
DIVD-2021-00007 - EA Origin XSS and RCE 1-click

Our reference DIVD-2021-00007
Case lead Hidde Smit
Researcher(s)
CVE(s)
  • n/a
Product Electronic Arts Origin
Versions
  • Origin client < 10.5.101
Recommendation Update Origin client to the latest version.
Patch status XSS and RCE patched, Angular template injection still present
Status Closed
Last modified 12 Aug 2022 11:21

Summary

A DIVD researcher has identified three vulnerabilities in the EA Origin client.

Client software prior to 10.5.101 is vulnerable to:

The URI affected is “origin2”.

Technical details

This vulnerability is a tweaked variant of an already patched vulnerability (CVE-2019-11354). EA has changed its vulnerability policy: a CVE is no longer assigned when the affected users receive the fix through the client's auto-update mechanism.

When a game is started directly from its ‘.exe’, the Origin process is launched with a command line such as the following example: Origin2://game/launch/?offerIds=0&title=example

The command above starts Origin and shows a pop-up in which the text ‘example’ is reflected. Initial tests showed that HTML injection is possible to a certain degree: some characters are escaped with a backslash, which mitigates most payloads.

Further research showed that AngularJS 1.5.11 is in use, so a sandbox escape is needed to perform any form of Cross-Site Scripting (XSS). The original CVE-2019-11354 report shows that RCE can be achieved through the function ‘Origin.client.desktopServices.asyncOpenUrl()’.

To bypass the character escaping, a combination of HTML entity encoding and URL encoding is used: the ampersand that starts each HTML entity is URL-encoded, so that it is not interpreted as a query-parameter separator.

An example of template injection that still works: origin2://game/launch/?offerIds=0&title=%26lcub;%26lcub;7%26ast;7%26rcub;%26rcub;

A known AngularJS sandbox escape technique, originally discovered by Jann Horn, was used. After applying the same mix of HTML entity encoding and URL encoding, the final RCE payload is 1684 characters long and, once clicked, spawns ‘calc.exe’ through the origin2 URI.
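The encoding trick above works because the escaping runs on the raw parameter while the entity decoding happens later, in the UI. The following Python script is an added illustration written for this page, not code from DIVD or from EA: it parses the origin2 URI, peels off the URL and HTML-entity layers of the ‘title’ parameter, flags values that decode to AngularJS interpolation braces, and contrasts the broken escape-then-decode ordering with the correct decode-then-escape ordering. The only URIs it uses are the two quoted on this page; the decoding loop also handles double-encoded variants, which goes beyond the single layer the advisory describes. Modelling the client's backslash escaping as applying to the brace characters is an assumption made here, since the advisory does not list which characters are escaped.

```python
import html
from urllib.parse import urlparse, unquote

# Constructed sample URIs. INJECTION_URI is the template-injection example quoted in
# the advisory; BENIGN_URI is the ordinary launch command it contrasts with.
BENIGN_URI = "Origin2://game/launch/?offerIds=0&title=example"
INJECTION_URI = (
    "origin2://game/launch/?offerIds=0"
    "&title=%26lcub;%26lcub;7%26ast;7%26rcub;%26rcub;"
)

ANGULAR_OPEN, ANGULAR_CLOSE = "{{", "}}"


def title_param(uri: str) -> str:
    """Return the URL-decoded 'title' query value, or '' if absent.

    The query is split on '&' before decoding, which is exactly why the payload
    URL-encodes its ampersands as %26: a literal '&' would end the parameter.
    """
    for pair in urlparse(uri).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "title":
            return unquote(value)
    return ""


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Strip stacked URL and HTML-entity encoding until the value stops changing.

    The advisory's payload uses one layer of each; the loop also handles
    double-encoded variants (an assumption of this example, not a claim about
    the client).
    """
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_template_injection(uri: str) -> bool:
    """Flag a URI whose decoded title carries AngularJS interpolation braces."""
    decoded = fully_decode(title_param(uri))
    return ANGULAR_OPEN in decoded and ANGULAR_CLOSE in decoded


def backslash_escape(value: str) -> str:
    """Model of the client's partial mitigation.

    The advisory only says "some characters are escaped with a backslash";
    treating the braces as those characters is an assumption made here.
    """
    return value.replace("{", "\\{").replace("}", "\\}")


def escape_before_decode(uri: str) -> str:
    """Broken ordering: escape the raw parameter, then let the UI decode entities.

    No brace exists yet when the escape runs, so the entities decode into an
    intact '{{7*7}}' afterwards.
    """
    return html.unescape(backslash_escape(title_param(uri)))


def escape_after_decode(uri: str) -> str:
    """Correct ordering: canonicalise first, then escape what is actually there."""
    return backslash_escape(fully_decode(title_param(uri)))


if __name__ == "__main__":
    for uri in (BENIGN_URI, INJECTION_URI):
        print(uri)
        print("  decoded title :", fully_decode(title_param(uri)))
        print("  injection?    :", looks_like_template_injection(uri))
        print("  escape->decode:", escape_before_decode(uri))
        print("  decode->escape:", escape_after_decode(uri))
```

The same decode-to-a-fixed-point step is what a URI-handler or proxy should do before any validation: escaping or blocklisting on the raw value, as the escape-then-decode path shows, misses every payload that hides its metacharacters behind a layer the downstream component will remove.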

What you can do

Update the Origin client to the latest version and don’t click any suspicious Origin URIs (origin and origin2).

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.

Timeline

Date Description
21 Apr 2021 Vulnerabilities discovered.
21 Apr 2021 Vendor informed.
21 Apr 2021 - 11 May 2021 Time to confirm vulnerability (20 days).
11 May 2021 Vendor confirmed vulnerability.
21 Apr 2021 - 13 Jul 2021 Time to fix (83 days).
13 Jul 2021 Notified by the vendor that XSS and RCE have been fixed.