DIVD-2021-00007 - EA Origin XSS and RCE 1-click
| Case lead | Hidde Smit |
| Product | Electronic Arts Origin |
| Recommendation | Update Origin client to the latest version. |
| Patch status | XSS and RCE patched, Angular template injection still present |
| Last modified | 12 Aug 2022 11:21 |
A DIVD researcher has identified three vulnerabilities in the EA Origin client.
Client software prior to 10.5.101 is vulnerable to:
- 1-click RCE through Origin URI
- 1-click XSS through Origin URI
- Template injection through Origin URI
The affected URI scheme is “origin2”.
This vulnerability is a tweaked variant of an already patched vulnerability (CVE-2019-11354). Because EA changed its vulnerability policy, no CVE is assigned when affected users can remediate the vulnerability through the client’s auto-update mechanism.
When a game is started directly from its ‘.exe’, the Origin process is launched with a command line such as the following example:
The command above starts Origin and shows a pop-up in which the text ‘example’ is reflected. Initial tests showed that HTML injection is possible to a certain degree: some characters are escaped with a backslash, which neutralises most payloads.
Further research showed that AngularJS 1.5.11 is in use, so a sandbox escape is needed to perform any form of Cross-Site Scripting (XSS). The original CVE-2019-11354 report shows that RCE can be achieved through the function ‘Origin.client.desktopServices.asyncOpenUrl()’.
To bypass the character escaping, a combination of HTML entity encoding and URL encoding is used; the ampersand characters are URL-encoded.
An example of template injection that still works:
A known sandbox escape technique, originally discovered by Jann Horn, was used. Applying a mix of HTML entity encoding and URL encoding results in a final RCE payload of 1684 characters which, once clicked, spawns ‘calc.exe’ through the origin2 URI.
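The layered encoding described above is exactly what a single-pass escaper misses, so a defensive check has to decode every layer before looking for Angular interpolation markers. The Python scanner below is an added example, not part of the DIVD report or of EA’s code; the sample URIs, path and parameter names (`offerIds`, `title`) are constructed and hypothetical.

```python
import html
from urllib.parse import parse_qsl, unquote, urlsplit

# URI schemes the advisory names as the attack surface.
ORIGIN_SCHEMES = ("origin", "origin2")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """URL-decode and HTML-entity-decode repeatedly until the value is stable.

    A single-pass escaper only sees one layer; %-encoding stacked over
    &#x..; entities hides '{{' and '<' from it, so peel every layer first.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def scan_origin_uri(uri: str) -> dict:
    """Return {param: {"decoded": ..., "reasons": [...]}} for suspicious parameters."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ORIGIN_SCHEMES:
        return {}
    findings = {}
    # parse_qsl splits on '&' before decoding, so a %26 inside a value stays in it.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(raw)
        reasons = []
        if "{{" in decoded and "}}" in decoded:
            reasons.append("angular-interpolation")  # AngularJS template injection
        if "<" in decoded:
            reasons.append("html-tag")  # HTML injection
        if reasons:
            findings[name] = {"decoded": decoded, "reasons": reasons}
    return findings


# Constructed sample URIs; path and parameter names are hypothetical, not from the advisory.
SAMPLES = {
    "benign": "origin2://game/launch?offerIds=1234&title=example",
    "plain": "origin2://game/launch?offerIds=1234&title={{7*7}}",
    "url_encoded": "origin2://game/launch?offerIds=1234&title=%7B%7B7*7%7D%7D",
    # '{' as the entity &#x7b; with its '&', '#' and ';' URL-encoded on top.
    "entity_plus_url": "origin2://game/launch?offerIds=1234"
                       "&title=%26%23x7b%3B%26%23x7b%3B7*7%26%23x7d%3B%26%23x7d%3B",
}
```

Running `scan_origin_uri` over the `SAMPLES` dictionary flags the last three entries with the same decoded value, which is the point: the check operates on the fully decoded string, not on whichever encoding the sender chose.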
What you can do
Update the Origin client to the latest version and do not click any suspicious Origin URIs (origin and origin2).
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.
| 21 Apr 2021 | Vulnerabilities discovered. |
| 21 Apr 2021 | Vendor informed. |
| 21 Apr 2021 - 11 May 2021 | Time to confirm vulnerability. |
| 11 May 2021 | Vendor confirmed vulnerability. |
| 21 Apr 2021 - 13 Jul 2021 | Time to fix. |
| 13 Jul 2021 | Notified by the vendor that XSS and RCE have been fixed. |