Dangerous vulnerabilities in Blizzard game files: Diablo III, Overwatch, Hearthstone, Starcraft II and others

The remote launch of malicious code on up to 500 million players' computers corresponds to a security bug in the " Blizzard Update Agent " for Windows. The tool listens on port 1120 / localhost and is responsible for executing installation commands, removing, changing settings, updating files, and other options related to repair or troubleshooting of Blizzard games.

How does the attacker have access to the "localhost" address if he does not know the public IP address of the player? Well, it does not have to (PoC).

$ curl -si hxxp: // localhost: 1120 / agent
HTTP / 1.0 200 OK
Content-Length: 359

        "pid": 3140.000000,
        "user_id": "S-1-5-21-1613814707-140385463-2225822625-1000",
        "user_name": "S-1-5-21-1613814707-140385463-2225822625-1000",
        "state": 1004.000000,
        "version": "",
        "region": "us",
        "type": "retail",
        "opt_in_feedback": true,
        "session": "15409717072196133548",
        "authorization": "11A87920224BD1FB22AF5F868CA0E789"

The URL " hxxp://localhost:1120/agent " will be available to the attacker without authentication if a socially-tricked player visits a malicious website and sends a command to install the malware through a Blizzard agent. And how!

An attack called " DNS rebinding " causes the victim browser to run JavaScript code in the context of a given page, omitting Security Same Origin Policy. This is done by the fact that the browser refers to the IP address or domain substituted by the attacker in the local network as a domain belonging to the cheater. As a consequence, malicious scripts on the attacker's site have access to the localhost. In this case, it is a Blizzard Update Agent that listens for commands on port 1120.

Blizzard PoC

According to Activision statistics, the Blizzard Update Agent can be used by over 500 million players. The scale of the threat is huge.

Is there an update? Is. Blizzard Update Agent version 5996 was silently patched - representatives of the company who had previously contacted Tavis (discoverer of the vulnerability) stopped responding to his emails. Tavis reviewed the 5996 version once again and concluded:

Blizzard are no longer replying to any inquiries, and it looks like in version 5996 the agent now has been silently patched with a bizarre solution. Their solution appears to be the client's command line, get the 32-bit FNV-1a string hash of the exename and then check if it's in a blacklist. I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple. I'm not pleased that Blizzard pushed this patch.

So it looks like the problem is only partially fixed. The attacker still has a "gate" in the solution that Blizzard offered. Players remain waiting for the Blizzard Update Agent version greater than 5996.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.