{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ea:origin:*:*:*:*:*:macos:*:*", "matchCriteriaId": "CEDBB112-07E8-42F6-9580-2FE2DB63E6DF", "versionEndExcluding": "10.5.56.33908", "vulnerable": true}, {"criteria": "cpe:2.3:a:ea:origin:*:*:*:*:*:windows:*:*", "matchCriteriaId": "D104148B-CBE0-445C-85DB-E9E3784729C7", "versionEndExcluding": "10.5.56.33908", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Electronic Arts Origin 10.5.55.33574 is vulnerable to local privilege escalation due to arbitrary directory DACL manipulation, a different issue than CVE-2019-19247 and CVE-2019-19248. When Origin.exe connects to the named pipe OriginClientService, the privileged service verifies the client's executable file instead of its in-memory process (which can be significantly different from the executable file due to, for example, DLL injection). Data transmitted over the pipe is encrypted using a static key. Instead of hooking the pipe communication directly via WriteFileEx(), this can be bypassed by hooking the EVP_EncryptUpdate() function of libeay32.dll. The pipe takes the command CreateDirectory to create a directory and adjust the directory DACL. Calls to this function can be intercepted, the directory and the DACL can be replaced, and the manipulated DACL is written. Arbitrary DACL write is further achieved by creating a hardlink in a user-controlled directory that points to (for example) a service binary. The DACL is then written to this service binary, which results in escalation of privileges."}, {"lang": "es", "value": "Electronic Arts Origin versi\u00f3n 10.5.55.33574, es vulnerable a una escalada de privilegios local debido a una manipulaci\u00f3n arbitraria de la DACL de directorios, un problema diferente de CVE-2019-19247 y CVE-2019-19248. 
Cuando el archivo Origin.exe se conecta a la tuber\u00eda llamada OriginClientService, el servicio privilegiado verifica el archivo ejecutable del cliente en lugar de su proceso en memoria (que puede ser significativamente diferente del archivo ejecutable debido, por ejemplo, a una inyecci\u00f3n de DLL). Los datos transmitidos por medio de la tuber\u00eda son cifrados usando una clave est\u00e1tica. En lugar de enganchar la comunicaci\u00f3n de la tuber\u00eda directamente por medio de la funci\u00f3n WriteFileEx(), esto puede ser omitido enganchando la funci\u00f3n EVP_EncryptUpdate() de la biblioteca libeay32.dll. La tuber\u00eda toma el comando CreateDirectory para crear un directorio y ajustar la DACL del directorio. Las llamadas a esta funci\u00f3n pueden ser interceptadas, el directorio y la DACL pueden ser reemplazadas y la DACL manipulada es escrita. La escritura arbitraria de la DACL es lograda a\u00fan m\u00e1s mediante la creaci\u00f3n de un enlace f\u00edsico en un directorio controlado por el usuario que apunta (por ejemplo) a un binario de servicio. 
La DACL es entonces escrita en este binario de servicio, lo que resulta en una escalada de privilegios."}], "id": "CVE-2019-19741", "lastModified": "2024-11-21T04:35:17.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-20T16:15:11.390", "references": [{"source": "cve@mitre.org", "url": "https://medium.com/%40tobiasgyoerfi/ea-origin-10-5-55-33574-createdirectory-arbitrary-dacl-write-privilege-escalation-cve-2019-19741-5f18adfabb27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40tobiasgyoerfi/ea-origin-10-5-55-33574-createdirectory-arbitrary-dacl-write-privilege-escalation-cve-2019-19741-5f18adfabb27"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}