StarCraft 2 updating Blizzard Update Agent
Any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost. To be clear, this means that *any* website can send privileged commands to the agent. He goes on to state that he did contact someone at Blizzard and provided all the information that he discovered. Well, since he reported the vulnerability, Blizzard hadn’t been in contact with Tavis. You’d think that one of the biggest gaming companies on the planet would love to know about something such as this. They even mention that the original fix he recommended is being worked on. We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue. Not to mention that this vulnerability was in the wild for how long? Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple.
As for Tavis, huge thanks from a fellow Blizzard fan for bringing this to light. The last thing I needed was for someone to set up a rogue website and run a command that initiates downloads to my PC, or worse, even sending a command to wipe my files. According to Tavis, what Blizzard did was completely different than what he recommended. Of course, Tavis wasn’t too thrilled about the entire situation. Blizzard are no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution. Tavis Ormandy, a vulnerability researcher over at Google, has documented a vulnerability that could allow anyone to send commands to Blizzard Update Agent. Now, if you are familiar with the agent, you know that this is installed with the Blizzard Launcher.
The API is a wrapper around a protobuf-defined protocol over a WebSocket connection.
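To make the two fixes discussed above concrete, here is an added example (not Blizzard's code and not from the original post) that puts a Host header allowlist next to a blacklist keyed on the 32-bit FNV-1a hash of the client executable name. The port number, the allowed host names, the executable names and the sample requests are all constructed assumptions.

```python
# Added example, not Blizzard's code. Port, host list and exe names are constructed.
AGENT_PORT = 5000
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def host_allowed(host_header, port=AGENT_PORT):
    """Allowlist check: accept only loopback names on the agent's own port."""
    value = (host_header or "").strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return False
        name, rest = value[:end + 1], value[end + 1:]
    else:
        name, sep, tail = value.partition(":")
        rest = sep + tail
    if rest != f":{port}":                         # wrong, missing or malformed port
        return False
    return name.rstrip(".") in ALLOWED_HOSTS

def fnv1a_32(data):
    """32-bit FNV-1a: XOR each byte in, then multiply by the FNV prime."""
    h = 0x811C9DC5                                 # offset basis
    for byte in data:
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h

# Blacklist keyed by hash of the client executable name (constructed names).
BLOCKED_EXE_HASHES = {fnv1a_32(b"browser-a.exe"), fnv1a_32(b"browser-b.exe")}

def exe_blacklisted(exename):
    return fnv1a_32(exename.lower().encode()) in BLOCKED_EXE_HASHES

# Constructed requests: (client executable, Host header sent).
SAMPLE_REQUESTS = [
    ("launcher.exe", "localhost:5000"),            # legitimate local client
    ("browser-a.exe", "rebind.example:5000"),      # listed browser, rebound name
    ("browser-c.exe", "rebind.example:5000"),      # unlisted browser, rebound name
    ("browser-c.exe", "localhost.rebind.example:5000"),
]

def decisions():
    """Return (exe, host, passes_blacklist, passes_host_allowlist) per request."""
    return [(exe, host, not exe_blacklisted(exe), host_allowed(host))
            for exe, host in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for row in decisions():
        print(row)
```

The Host check rejects every request that arrives under a name other than the loopback names, regardless of which program sent it, while the blacklist only stops the executables someone remembered to list.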