
DIVD-2021-00007 - EA Origin XSS and RCE 1-click

Our reference: DIVD-2021-00007
Case lead: Hidde Smit
Researcher(s):
CVE(s):
  • n/a
Product: Electronic Arts Origin
Versions:
  • Origin client < 10.5.101
Recommendation: Update Origin client to the latest version.
Patch status: XSS and RCE patched, Angular template injection still present
Status: Closed

Summary

A DIVD researcher has identified three vulnerabilities in the EA Origin client.

Client software prior to 10.5.101 is vulnerable to:

The affected URI scheme is “origin2”.

Technical details

This vulnerability is a tweaked variant of an already patched vulnerability (CVE-2019-11354). Because EA changed its vulnerability policy, a CVE is no longer assigned when the affected users can resolve the vulnerability through the client's ‘auto updating’ mechanism.

When a game is started directly from its ‘.exe’, the Origin process is launched with a command line such as: Origin2://game/launch/?offerIds=0&title=example

The command above starts Origin and shows a pop-up in which the text ‘example’ is reflected. Initial tests showed that HTML injection is possible to a certain degree: some characters are escaped with a backslash, which blocks most payloads.

Further research showed that AngularJS 1.5.11 is in use, so a sandbox escape is needed to achieve any form of Cross-Site Scripting (XSS). The original CVE-2019-11354 report shows that RCE can be achieved through the function ‘Origin.client.desktopServices.asyncOpenUrl()’.

To bypass the character escaping, a combination of HTML entity encoding and URL encoding is used: the payload characters are written as HTML entities, and the ampersand characters of those entities are URL-encoded.

An example of template injection that still works: origin2://game/launch/?offerIds=0&title=%26lcub;%26lcub;7%26ast;7%26rcub;%26rcub;

A known sandbox escape technique, originally discovered by Jann Horn, was used. Applying the mix of HTML entity encoding and URL encoding results in a final RCE payload of 1684 characters which, once clicked, spawns ‘calc.exe’ through the origin2 URI.
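The decoding chain behind the bypass, as an added example that is not DIVD's or EA's code: the URL decoder turns %26 into &, the browser turns &lcub; into { before AngularJS compiles the text, so a filter that only escapes literal braces never sees them. The backslash filter is a hypothetical stand-in for the client's escaping; the advisory's 7*7 URI is the input, and the binding-based renderer models the fix of treating the title as data rather than as template markup.

```python
import re
from html import unescape
from urllib.parse import unquote, urlsplit

# Template-injection URI quoted in the advisory: entity-encoded braces whose
# ampersands are URL-encoded, so the query string still splits cleanly on "&".
ADVISORY_URI = "origin2://game/launch/?offerIds=0&title=%26lcub;%26lcub;7%26ast;7%26rcub;%26rcub;"

INTERPOLATION = re.compile(r"\{\{(.*?)\}\}")  # AngularJS {{ expr }} markers


def title_param(uri: str) -> str:
    """Return the URL-decoded 'title' query parameter of an origin2:// URI."""
    for pair in urlsplit(uri).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "title":
            return unquote(value)  # %26 -> &, the entities themselves stay intact
    return ""


def backslash_filter(text: str) -> str:
    """Hypothetical model of the client's escaping: it backslash-escapes literal
    delimiter characters only, so entity-encoded braces pass through untouched."""
    return "".join("\\" + c if c in "{}<>" else c for c in text)


def expressions_compiled(markup: str) -> list:
    """Expressions AngularJS would evaluate when compiling this markup. The
    browser decodes HTML entities first, so &lcub;&lcub; counts as {{."""
    return INTERPOLATION.findall(unescape(markup))


def render_by_concatenation(title: str) -> list:
    """Vulnerable pattern: the filtered title is spliced into markup that
    AngularJS then compiles. Returns the expressions that get evaluated."""
    return expressions_compiled("<p>" + backslash_filter(title) + "</p>")


def render_by_binding(title: str) -> tuple:
    """Fixed pattern: the markup is static and the title is bound as data.
    Only 'title' is compiled; its value lands in a text node and is never
    re-compiled, so {{7*7}} or its entity form stays literal text."""
    scope = {"title": title}
    compiled = expressions_compiled("<p>{{title}}</p>")
    text = "".join(str(scope.get(expr.strip(), "")) for expr in compiled)
    return compiled, text
```

With the advisory's URI, render_by_concatenation evaluates 7*7 while a plain {{7*7}} title is neutralised by the filter; render_by_binding compiles only the static 'title' expression for both inputs.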

What you can do

Update the Origin client to the latest version and don’t click any suspicious Origin URIs (origin and origin2).

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.

Timeline

Date Description
21 April 2021 Vulnerabilities discovered.
21 April 2021 Vendor informed.
11 May 2021 Vendor confirmed vulnerability.
13 July 2021 Notified by the vendor that XSS and RCE have been fixed.