A Google security researcher has discovered a severe vulnerability in the update agent shared by Blizzard games that are played every month by half a billion users: World of Warcraft, Overwatch, Diablo III, Hearthstone and StarCraft II.

To play Blizzard games online, users install a client application, the ‘Blizzard Update Agent,’ on their systems. The agent runs a JSON-RPC server over HTTP on localhost port 1120 and, in the researcher’s words, “accepts commands to install, uninstall, change settings, update and other maintenance related options.”

Google’s Project Zero researcher Tavis Ormandy found that the Blizzard Update Agent is exposed to a “DNS rebinding” attack. The attacker serves a page from a hostname they control, then changes that hostname’s DNS answer (using a short TTL) so it resolves to 127.0.0.1. The browser still treats the hostname as the page’s own origin, so the page’s JavaScript can send requests to the agent on port 1120 and, unlike an ordinary cross-origin request, read the responses.


The agent utility creates a JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the RPCs are from a legitimate source, it looks like this:

$ curl -si http://localhost:1120/agent
HTTP/1.0 200 OK
Content-Length: 359

{
        "pid" : 3140.000000,
        "user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
        "user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
        "state" : 1004.000000,
        "version" : "2.13.4.5955",
        "region" : "us",
        "type" : "retail",
        "opt_in_feedback" : true,
        "session" : "15409717072196133548",
        "authorization" : "11A87920224BD1FB22AF5F868CA0E789"
}

This endpoint is permitted without authentication, but all other requests must have a valid “Authorization” header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.


By pointing a hostname they control at 127.0.0.1 once the victim’s browser has loaded the attacker’s page, attackers can read the unauthenticated /agent response from JavaScript, take the authorization token from it, and then send privileged, correctly authenticated commands to the Blizzard Update Agent on port 1120.
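The following is an added example written for this page, not Blizzard’s code or anything from the Project Zero report. It models the token scheme described above (an unauthenticated /agent endpoint that returns the token; every other request must carry it in an Authorization header) as a pure request handler, runs a simulated rebinding client against it, and then adds the check a practitioner would want here: an allow-list on the Host header, which a rebound request cannot satisfy because the browser still sends the attacker’s hostname. The hostname attacker.example, the /install path, and the fixed token value (copied from the page’s sample curl output) are assumptions; no DNS or network is involved.

```javascript
// Added example, not the agent's real code. Models the scheme on this page and
// a Host-header allow-list as a DNS-rebinding mitigation.

// Token handed out by the unauthenticated /agent endpoint. Sample value taken
// from the page's curl output; the real agent generates its own per session.
const SESSION_TOKEN = "11A87920224BD1FB22AF5F868CA0E789";

// Hosts a legitimate local client actually uses to reach port 1120.
// A browser's request after DNS rebinding still carries the attacker's name.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Extract the host part of a Host header, dropping an optional :port and
// keeping bracketed IPv6 literals intact.
function hostOf(headers) {
  const raw = (headers.host || "").toLowerCase();
  const m = raw.match(/^(\[[^\]]*\]|[^:]*)(?::\d+)?$/);
  return m ? m[1] : raw;
}

// Request handler: /agent is open and returns the token; everything else
// requires "Authorization: <token>". checkHost=false reproduces the behaviour
// described on the page; checkHost=true adds the Host allow-list.
function handleRequest(req, { checkHost }) {
  if (checkHost && !ALLOWED_HOSTS.has(hostOf(req.headers))) {
    return { status: 403, body: { error: "unexpected Host header" } };
  }
  if (req.method === "GET" && req.path === "/agent") {
    return { status: 200, body: { version: "2.13.4.5955", authorization: SESSION_TOKEN } };
  }
  if (req.headers.authorization !== SESSION_TOKEN) {
    return { status: 401, body: { error: "missing or bad Authorization" } };
  }
  // Privileged command (assumed path; the real RPC surface is not on this page).
  return { status: 200, body: { ok: true, ran: `${req.method} ${req.path}` } };
}

// What attacker JavaScript can do once attacker.example (assumed name) has been
// rebound to 127.0.0.1: the browser treats the agent as same-origin, so the
// script can read the /agent response, but the Host header is still the
// attacker's hostname.
function rebindingAttack(opts) {
  const host = "attacker.example:1120";
  const probe = handleRequest({ method: "GET", path: "/agent", headers: { host } }, opts);
  if (probe.status !== 200) return { leakedToken: false, commandRan: false };
  const token = probe.body.authorization;
  const cmd = handleRequest(
    { method: "POST", path: "/install", headers: { host, authorization: token } },
    opts
  );
  return { leakedToken: true, commandRan: cmd.status === 200 };
}

// A genuine local client, to confirm the mitigation does not break normal use.
function legitimateClient(opts) {
  const host = "localhost:1120";
  const probe = handleRequest({ method: "GET", path: "/agent", headers: { host } }, opts);
  const cmd = handleRequest(
    { method: "POST", path: "/install", headers: { host, authorization: probe.body.authorization } },
    opts
  );
  return cmd.status === 200;
}

console.log("vulnerable agent:", rebindingAttack({ checkHost: false }));
console.log("with Host check: ", rebindingAttack({ checkHost: true }));
console.log("legit client still works:", legitimateClient({ checkHost: true }));
```

Without the Host check the simulated attacker reads the token and runs the privileged command; with it, the very first probe is refused, so the token never leaves the agent, while a client that really connects to localhost is unaffected. The check is only a mitigation: it relies on browsers sending the page’s hostname in Host, which they do, but a non-browser client on the same machine still reaches the agent as before.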


References

https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=2
https://thehackernews.com/2018/01/dns-rebinding-attack-hacking.html