Overwolf is a software platform designed to help developers create extensions for video games, which are then offered to users through Overwolf's App Store. These extensions provide in-game services that the game itself does not offer.
Overwolf uses the Chromium Embedded Framework (CEF) to host the client application. It also registers custom URI schemes (such as overwolfstore://) so that links can open the application and navigate directly to content inside it.
The error page shown for an invalid extension ID is vulnerable to reflected XSS. The payload is trivial: the ID taken from the link is inserted into the DOM with nothing escaped. The example exploit given in the article is overwolfstore://app/apps/<img src=x onerror=alert(document.location)>/4.
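The bug above, modelled as an added example rather than code from the article or from Overwolf: a small renderer for the invalid-extension error page that builds markup by string concatenation (the vulnerable pattern the article describes) next to one that escapes the ID first. The overwolfstore://app/apps/<id>/<n> link shape and the payload are taken from the page; the error-page markup, the helper names and the `containsHandlerTag` check are assumptions made for the demonstration.

```javascript
// Added example (not Overwolf's code). The URI shape overwolfstore://app/apps/<id>/<n>
// and the payload come from the article; the error-page markup is assumed.

// Extract the extension ID segment from an overwolfstore:// link.
// Returns null when the link does not have the app/apps/<id>/<n> shape.
function extractExtensionId(uri) {
  const m = /^overwolfstore:\/\/app\/apps\/(.+)\/\d+$/.exec(uri);
  return m ? m[1] : null;
}

// Vulnerable rendering: the untrusted ID is concatenated straight into markup,
// which is exactly what lets an attacker-controlled tag reach the DOM.
function renderErrorVulnerable(extensionId) {
  return `<div class="error">Unknown extension: ${extensionId}</div>`;
}

// Hardened rendering: escape the five characters that can change HTML context
// before the value is interpolated (or, in a real page, use textContent).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderErrorSafe(extensionId) {
  return `<div class="error">Unknown extension: ${escapeHtml(extensionId)}</div>`;
}

// Crude detector: does the rendered HTML still contain a tag with an on* handler?
// Enough to tell the two renderers apart on the sample payload.
function containsHandlerTag(html) {
  return /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: the payload quoted in the article.
const SAMPLE_LINK = "overwolfstore://app/apps/<img src=x onerror=alert(document.location)>/4";

// Run both renderers over the sample and report which one keeps the live tag.
function demo() {
  const id = extractExtensionId(SAMPLE_LINK);
  return {
    id,
    vulnerable: containsHandlerTag(renderErrorVulnerable(id)),
    safe: containsHandlerTag(renderErrorSafe(id)),
  };
}
```

Running `demo()` returns the extracted ID with `vulnerable: true` and `safe: false`; the only difference between the two renderers is the escaping step, which is the whole fix for this class of reflected XSS.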
XSS in a website and XSS in a native application are two very different things. A browser does a good job of isolating the page from the machine; a CEF-hosted native application that exposes privileged functions to its web content does not. That is what makes it possible to escalate from XSS to code execution on the device, and to get there a CEF sandbox escape needs to be found, meaning a reachable function that acts on the host with the application's privileges.
In the application, the overwolf-extensions:// URI scheme was used to open a browser, and its handler did so through a direct call to CreateProcess. The binary to launch was taken from a parameter of the URI rather than being fixed by the application, so replacing that parameter with another executable, such as calc.exe, launched that program instead. The limitation was that no arguments could be passed to the binary.
Besides the overwolf-extensions:// handler, another piece of dangerous functionality was found: overwolf.io.writeFileContents. This gave an arbitrary file write primitive, which allowed .bat files to be created.
Chaining the two gets around the no-arguments limitation: the file write (#2) drops a batch file whose contents carry whatever commands and arguments are needed, and the URI handler (#1) then executes that file as the "browser" binary. The result is arbitrary code running in the context of the application, and because the entry point is the reflected XSS described earlier, the whole chain is a one-click RCE.
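The chain from the last three paragraphs, as an added model that is not Overwolf's code and not taken from the article: a URI handler that passes a link-supplied path straight to a CreateProcess stand-in, the hardened form that only resolves a name from a fixed browser allowlist, an in-memory stand-in for the file-write primitive, and a driver that links the two bugs together. The page does not show the real overwolf-extensions:// link format or the real signature of overwolf.io.writeFileContents, so the `browser` query parameter, the `open` host, the batch-file path and the `spawn` callback are all assumptions; the example goes beyond the page only in adding the allowlisted handler as the fix a practitioner would expect.

```javascript
// Added example (not Overwolf's code). Models the two bugs on the page: a URI
// handler that CreateProcess-es a link-supplied binary with no arguments, and an
// arbitrary file write. The URI shape, the file-system map and the injected
// spawn callback are assumptions; nothing here launches a real process.

// --- host side (the native application) ------------------------------------

// Vulnerable handler: whatever path the link names is what gets executed.
// `spawn(exe, args)` stands in for CreateProcess and is injected so the model
// stays inert; it returns whatever the caller wants to record.
function handleExtensionsUriVulnerable(uri, spawn) {
  const url = new URL(uri);
  const browser = url.searchParams.get("browser");
  if (!browser) return { launched: null, reason: "no browser parameter" };
  return { launched: spawn(browser, []), reason: "ok" };   // no arguments, as on the page
}

// Hardened handler: the link may only pick a name from a fixed table, and the
// executable path comes from that table, never from the link itself.
const KNOWN_BROWSERS = {
  chrome: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",   // assumed paths
  firefox: "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
};
function handleExtensionsUriSafe(uri, spawn) {
  const url = new URL(uri);
  const name = url.searchParams.get("browser");
  if (!Object.prototype.hasOwnProperty.call(KNOWN_BROWSERS, name)) {
    return { launched: null, reason: "browser not on allowlist" };
  }
  return { launched: spawn(KNOWN_BROWSERS[name], []), reason: "ok" };
}

// --- extension side (web content inside CEF) -------------------------------

// Stand-in for the arbitrary file write: writes go into an in-memory map.
function makeFileSystem() {
  const files = new Map();
  return {
    writeFileContents: (path, content) => { files.set(path, content); return true; },
    read: (path) => files.get(path),
  };
}

// The chain: drop a .bat whose body carries the commands and arguments the
// CreateProcess call would not accept, then point the URI handler at it.
function runChain(fs, handler) {
  const spawned = [];
  const spawn = (exe, args) => { spawned.push({ exe, args }); return exe; };
  const batPath = "C:\\Users\\Public\\payload.bat";                 // assumed location
  fs.writeFileContents(batPath, "@echo off\r\ncalc.exe\r\n");       // constructed, benign body
  const link = "overwolf-extensions://open?browser=" + encodeURIComponent(batPath);
  const result = handler(link, spawn);
  return { result, spawned, batExists: fs.read(batPath) !== undefined };
}
```

Against `handleExtensionsUriVulnerable` the chain ends with the batch file handed to `spawn`; against `handleExtensionsUriSafe` the batch file is still written (the file-write bug is untouched) but nothing is launched, because the link can no longer name an executable. Fixing the handler alone closes the RCE; the file write remains a bug worth fixing on its own.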