We recently assessed the security posture of the Electronic Arts Origin Client and discovered a privilege escalation issue that would allow a low privilege attacker to elevate privileges to NT AUTHORITY\SYSTEM. This has been recorded as CVE-2020-27708.
Origin is a digital distribution platform by Electronic Arts, which owns the EA Games brand. Electronic Arts acquired the Origin trademark when it purchased Origin Systems in 1992. The platform allows a reported 39 million users to download and install games by Electronic Arts.
An initial look with procmon
First, we used the free SysInternals Process Monitor tool (procmon) to look for any low-hanging fruit. Something immediately stood out: two system services were looking for the directory C:\platforms, which they were not able to locate.
In Microsoft Windows, any user is by default able to create a directory in the root of the C drive. So, we proceeded to do just this.
We followed this with a second run of procmon.
As can be seen in the second procmon output, a directory listing takes place on the C:\platforms directory, which is interesting and something we made a note of.
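The procmon observation above (a service probing a path that does not exist, below a directory any user can create) can be found systematically. The following PowerShell script is an added example, not part of the original post: it reads a procmon CSV export, keeps the CreateFile calls that failed with NAME NOT FOUND or PATH NOT FOUND, and reports those whose nearest existing parent directory grants a create right to a group every local user belongs to. The CSV path and the function names are assumptions of this example.

```powershell
# Added example (not from the post): triage a Process Monitor CSV export for
# CreateFile calls that failed with NAME/PATH NOT FOUND and whose nearest existing
# parent directory lets non-admin users create children (the C:\platforms pattern).
# Assumes the default procmon columns exported via File > Save > CSV; $CsvPath is a placeholder.

$CsvPath = 'C:\temp\Logfile.CSV'   # placeholder: path of your procmon export

# Groups every interactive local user belongs to. On a default install C:\ grants
# Authenticated Users CreateDirectories, which is why any user could create C:\platforms.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE')
$CreateMask = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles'

function Get-NearestExistingParent([string]$Path) {
    # Walk up until a directory exists: C:\platforms\qwindows.dll -> C:\platforms -> C:\
    $p = Split-Path -Path $Path -Parent
    while ($p -and -not (Test-Path -LiteralPath $p)) { $p = Split-Path -Path $p -Parent }
    return $p
}

function Test-LowPrivCanCreate([string]$Dir) {
    # True if an allow ACE that applies to the folder itself gives a low-privilege
    # principal a create right (Modify, Write and FullControl all include these bits).
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $CreateMask) -ne 0) { return $true }
    }
    return $false
}

Import-Csv -LiteralPath $CsvPath |
    Where-Object { $_.Operation -eq 'CreateFile' -and $_.Result -match 'NOT FOUND' -and
                   $_.Path -match '^[A-Za-z]:\\' } |
    Select-Object -Property 'Process Name', Path -Unique |
    ForEach-Object {
        $parent = Get-NearestExistingParent -Path $_.Path
        if ($parent -and (Test-LowPrivCanCreate -Dir $parent)) {
            [pscustomobject]@{ Process = $_.'Process Name'; MissingPath = $_.Path; CreatableIn = $parent }
        }
    } | Format-Table -AutoSize
```

Adding procmon's optional User column before exporting lets you restrict the output to processes running as SYSTEM or Local Service, which are the ones worth chasing.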
A closer look with ProcessHacker
Our next course of action was to have a look at one of the service processes, OriginWebHelperService.exe, using another free tool called ProcessHacker. Something immediately stood out to us, which can be seen in the image below: OriginWebHelperService.exe is loading a DLL, qwindows.dll, from the directory C:\Program Files (x86)\Origin\platforms\.
Because of the similar names, C:\platforms and C:\Program Files (x86)\Origin\platforms\, we decided to copy the contents of the C:\Program Files (x86)\Origin\platforms\ directory into the C:\platforms directory. We then ran ProcessHacker again to view the loaded modules within OriginWebHelperService.exe. Surprisingly, the copy of qwindows.dll in C:\platforms was loaded directly into the OriginWebHelperService.exe process.
A bump in the road
The next step was to replace qwindows.dll with our own malicious DLL that would open a command prompt on behalf of a low privilege user. This is where we hit a slight bump in the road. We could see in a procmon log that our DLL was being read; however, it was then closed and the original qwindows.dll was read from the Program Files path.
Using another free tool, CFF Explorer, we took a look at qwindows.dll, which has only two exported functions.
Looking at the sections within qwindows.dll, two stood out to us: .qtmetad and .gfids. What if the Origin Client executables are scanning the DLLs in the C:\platforms directory and looking for these sections before loading the DLL?
We decided to find out and proceeded to copy the data from these two sections, adding the data to our own malicious DLL into sections with identical names.
Successful privilege escalation
The result was immediate; our DLL was loaded into the OriginWebHelperService.exe process. OriginWebHelperService runs as Local Service, which is a low privilege account, so some further effort is required in order to gain full NT AUTHORITY\SYSTEM privileges.
A recent paper by Antonio Cocomazzi details several ways to break out of Local Service accounts by abusing SeImpersonatePrivilege. We could have attempted to use the “Chimichurri Reloaded” technique, for example.
However, there is another service included with Origin, “Origin Client Service”, which runs under the account NT AUTHORITY\SYSTEM and shares the same DLL hijacking vulnerability as the OriginWebHelperService. At this point we changed our focus to “Origin Client Service”.
Using the sdshow command of sc.exe, the Windows Service Control tool, it was possible to view the security permissions of the Origin Client Service:
The Security Descriptor Definition Language (SDDL) output from the sc sdshow command allows us to view the Security Descriptor, which suspiciously contains an access control entry for the well known SID string “BU”, which represents the BUILTIN\Users group.
More detail can be obtained using a PowerShell script:
This allowed us to determine that any user is able to start and stop the OriginClientService.exe service process. This is an added bonus; we now don’t have to wait for a reboot in order to execute our malicious payload; we can simply start the service and get as many elevated command prompts as we want.
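The BU entry in the sc sdshow output above is the kind of thing a service audit should flag automatically. The following PowerShell is an added example, not the script referenced in the post: it parses each service's SDDL with the .NET RawSecurityDescriptor class, decodes the service-specific access mask bits, and reports services that a low-privilege group can start, stop or reconfigure together with the account the service runs as. The function and variable names are assumptions of this example.

```powershell
# Added example (not the script referenced in the post): audit service DACLs for
# start/stop/reconfigure rights granted to groups every local user belongs to.
# Runs on Windows PowerShell 5.1+; access-mask bits follow winsvc.h.

$ServiceRights = @{
    0x0002  = 'CHANGE_CONFIG'   # SDDL "DC": rewrite binary path / account
    0x0010  = 'START'           # SDDL "RP"
    0x0020  = 'STOP'            # SDDL "WP"
    0x10000 = 'DELETE'          # SDDL "SD"
    0x40000 = 'WRITE_DAC'       # SDDL "WD": rewrite this very ACL
    0x80000 = 'WRITE_OWNER'     # SDDL "WO"
}
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone (WD)'
    'S-1-5-4'      = 'INTERACTIVE (IU)'
    'S-1-5-11'     = 'Authenticated Users (AU)'
    'S-1-5-32-545' = 'BUILTIN\Users (BU)'
}

function Get-WeakServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses any SDDL string; no service-specific rights enum needed.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Deny ACEs only remove access; only allow ACEs for low-privilege SIDs are interesting.
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        $granted = @($ServiceRights.Keys | Where-Object { ($ace.AccessMask -band $_) -ne 0 } |
                     ForEach-Object { $ServiceRights[$_] })
        if (($ace.AccessMask -band 0x10000000) -ne 0) { $granted += 'GENERIC_ALL' }   # SDDL "GA"
        if ($granted.Count -gt 0) {
            [pscustomobject]@{ Principal = $LowPrivSids[$sid]; Rights = ($granted -join ',') }
        }
    }
}

# Walk every installed service, read its SDDL with sc.exe sdshow (the tool used in the post)
# and report the ones a low-privilege group can start, stop or reconfigure, with the account
# the service runs as: SYSTEM plus a user-writable load path is the combination that matters.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $sddl = ((& sc.exe sdshow $svc.Name 2>$null) -join '') -replace '\s', ''
    if ($sddl -notmatch '^D:') { continue }    # e.g. "[SC] OpenService FAILED 5" (access denied)
    foreach ($w in @(Get-WeakServiceAce -Sddl $sddl)) {
        '{0} ({1}): {2} -> {3}' -f $svc.Name, $svc.StartName, $w.Principal, $w.Rights
    }
}
```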
While both the OriginWebHelperService and the OriginClientService were vulnerable to the issue, the path of least resistance was to exploit the OriginClientService, gaining SYSTEM privileges directly.
CVE-2020-16091 for EA Games Origin Client
We were initially issued CVE-2020-16091 by MITRE, which exclusively describes the vulnerability in this post. Electronic Arts subsequently became a CNA and have issued a new CVE number, CVE-2020-27708, which merges a lower impact incarnation of this vulnerability with our original finding. We have opted to lead with CVE-2020-27708, with a reference to CVE-2020-16091 noted here to avoid confusion.
It takes relatively low effort to audit for DLL path hijacks. Tools such as Process Monitor are freely available and should be leveraged as part of a product’s testing cycle.
Developers should also assess whether they really need a service to run as NT AUTHORITY\SYSTEM. For most practical purposes, running a service under the Local Service account is just as effective and more secure; the Local Service account has various privilege restrictions, although it is not immune to further privilege escalation itself.
We identified this vulnerability in Electronic Arts Origin Windows client, version 10.5.77.42374 – 763270. The vendor has patched this vulnerability in version 10.5.87.45080 of the client.
- 27 July 2020 – Initial discovery
- 28 July 2020 – CVE-2020-16091 issued by MITRE
- 8 September 2020 – Electronic Arts informed of vulnerability
- 19 September 2020 – Electronic Arts granted CNA status
- 28 October 2020 – Electronic Arts issued CVE-2020-27708
- 29 October 2020 – Electronic Arts released patch
- 3 November 2020 – Nettitude release vulnerability analysis
- Origin has 39 million users – https://venturebeat.com/2013/01/30/origin-has-39-million-users-and-4-other-surprising-numbers-about-ea/
- Process Monitor – https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
- ProcessHacker – https://processhacker.sourceforge.io/
- CFF Explorer – https://ntcore.com/
- Well known SID strings – https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
- Using PowerShell to view service ACL’s – https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
- Windows Privilege Escalations: Still abusing Service Accounts to get SYSTEM privileges – https://www.romhack.io/dl-2020/RH2020-slides-Cocomazzi.pdf
- Chimichurri Reloaded – https://itm4n.github.io/chimichurri-reloaded/