RCE in EA's Origin Desktop Client
Hello, and welcome! As you probably gathered from the title, today we will be going over a remote command execution vulnerability identified in EA’s Origin desktop client. This issue was both identified and reported by Dominik Penner and Daley Bee of Underdog Security.
What is Origin?
Origin is an online gaming, digital distribution and digital rights management platform developed by Electronic Arts that allows users to purchase games for PC and mobile platforms. Origin is home to gaming title giants such as Apex Legends, The Sims, and Battlefield.
What did we find?
We located a client-side template injection, then used an AngularJS sandbox escape to achieve RCE by communicating with QtApplication’s QDesktopServices.
We were simply curious and looking around at the origin2 URI handler when we came across a parameter where we could supply data that would be echoed back to us in the Origin client, prompting us to start tinkering.
After some quick testing, we learnt that there was a client-side template injection in the
What next? We already knew from prior tinkering that Origin ran on AngularJS. Thanks to amazing work by other researchers in the past, a simple Google search turns up plenty of working AngularJS sandbox escapes. We used these: link to payloads
With these payloads, we were able to escape the AngularJS sandbox using the template injection. This is the payload we used:
The entire payload ended up becoming:
We then learnt that by leveraging the in-client API, you can communicate with the QtApplication’s QDesktopServices.
To pop a calculator, we used the following payload:
As is normal with an RCE, this would’ve allowed an attacker to execute any commands their heart desired on a target’s machine. Not good, to say the least…
An attacker could also steal a user’s access token in many ways, for example, through LDAP:
Moral of the story, Origin: sanitize your inputs!
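As an added example (not code from Origin or from the original write-up), here is one way a desktop client could validate the parameters of a custom URI before any of them is echoed into an AngularJS view. The exampleapp scheme, the parameter names and their rules are hypothetical, and AngularJS's default {{ }} interpolation delimiters are assumed.

```javascript
// Added example. Scheme, parameter names and rules are hypothetical.
const ALLOWED_SCHEME = 'exampleapp:';
const PARAM_RULES = new Map([
  ['offerId', /^[A-Za-z0-9._:-]{1,64}$/],
  ['title', /^[\p{L}\p{N} .,'!&()-]{1,80}$/u],
]);
const MAX_DECODE_ROUNDS = 3;
// Assumes the default AngularJS interpolation delimiters.
const TEMPLATE_MARKUP = /\{\{|\}\}/;

// Percent-decode until the value stops changing, so double-encoded
// delimiters (%257B%257B) are checked in the form a template would see.
function fullyDecode(value) {
  let current = value;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return null; }
    if (next === current) return current;
    current = next;
  }
  return null; // still changing after the limit: reject
}

// Returns { ok: true, params } or { ok: false, reason } for a raw deep link.
function validateDeepLink(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== ALLOWED_SCHEME) return { ok: false, reason: 'scheme' };

  const params = {};
  for (const [name, value] of url.searchParams) {
    const rule = PARAM_RULES.get(name);
    if (!rule) return { ok: false, reason: 'unknown-parameter' };
    const decoded = fullyDecode(value);
    if (decoded === null) return { ok: false, reason: 'encoding' };
    // Checked separately from the format rule so logs show the attempt.
    if (TEMPLATE_MARKUP.test(decoded)) return { ok: false, reason: 'template-markup' };
    if (!rule.test(decoded)) return { ok: false, reason: 'format' };
    params[name] = decoded;
  }
  return { ok: true, params };
}

// Constructed sample links: one benign, one carrying an encoded expression.
for (const link of [
  'exampleapp://store/open?offerId=abc-123&title=Apex%20Legends',
  'exampleapp://store/open?title=%7B%7B1%2B1%7D%7D',
]) console.log(link, validateDeepLink(link));
```

Validation like this is a second layer: values that are displayed should still be bound as text (for instance under ng-non-bindable) and never compiled as template markup.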
Thank you for reading!