GOG has a vulnerability exploit that has been seemingly ignored by the CD Projekt RED subsidiary ever since it was first sighted. The exploit was first archived as a vulnerability by the National Vulnerability Database (NVD) in August 2020. This vulnerability allows for local privilege escalation from any authenticated user to SYSTEM. The exploit essentially allows users to inject DLLs into GOG's Galaxy client. Simply put, GOG Galaxy can be used to escalate privileges, so any user can gain an administrative role on the system itself. This can open the way for attackers to mount supply chain attacks on different systems.

The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based "trusted client" protection mechanism. Needless to say, any user profile can give itself administrative privileges through GOG Galaxy and then gain access to every computer where the GOG client is installed.

The exploit was originally discovered by white hat hacker and Positron Security founder Joseph Testa. GOG reacted by releasing an update that would fix this issue. However, it was found that this update simply changed the signing key used for verifying messages. That key has been recovered and the proof-of-concept has been updated with it. So yes, the exploit still works, unmodified, and has been reported as a 0-day vulnerability in GOG's Galaxy client.

And here's a summary of the conversation thread; the full thing is (here):

“I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.”

Because this sounded like GOG was not taking the issue seriously, I responded with:

“It is indeed true that an attacker must have low-privilege access to the machine already. But the problem is that this can be escalated into Administrator rights by abusing the GalaxyClientService software. Local privilege escalation (LPE) is a serious vulnerability. GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise. Unfortunately, due to the vulnerabilities I’ve discovered in GalaxyClientService, all user accounts are effectively administrators.”

CDPR, after 3 months and one failed patch, asked for another 3 months to fix the issue; at that point the white hat disclosed it, the NVD gave it its rating, and 20 months later (23 months since they were first notified) it remains unpatched. Thankfully, GOG Galaxy isn't required to buy and download games from them. That method is naturally vulnerable to a similar type of issue, as the .exe sits in a folder where the local user - and maybe a rogue unprivileged local process - has write access to it, and then it gets manually executed as admin to install the game. (Windows may give you a yellow prompt for a missing signature instead of a blue one, but that is not a substitute for a game launcher that mandates specific signatures to execute an installer.)

A local privilege escalation counts as a very serious vulnerability in server environments because of how things work there. On a home PC it matters, but it is not necessary for severe damage: e.g. ransomware can claim all the user's files without ever becoming admin.
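As an added example for the manual-install case described above (not code from the original post, from GOG or from the researcher), this PowerShell pre-flight check refuses to treat a downloaded installer as safe to run elevated unless its Authenticode signature is valid and from the expected publisher, and unless no low-privilege principal can write to the folder it sits in. The expected signer pattern and the installer path are placeholders.

```powershell
# Added example, not part of the original post. Pre-flight check before an
# installer is run elevated: verifies the Authenticode signature and the ACL of
# the containing folder. $ExpectedSigner is a placeholder pattern, not a real value.
function Test-InstallerSafeToElevate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'CN=EXPECTED PUBLISHER*'   # placeholder, adjust to the real publisher
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Signature: 'Valid' alone is not enough; the signer must also be the one we expect.
    #    Unsigned or tampered binaries show up here as NotSigned / HashMismatch.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature status is '$($sig.Status)', not 'Valid'")
    } elseif ($sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
        $problems.Add("Unexpected signer: $($sig.SignerCertificate.Subject)")
    }

    # 2. Folder ACL: if Users / Authenticated Users / Everyone can write here, any
    #    unprivileged local process could swap the file before the elevated run.
    $dir = Split-Path -Parent (Resolve-Path -LiteralPath $Path).Path
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv -contains $who -and
            (([int]$ace.FileSystemRights) -band ([int]$writeMask)) -ne 0) {
            $problems.Add("$who has $($ace.FileSystemRights) on $dir")
        }
    }

    [pscustomobject]@{
        Path          = $Path
        SafeToElevate = ($problems.Count -eq 0)
        Problems      = $problems.ToArray()
    }
}

# Usage: only elevate when the check passes (constructed path).
$check = Test-InstallerSafeToElevate -Path 'C:\Users\me\Downloads\setup_game.exe'
if ($check.SafeToElevate) {
    Start-Process -FilePath $check.Path -Verb RunAs
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```

Running the installer from a folder only administrators can modify (for example after copying it there as admin) clears the ACL finding; the signer check is what the page's "launcher that mandates specific signatures" point asks for.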