![]() ![]() The TCP request was coming from my custom process that had nothing to do with GOG Galaxy. I’ve changed “ temp” directory permissions (so that only SYSTEM could access it) and manually replayed the packet – as expected the permissions for Everone have been restored. If the action can be replayed, it means that there is no time-based signature or anything like that. The basic approach in this situation is to try to replay the packet. ![]() Everyone includes, well, everyone, hence it’s really interesting to see if the packet can be anyhow manipulated. After these packets were exchanged, the directory called C:\ProgramData\GOG.com\Galaxy\temp was modified and Full Control access was granted to Everyone group. The red traffic comes from the client, while blue traffic comes from the service. The service is using some custom-made protocol, but it’s quite easy to notice some patterns inside it. They contain detailed information about performed actions (including internal names), but also errors in case malformed packets are seen. Another useful source of information is logs written on the disk by the service itself. Having Procmon running at the same time allows correlating the packets with observed actions (e.g. Peeking into traffic sent over localhost is possible with newer versions of Wireshark with Npcap driver (packets don’t go over normal network drivers so special support is required). The TCP traffic exchanged between two processes, indicates that service is binding to port 9978/TCP right after it is started and the client briefly exchanges several requests with it. The communication between GOG Galaxy client and the service can be analyzed using Procmon from Sysinternals suite. In the case of Galaxy, we have to look into local TCP traffic. Various launchers are using different protocols, some are based on the file interfaces, some are using pipes. The GOG Client needs to somehow communicate with the service. ![]() The ability to start the service on demand will be very useful at the end of the attack. By verifying its permissions, we can see that it can be also manually started or stopped by any user. The service is automatically started during the initialization of GOG Client. The full list of commands will be covered further in the article. The commands do not allow for arbitrary code execution per se, instead, the protocol defines a number of privileged commands, such as FixDirectoryPrivilegesRequest that can be used to take over any file. There are no origin, authentication or authorization verification mechanisms involved, and any valid command send to the service will result in execution with SYSTEM privileges. Service’s binary Galax圜lientService.exe does not properly restrict commands sent via a local TCP connection. This vulnerability has been assigned identifier CVE-2019-15511. The oldest version that I could find was GOG Galaxy 1.0.2.958. Affected are all previous versions (including previous builds of Galaxy 2.0 Beta). The fix was deployed on in version 1.2.60. The vulnerability has been reported on August 22nd and was recently fixed. In this article, I would like to cover the vulnerability discovered in GOG Galaxy. ![]() The role of such a component may be to allow seamless game installations, moving files around or simply installing updates. Their typical architecture is quite similar and usually includes at least one component which is running with higher privileges – often with SYSTEM privileges. The potential impact of security issues discovered in those platforms may be quite huge. Very often, to install the game, a user has to use specific platforms – some of the games are distributed using Steam, some using Epic Games store… Apart from that, separate platforms may be needed to actually launch the game or to interact with its social features. Modern games are installed by billions of users. I’ve recently started looking at the security posture of various games-related platforms as they look like a rather promising target. The attacker may exploit this vulnerability to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. This article covers a vulnerability discovered in GOG Galaxy, which may result in Local Privilege Escalation due to a lack of authorization of commands sent via a local TCP connection. ![]()
0 Comments
Leave a Reply. |