DNS error allows to hack millions of PCs on all Blizzard games

On January 22, Google researcher Tavis Ormandy discovered a Rebinding DNS error that allowed anyone to pretend to be a server to update and distribute malicious code when Update Agent thought it was a game update.

Specifically, according to the bug report, the Blizzard Update Agent contains a JSON RPC server that other applications send commands to interact with the Agent. According to Ormandy, he can use the browser and bring JavaScript code to users, attack the server and "force" the Agent's update server to the infected server.

The Blizzard Update Agent is silently patched

After Ormandy revealed this error on Twitter and said that Blizzard patched it without saying anything.

The Blizzard Update Agent update (version 5996) takes the name of the application when sending the command to the JSON RPC server, computes a 32-bit hash string FNV-1a and compares it to the list of unauthorized applications.

The vulnerability fake Blizzard game updates

While Ormandy offered to use the whitelist, Blizzard came up with a blacklisted solution, which he considered "perfect and maintained" so the way Blizzard applied was too simple.

Maybe many other applications get the same error

Ormandy created a PoC page to simulate a DNS Rebinding attack using the Blizzard Update Agent.http://lock.cmpxchg8b.com/yah4od7N.html. There are also other sites to attack on other applications and to find other applications with similar errors. https://lock.cmpxchg8b.com/rebinder.html

Ormandy had earlier found this error in Transmission BitTorrent.

See more:

1. Quickly register to play Age of Empires 4K upgrade version of the graphic
2. Quickly download 6 games that are free for a short time
3. How to install the Rules Of Survival game on PC