Some detail has been disclosed about a zero-day vulnerability in the Unity Web Player browser plugin that can allow an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services.
The partial disclosure was made after nearly six months of bug-report submissions from Finnish researcher Jouko Pynnonen to Unity that went unanswered. Pynnonen said Unity Technologies today acknowledged the bug reports and is working on a patch and improving its security response.
Unity Technologies develops the Unity Web Player alongside its game engine used to develop games for Windows PCs, Mac OS X machines, gaming consoles and mobile devices. Facebook also uses the Unity Web Player in many of its games and has an SDK it offers to embed Facebook features in games. Unity Technologies said the player has been downloaded more than 125 million times.
Despite its prevalence, a recent decision by Google to disable NPAPI in Chrome 42 mitigates this vulnerability to a large extent. NPAPI is a ’90s-era plugin API that is notorious for crashes and poses some security concerns. The Unity Web Player is now off by default in Chrome (it can be re-enabled in settings for the time being, before Google likely disallows it permanently), and the move to shut off NPAPI also disables other plugins, including Java and Silverlight, by default.
“Chrome’s decision mitigates it quite a lot. In order to run the plugin, you’d have to do a modification in the settings. This possibly will be removed later,” Pynnonen said. “Without this modification, the Unity app simply won’t start.”
An attacker exploiting the vulnerability would first have to lure the victim to the attacker’s site hosting the malicious Unity app, or inject the app onto a legitimate site or Facebook game, for example. Pynnonen explains that the vulnerability allows the malicious Unity app to bypass cross-domain policies in place that prevent apps from accessing URLs and other resources from outside websites or the local filesystem. Exploiting this vulnerability in Internet Explorer, for example, allows an attacker to read locally stored files, Pynnonen said.
Pynnonen said a malicious app loaded from the attacker’s site would force the victim’s browser to redirect to a specially crafted URL, something that is supposed to be denied by the Unity app, but is instead allowed.
“In some cases (plugin/browser versions) a dotless decimal form of the target site’s IP address must be used instead of the human-readable host name,” Pynnonen explains. “When using the dotless decimal notation, a crossdomain.xml file granting full access is required on the attacker’s website.”
A crossdomain.xml file is the mechanism by which a site relaxes the default policy that prevents this kind of outside access, declaring which other domains may read its resources.
In an example, Pynnonen demonstrates how after the application is loaded, it accesses a special URL on the attacker’s site and is returned a 301 redirection to Gmail. The browser then, with the user’s credentials, loads the victim’s email list back to the attacker where the exploit downloads individual email messages.
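The defect described above is a classic check-then-redirect mistake: the cross-domain policy is evaluated for the URL the app asks for, but the 301 that follows sends the browser, cookies and all, to a different site that was never checked. The following is an added illustration written for this article, not Unity's code and not the researcher's proof of concept. It simulates a plugin's URL loader offline with a constructed response table, shows the vulnerable check-once pattern next to a hardened version that re-evaluates the policy on every hop, and normalises the dotless-decimal IP form the article mentions so that a numeric host cannot slip past a host-name comparison. The host names, URLs and response bodies are all constructed for the example.

```python
"""Origin-policy enforcement across HTTP redirects (added example, not Unity's code).

Models the pattern the article describes: a plugin that checks its cross-domain
policy only for the URL it is first given, then follows a 301 to another site
with the user's credentials attached. The hardened loader re-checks every hop.
"""
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed, offline stand-in for the web: url -> (status, Location header, body).
# "attacker.example" is the site hosting the app; "mail.example" is an unrelated
# site the user is logged in to.  3232235777 is the dotless-decimal form of 192.168.1.1.
RESPONSES = {
    "http://attacker.example/app-data": (301, "http://mail.example/inbox", ""),
    "http://attacker.example/assets/level1.bin": (200, None, "game asset"),
    "http://mail.example/inbox": (200, None, "private mail list"),
    "http://3232235777/redir": (301, "http://mail.example/inbox", ""),
}


def normalize_host(host):
    """Canonicalise a host for policy comparison.

    Dotless-decimal hosts such as '3232235777' become '192.168.1.1', dotted
    or IPv6 literals are canonicalised, and ordinary names are lower-cased.
    """
    host = host.lower()
    if host.isdigit():
        try:
            return str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:  # integer outside the 32-bit range
            return host
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:  # not an IP literal at all
        return host


def host_allowed(url, allowed_hosts):
    """True if the URL's host matches the app's allowed origins after normalisation."""
    host = urlsplit(url).hostname or ""
    return normalize_host(host) in {normalize_host(h) for h in allowed_hosts}


def fetch_check_once(url, allowed_hosts, responses=RESPONSES, max_redirects=5):
    """Vulnerable pattern: the policy is evaluated for the initial URL only."""
    if not host_allowed(url, allowed_hosts):
        return ("blocked", url)
    for _ in range(max_redirects):
        status, location, body = responses[url]
        if status in (301, 302) and location:
            url = urljoin(url, location)  # followed without re-checking the new host
            continue
        return ("ok", body)
    return ("too-many-redirects", url)


def fetch_check_each_hop(url, allowed_hosts, responses=RESPONSES, max_redirects=5):
    """Hardened pattern: the policy is evaluated for every hop, including the last."""
    for _ in range(max_redirects):
        if not host_allowed(url, allowed_hosts):
            return ("blocked", url)
        status, location, body = responses[url]
        if status in (301, 302) and location:
            url = urljoin(url, location)
            continue
        return ("ok", body)
    return ("too-many-redirects", url)


if __name__ == "__main__":
    origin = {"attacker.example"}
    print(fetch_check_once("http://attacker.example/app-data", origin))      # leaks mail
    print(fetch_check_each_hop("http://attacker.example/app-data", origin))  # blocked
    print(fetch_check_each_hop("http://attacker.example/assets/level1.bin", origin))
```

The point to take away for anyone writing a sandboxed loader is that a redirect is a new request to a new origin, and the same policy decision has to be made again at each hop; the numeric-host normalisation matters because a policy that compares raw host strings will treat "3232235777" and "192.168.1.1" as different sites.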
“The level of [victim] interaction depends on the browser and version. Running web plugins has become more and more restricted in the recent years and months, especially on Chrome,” Pynnonen said. “Some browsers have run the app directly when viewing the page. Some of them may ask whether it should be run. The user may have a choice to allow all Unity apps when running one for the first time, etc.
“If the plugin is allowed to start, it will automatically download the app and run it, embedded in the browser,” he said. “It’s supposed to run safely in a sandbox, like Flash apps or Java applets.”