, great care must be taken to architect a solution that cannot be abused by malicious lower-privilege software running on the device. Such a primitive gives malware the ability to further compromise a user by leveraging administrative privileges to obtain additional data or to persist on the device.

The Origin Client Service does take several steps to attempt to address this, such as:

- Encrypting the communication channel between the Client and Service
- Ensuring that the target binary is signed by EA
- Using a bespoke protocol to obfuscate the request

However, crucially, the service does not ensure that the target to be executed resides within a controlled or non-writable directory.
In some cases this may be the application's "Program Files" directory (in the case of Origin, %PROGRAMFILESX86%\Origin), but it could also be a secure temporary directory with the correct ACL to ensure that only Origin processes can write to it. As this check is not performed, it is possible to simply copy an EA binary to an attacker-writable directory and then use a DLL hijacking attack to run arbitrary code.

--[ 3. Proof of Concept

In my example, the attacker runs the Origin.exe binary twice; both times a DLL hijack is used to obtain execution within the context of a valid EA-signed process. The first time it is run with low privileges, the DLL imports the required APIs from OriginClient.dll and makes the request to the Service to run a binary elevated. It provides itself as the target to be executed elevated, such that it can run the same hijack. Once the request is made, the process is terminated so that it can be started again. The service then executes the binary (and hijacked DLL) a second time; this time the DLL detects it is running elevated, spawns a command prompt (as Administrator) and again terminates the process. All of this takes just a few seconds and the malicious code is executed without any prompt for the user to elevate privileges.

A video showing the exploit can be found here: https://kryc.blob.core.windows.net/files/OriginEoP.webm

The exploit Proof of Concept code can be found here: [REDACTED]

In order to reproduce the issue, simply download and extract the zip file, then browse to Release and run the exploit.bat batch file. Optionally, the source can be compiled with Visual Studio.

--[ 4. Remediation

In order to remediate this, I would suggest that the Origin Client Service validate the path of the binary to be run elevated before making the call to CreateProcessAsUserW.

--[ 5. Response

This issue was reported to the EA security team on January 5th 2022.
Their response was prompt and courteous, but unfortunately they chose not to take any further action to remediate the issue. They accept that this is a valid exploit and that their users are vulnerable to it with default installations of Origin. They advise that a feature named "Restricted Access Mode" is easily turned on for users who operate machines with multiple users and wish to disable the elevation functionality entirely. Upon closer inspection, this feature forces all elevated functionality to go through a UAC prompt (presumably using CreateProcess with the "runas" verb, although I did not reverse engineer this).

The full response was:

  I wanted to provide some additional context on why we decided not to enable RAM protections by default. As a part of our fix investigation efforts, we gathered telemetry and did analysis on our Origin install population. What it told us is interesting -- over 95% of Origin users are already running as Admin and the majority of them are the only userid registered on the system. As such, it is unlikely that this vulnerability would result in any further access or privileges.

  While the issue would have only been present for a small number of players with the Origin client installed, the safety and security of each user is very important to us. This is why we introduced Restricted Access Mode, empowering our users to make the best decision for their situation. We are also committed to improving our approach to principles of least privilege for Origin and Restricted Access Mode in future versions based on the insights we’ve gained through community reports such as yours.

In my opinion, if this feature were enabled by default then this would adequately resolve the issue; however, this exploit works successfully on a clean install and as such poses a risk to EA Origin users. At present, this issue is not fixed and users running the default configuration are exposed to local privilege escalation attacks.

--[ 6. Mitigation

Users should follow the guidance on EA Origin's Support website at the following URL to enable Restricted Access Mode in EA Origin: https://help.ea.com/en/help/origin/origin/enable-restricted-access-mode-in-origin/

This will enforce UAC prompts for privileged actions, but it effectively mitigates this bug.
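As an added illustration of the path validation recommended in section 4 (example code written for this edit, not part of the advisory or of EA's Origin Client Service), the function below canonicalises a requested target path in portable C, without touching the file system, and accepts it only if it lies strictly inside the non-writable install directory. It goes slightly beyond the advisory's one case by also normalising forward slashes and ".." components and refusing UNC, device-namespace and relative paths; the trusted root and sample paths are assumptions, and in the real service the same check would run on the wide-string path immediately before CreateProcessAsUserW.

```c
#include <ctype.h>
#include <string.h>

#define MAX_COMPONENTS 64
#define PATH_BUF 1024

/* Canonicalise a Win32 drive-letter path: unify separators, lower-case, drop
 * empty and "." components, resolve "..". Relative paths and UNC / \\?\ / \\.\
 * forms are refused outright, since the service should only ever be asked to
 * launch an absolute local path. Returns 0 on success, -1 if refused/too long. */
static int canonicalise(const char *in, char *out, size_t outlen) {
    char buf[PATH_BUF];
    const char *parts[MAX_COMPONENTS];
    size_t n = 0, i, len = strlen(in);
    if (len == 0 || len >= sizeof buf) return -1;
    if (!(isalpha((unsigned char)in[0]) && in[1] == ':' &&
          (in[2] == '\\' || in[2] == '/')))
        return -1;
    for (i = 0; i <= len; i++)                        /* copies the NUL too */
        buf[i] = (in[i] == '/') ? '\\' : (char)tolower((unsigned char)in[i]);
    for (char *p = buf; *p;) {                        /* split on '\' */
        char *tok = p;
        while (*p && *p != '\\') p++;
        if (*p) *p++ = '\0';
        if (*tok == '\0' || strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n > 1) n--; continue; } /* keep drive */
        if (n == MAX_COMPONENTS) return -1;
        parts[n++] = tok;
    }
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        if (strlen(out) + strlen(parts[i]) + 2 > outlen) return -1;
        if (i) strcat(out, "\\");
        strcat(out, parts[i]);
    }
    return 0;
}

/* Return 1 only if `target` resolves to a file strictly inside `trusted_root`
 * (the install directory standard users cannot write to), 0 otherwise. This is
 * the pre-CreateProcessAsUserW check the advisory recommends; it only holds if
 * the directory's ACL really denies writes to non-admins and junctions or
 * symlinks inside it are rejected as well (assumed to be enforced elsewhere). */
int is_trusted_target(const char *target, const char *trusted_root) {
    char t[PATH_BUF], r[PATH_BUF];
    if (canonicalise(target, t, sizeof t) != 0 ||
        canonicalise(trusted_root, r, sizeof r) != 0) return 0;
    size_t rl = strlen(r);
    return strncmp(t, r, rl) == 0 && t[rl] == '\\' && t[rl + 1] != '\0';
}
```

With the sample root "C:\Program Files (x86)\Origin", the genuine install path is accepted while a copy of Origin.exe in a user-writable temp directory, a ".." traversal out of the install tree, a sibling directory with a matching prefix and a UNC path are all refused.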