Researchers used custom URL schemes to achieve XSS and a sandbox escape
The critical flaw (CVE-2021-33501), which has a CVSS score of 9.6, stems from how Overwolf mishandled custom URLs used by Windows applications to “run a particular installed application when invoked”, according to a security advisory from SwordBytes Security.
Unauthenticated attackers can achieve RCE on vulnerable clients by combining a reflected cross-site scripting (XSS) bug with a Chromium Embedded Framework (CEF) sandbox escape.
Overwolf has been used by around 30,000 developers to create more than 90,000 extensions for games including Fortnite, Among Us, and World of Warcraft.
Custom URL schemes are often used to navigate to a URL directly from the browser, which attackers can achieve “by redirecting valid users to a malicious link that abuses Overwolf’s custom URL handler ‘overwolfstore://’,” said Joel Noguera, SwordBytes founder and the researcher who discovered the RCE vulnerability.
When the Overwolf client is launched, the CEF application proceeds to parse and analyze the provided URL to determine which UI should be rendered, Noguera said.
Noguera, who is based in Argentina, said attackers had free rein to “craft different payloads that may produce unexpected results” because “there is no restriction on the values accepted by [the] application” while the scheme’s parameters are decoded.
Recounting the path to XSS, the researcher said that when the ‘SECTION’ portion of the URL – usually ‘overwolfstore://app/<SECTION>/<CATEGORY>/<EXTRAS>’ – is equal to ‘apps’, the Overwolf Client generates a back-end request with the ‘CATEGORY’ value “in an attempt to obtain information about the extension being invoked”.
The ‘UNEXPECTED_VALUE’ – the unrecognised ‘CATEGORY’ value – is reflected in the response body as part of an error message, and the ‘Content-Type’ is set to ‘text/html’, he continued.
Reflected in the context of the Overwolf Store UI – “essentially a Chromium embedded browser (CEF)” – this response means “controlled content will be injected verbatim in the DOM”.
The XSS was possible, concluded Noguera, because of a “lack of sanitization of the CATEGORY’s value” and the aforementioned back-end error message.
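To make the two defensive points in that description concrete (validate the ‘CATEGORY’ value against an allowlist before it reaches the back end, and entity-encode anything that is reflected into a ‘text/html’ error page), the following is an added illustration written for this article, not code from Overwolf or SwordBytes. The handler, the allowed section set and the category pattern are assumptions made for the example; only the ‘overwolfstore://app/<SECTION>/<CATEGORY>/<EXTRAS>’ layout and the ‘apps’ section come from the advisory.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Assumed allowlist for the example: 'apps' is the only section the advisory names.
ALLOWED_SECTIONS = {"apps"}
# Assumed shape of a legitimate extension category: a short identifier, nothing else.
CATEGORY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def parse_store_url(url):
    """Split an overwolfstore://app/<SECTION>/<CATEGORY>/<EXTRAS> URL into its parts.

    Raises ValueError for anything that is not that shape. Percent-encoding is
    decoded here so that validation sees the value the back end would see.
    """
    parts = urlsplit(url)
    if parts.scheme != "overwolfstore" or parts.netloc != "app":
        raise ValueError("not an overwolfstore://app/ URL")
    segments = [unquote(s) for s in parts.path.strip("/").split("/")]
    if len(segments) < 2 or not segments[0] or not segments[1]:
        raise ValueError("missing section or category")
    section, category = segments[0], segments[1]
    extras = "/".join(segments[2:])
    return section, category, extras


def render_error_vulnerable(category):
    """The pattern the advisory describes: the value is dropped verbatim into HTML."""
    return "text/html; charset=utf-8", f"<p>Unknown extension: {category}</p>"


def render_error_hardened(category):
    """Same error page, but the untrusted value is entity-encoded before it hits the DOM."""
    safe = html.escape(category, quote=True)
    return "text/html; charset=utf-8", f"<p>Unknown extension: {safe}</p>"


def handle_store_url(url):
    """Dispatch an incoming custom-scheme URL. Returns (status, content_type, body).

    Defence in depth: the section must be on the allowlist and the category must
    match the expected identifier shape; only if a value is shown at all does it
    go through the hardened renderer.
    """
    try:
        section, category, _extras = parse_store_url(url)
    except ValueError as exc:
        return 400, "text/plain; charset=utf-8", f"rejected: {exc}"
    if section not in ALLOWED_SECTIONS:
        return 400, "text/plain; charset=utf-8", "rejected: unknown section"
    if not CATEGORY_RE.fullmatch(category):
        content_type, body = render_error_hardened(category)
        return 400, content_type, body
    # A real client would now issue the back-end lookup; the example stops here.
    return 200, "text/plain; charset=utf-8", f"lookup extension {category!r} in section {section!r}"


if __name__ == "__main__":
    # Constructed inputs: one well-formed URL and one carrying percent-encoded markup.
    for sample in ("overwolfstore://app/apps/my-ext",
                   "overwolfstore://app/apps/%3Cb%3Ex%3C%2Fb%3E"):
        print(sample, "->", handle_store_url(sample))
```

The allowlist check alone would have stopped the reflected value from reaching the response; the escaping in the hardened renderer is the second layer for any code path that does still echo user input into an HTML context.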
Escaping the sandbox
“The main CEF process, ‘OverwolfBrowser.exe’, is running with the internal Overwolf flags enabled (--ow-enable-features and --ow-allow-internal), making it possible to call functions such as ‘overwolf.utils.openUrlInDefaultBrowser’,” explained Noguera.
And “if a value such as ‘calc.exe’ is provided, a call to ‘CreateProcess’ will be made, and the binary ‘calc.exe’ will be executed, allowing attackers to run arbitrary commands”.
The researchers then leveraged ‘overwolf.io.writeFileContents’ to write a malicious batch file to ‘C:\windows\temp\’ that was executed via the ‘openUrlInDefaultBrowser’ method to achieve RCE.
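The sandbox escape turns on two things the passage above describes: a privileged API being reachable from store-UI content, and that API handing whatever string it receives to ‘CreateProcess’. As an added illustration of the generic mitigations (this is not Overwolf’s fix, which the article does not detail), the wrapper below only accepts calls from an assumed trusted UI origin and only passes absolute http(s) URLs to the launcher; bare program names and local paths are refused before anything is spawned. The origin allowlist, function names and the injected ‘launcher’ callback are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed for the example: the only UI origin allowed to reach the privileged call.
TRUSTED_UI_ORIGINS = {"overwolf-internal://store"}


def classify_open_target(target):
    """Return 'url' for an absolute http(s) URL with a host, else a reason for refusal.

    Anything without a scheme (a bare name such as calc.exe, a UNC path) or with a
    one-letter scheme (a Windows drive letter such as C:\\...) is not a web URL.
    """
    parts = urlsplit(target.strip())
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url"
    if not parts.scheme or len(parts.scheme) == 1:
        return "refused: not an absolute URL (looks like a local path or program name)"
    return f"refused: scheme {parts.scheme!r} not allowed"


def open_url_in_default_browser(target, caller_origin, launcher):
    """Guarded version of a 'open this in the default browser' API.

    Returns (opened, reason). `launcher` stands in for the platform call that
    would actually hand the string to the OS; it is injected so the example
    runs offline and so tests can observe what would have been launched.
    """
    if caller_origin not in TRUSTED_UI_ORIGINS:
        return False, "refused: caller origin not trusted"
    verdict = classify_open_target(target)
    if verdict != "url":
        return False, verdict
    launcher(target)
    return True, "opened"


if __name__ == "__main__":
    launched = []
    # Constructed calls: a legitimate web URL, the executable name from the advisory,
    # a batch file path, and a call from an origin that is not the trusted UI.
    for target, origin in (("https://example.test/page", "overwolf-internal://store"),
                           ("calc.exe", "overwolf-internal://store"),
                           ("C:\\windows\\temp\\x.bat", "overwolf-internal://store"),
                           ("https://example.test/page", "https://untrusted.example")):
        print(target, origin, "->", open_url_in_default_browser(target, origin, launched.append))
    print("launched:", launched)
```

Checking the caller’s origin addresses the first weakness (internal functions exposed to content that should never see them); the target classification addresses the second (a URL-opening API that would launch an arbitrary binary). Either check alone would have blocked the chain the researchers describe, and a real implementation should keep both.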
“One-click attacks usually require attackers to trick the victim into performing minimal interaction,” Noguera told The Daily Swig. “In this particular case, attackers would need to convince the user to accept that the Overwolf application is going to be launched.
“It’s easy to assume that one simple click doesn’t represent a security risk, but sometimes that’s not really the case. Once that action is allowed by the user, an attacker would have control over the code being executed on their operating system.”
SwordBytes initiated contact with Overwolf Ltd on May 10, and the vendor released a hotfix addressing the issue on May 27. SwordBytes released the security advisory on May 31.
The vulnerability is present in Overwolf Client 0.169.0.22, although the advisory notes that “prior versions might also be affected”.
The latest Overwolf release, issued at the end of May, is version 0.170.
“I want to highlight the great work Overwolf did by fixing the bug as soon as possible,” Noguera said. “Once they received the information, they quickly reacted and started to work on a hotfix to protect their users.”
In response to an invitation to comment further, Overwolf simply told The Daily Swig that the fix requires no additional advice to users.
This article was updated on June 1 with comment from both SwordBytes and Overwolf