This article covers a vulnerability discovered in GOG Galaxy, which may result in Local Privilege Escalation due to a lack of authorization of commands sent via a local TCP connection. An attacker may exploit this vulnerability to gain SYSTEM privileges on a Windows system where the GOG Galaxy software is installed.

I’ve recently started looking at the security posture of various games-related platforms, as they look like a rather promising target. Modern games are installed by billions of users. Very often, to install a game, a user has to use specific platforms – some of the games are distributed using Steam, some using the Epic Games store… Apart from that, separate platforms may be needed to actually launch the game or to interact with its social features. Their typical architecture is quite similar and usually includes at least one component which is running with higher privileges – often with SYSTEM privileges. The role of such a component may be to allow seamless game installations, moving files around or simply installing updates. The potential impact of security issues discovered in those platforms may be quite huge.

In this article, I would like to cover the vulnerability discovered in GOG Galaxy. The vulnerability was reported on August 22nd and was recently fixed. The fix was deployed in version 1.2.60. All previous versions are affected (including previous builds of the Galaxy 2.0 Beta). The oldest version that I could find was GOG Galaxy 1.0.2.958. This vulnerability has been assigned the identifier CVE-2019-15511.

The service’s binary, GalaxyClientService.exe, does not properly restrict commands sent via a local TCP connection. There are no origin, authentication or authorization verification mechanisms involved, and any valid command sent to the service will result in execution with SYSTEM privileges. The commands do not allow for arbitrary code execution per se; instead, the protocol defines a number of privileged commands, such as FixDirectoryPrivilegesRequest, that can be used to take over any file. The full list of commands will be covered further in the article.

The service is automatically started during the initialization of the GOG Client. By verifying its permissions, we can see that it can also be manually started or stopped by any user. The ability to start the service on demand will be very useful at the end of the attack. The GOG Client needs to somehow communicate with the service. Various launchers use different protocols: some are based on file interfaces, some use pipes. In the case of Galaxy, we have to look into local TCP traffic.
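The permission check mentioned above (whether the privileged service can be started or stopped by any user) can be reproduced with the following PowerShell snippet. It is an added example, not code from the original article or from GOG: the service name GalaxyClientService is an assumption and should be replaced with the real one, and the script only reads the service's security descriptor via sc.exe sdshow and decodes which principals hold the SERVICE_START (RP) and SERVICE_STOP (WP) rights.

```powershell
# Added example, not from the original article or from GOG.
# Lists which principals can start or stop a Windows service by parsing the
# service's security descriptor (SDDL) as printed by "sc.exe sdshow".
# The default service name below is an assumption; pass the real one with -ServiceName.
param([string]$ServiceName = 'GalaxyClientService')

# sc.exe sdshow prints an empty line followed by the SDDL string ("D:(...)S:(...)").
# Note: "sc" alone is a PowerShell alias for Set-Content, so call sc.exe explicitly.
$sddl = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $sddl) { throw "Could not read the security descriptor of service '$ServiceName'." }
$sddl = $sddl.Trim()

# Well-known SID abbreviations that stand for broad groups of users.
$broadPrincipals = @{
    'WD' = 'Everyone'
    'AU' = 'Authenticated Users'
    'BU' = 'Builtin Users'
    'IU' = 'Interactive Users'
}

# Service-specific access rights as encoded in SDDL:
# RP = SERVICE_START, WP = SERVICE_STOP, GA/FA = generic/full access.
# (Rights expressed as a raw hex mask instead of letter codes are not decoded here.)
$startCodes = @('RP', 'GA', 'FA')
$stopCodes  = @('WP', 'GA', 'FA')

$acePattern = '\((A|D);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)'
$results = foreach ($ace in [regex]::Matches($sddl, $acePattern)) {
    if ($ace.Groups[1].Value -ne 'A') { continue }   # only "access allowed" entries matter here
    $rights = $ace.Groups[3].Value
    $sid    = $ace.Groups[6].Value
    # Rights are a sequence of two-letter codes; split them into pairs rather than
    # substring-matching so that adjacent codes cannot be misread.
    $codes = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
    [pscustomobject]@{
        Principal = if ($broadPrincipals.ContainsKey($sid)) { $broadPrincipals[$sid] } else { $sid }
        IsBroad   = $broadPrincipals.ContainsKey($sid)
        CanStart  = [bool]($codes | Where-Object { $startCodes -contains $_ })
        CanStop   = [bool]($codes | Where-Object { $stopCodes -contains $_ })
    }
}

$results | Format-Table -AutoSize

# A SYSTEM service that any user may start or stop is the condition the article relies on.
$exposed = $results | Where-Object { $_.IsBroad -and ($_.CanStart -or $_.CanStop) }
if ($exposed) {
    Write-Warning "Service '$ServiceName' can be started/stopped by broad principals: $($exposed.Principal -join ', ')"
} else {
    Write-Host "Service '$ServiceName': start/stop is restricted to specific principals."
}
```

Reading a service's security descriptor does not require elevation, so the check can be run from a normal prompt. For a service running as SYSTEM, any entry in the table where a broad group (Everyone, Authenticated Users, Builtin Users, Interactive Users) has CanStart or CanStop set is worth tightening, since it lets unprivileged code control when the privileged component is running.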