A remote code execution (RCE) vulnerability in the client application of Overwolf, the popular gaming development platform, has been patched.
The critical flaw (CVE-2021-33501), which has a CVSS score of 9.6, stems from how Overwolf mishandled custom URLs used by Windows applications to “run a particular installed application when invoked”, according to a security advisory from SwordBytes Security.
Unauthenticated attackers can achieve RCE on vulnerable clients by combining a reflected cross-site scripting (XSS) bug with a Chromium Embedded Framework (CEF) sandbox escape.
Overwolf has been used by around 30,000 developers to create more than 90,000 extensions for games including Fortnite, Among Us, and World of Warcraft.
Israeli parent company Overwolf Ltd recently announced a $52.5 million cash injection.
Underlying issue
Custom URL schemes are often used to navigate to a URL directly from the browser, which attackers can achieve “by redirecting valid users to a malicious link that abuses Overwolf’s custom URL handler ‘overwolfstore://’,” said Joel Noguera, SwordBytes founder and the researcher who discovered the RCE vulnerability.
When the Overwolf client is launched, the CEF application proceeds to parse and analyze the provided URL to determine which UI should be rendered, Noguera said.
Noguera, who is based in Argentina, said attackers had free rein to “craft different payloads that may produce unexpected results” because “there is no restriction on the values accepted by [the] application” during scheme parameters decoding.
Recounting the path to XSS, the researcher said that when the ‘SECTION’ portion of the URL – usually ‘overwolfstore://app/<SECTION>/<CATEGORY>/<EXTRAS>’ – is equal to ‘apps’, the Overwolf client generates a back-end request with the ‘CATEGORY’ value “in an attempt to obtain information about the extension being invoked”.
The ‘UNEXPECTED_VALUE’ is reflected in the response body as part of an error message, and the ‘Content-Type’ is set to ‘text/html’, he continued.
Reflected in the context of the Overwolf Store UI – “essentially a Chromium embedded browser (CEF)” – this response means “controlled content will be injected verbatim in the DOM”.
The XSS was possible, concluded Noguera, because of a “lack of sanitization of the CATEGORY’s value” and the aforementioned back-end error message.
Escaping the sandbox
Researchers then used the Overwolf JavaScript API and the ‘overwolf-extensions://’ scheme to escape the CEF sandbox.
“The main CEF process, ‘OverwolfBrowser.exe’, is running with the internal Overwolf flags enabled (‘--ow-enable-features’ and ‘--ow-allow-internal’), making it possible to call functions such as ‘overwolf.utils.openUrlInDefaultBrowser’,” explained Noguera.
And “if a value such as ‘calc.exe’ is provided, a call to ‘CreateProcess’ will be made, and the binary ‘calc.exe’ will be executed, allowing attackers to run arbitrary commands”.
The researchers then leveraged ‘overwolf.io.writeFileContents’ to write a malicious batch file to ‘C:\windows\temp\’ that was executed via the ‘openUrlInDefaultBrowser’ method to achieve RCE.
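The two weak points the advisory describes are an unrestricted ‘CATEGORY’ value that is reflected into an HTML error page, and a browser-opening API that accepts a bare executable name. The following is an added example of how a client could close both gaps; it is not Overwolf's code, and the section allowlist, the category identifier format and the function names are assumptions for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed allowlist of valid SECTION values for 'overwolfstore://app/<SECTION>/<CATEGORY>/<EXTRAS>'.
ALLOWED_SECTIONS = {"apps", "games"}
# Assumed identifier format for CATEGORY: no markup, no path tricks, bounded length.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_store_url(url):
    """Strictly parse a custom-scheme URL; raise ValueError on anything unexpected."""
    parts = urlsplit(url)  # scheme is lowercased, netloc is split for any scheme
    if parts.scheme != "overwolfstore" or parts.netloc != "app":
        raise ValueError("unexpected scheme or host")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("missing section or category")
    section, category, *extras = segments
    if section not in ALLOWED_SECTIONS:
        raise ValueError("unknown section")
    if not CATEGORY_RE.fullmatch(category):
        raise ValueError("invalid category identifier")
    return section, category, "/".join(extras)


def is_valid_store_url(url):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_store_url(url)
        return True
    except ValueError:
        return False


def error_response(bad_value):
    """Build the back-end error message so that reflecting the value is harmless:
    the value is HTML-escaped and the body is served as text/plain, so an
    embedded browser will not interpret any of it as markup."""
    body = "Unknown category: " + html.escape(bad_value, quote=True)
    return {"Content-Type": "text/plain; charset=utf-8"}, body


def safe_external_url(target):
    """Gate for an 'open in default browser' API: only absolute http(s) URLs
    with a host may be handed to the OS; a local path or program name is refused."""
    p = urlsplit(target)
    return p.scheme in ("http", "https") and bool(p.netloc)
```

The error builder and the browser gate are the two checks whose absence the advisory attributes to the XSS and the sandbox escape respectively.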
Remediation timeline
SwordBytes initiated contact with Overwolf Ltd on May 10, and the vendor released a hotfix addressing the issue on May 27. SwordBytes released the security advisory on May 31.
The vulnerability is present in Overwolf Client 0.169.0.22, although the advisory notes that “prior versions might also be affected”.
The latest Overwolf release, issued at the end of May, is version 0.170.
The Daily Swig has contacted SwordBytes and Overwolf for further comment. This article will be updated accordingly should we receive responses.
Source: https://portswigger.net/daily-swig/gaming-mod-development-platform-overwolf-fixes-bug-that-could-allow-rce-via-chained-exploit