
GOG Galaxy has a severe 2 year old security vulnerability that is still unfixed

Master Disaster

In January 2020 a white hat hacker who runs a security business discovered a zero-day exploit in CDPR's Galaxy client for its Good Old Games service. By injecting a DLL into the client it is possible to gain system administrator permissions (that's system administrator as in the Windows SYSTEM user, not just a user admin login session) and from there run arbitrary code. This bug was given a rating of 7.8 out of 10 by the NVD (source), and the hacker followed the ethical disclosure guidelines outlined by Google by first informing CDPR privately. For their part, CDPR issued a patch pretty quickly; however, this wasn't a fix. All they did was change a key, and within days the new key was found and the hack worked again. CDPR also tried the old "well, it requires the PC to already be compromised, therefore it's not that bad" defence.

Quote

GOG has a vulnerability exploit that has been seemingly ignored by the CD Projekt RED subsidiary ever since it was first sighted. The exploit was first archived as a vulnerability by the National Vulnerability Database (NVD) in August 2020. This vulnerability allows for local privilege escalation from any authenticated user to SYSTEM.

 

This exploit essentially allows users to inject DLLs into GOG's Galaxy client. Simply put, GOG can be used to escalate privileges. Thus, users can gain an administrative role in the system itself. This can essentially open the way for hackers to gain access to supply chain attacks on different systems.

 

As the NVD Database entry puts it:

The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based "trusted client" protection mechanism.

Needless to say, any user profile can give itself administrative privileges through GOG Galaxy and then gain access to every computer where the GOG Client is installed. The exploit was originally discovered by white hat hacker and Positron Security Founder Joseph Testa. However, that happened in January 2020.

 

GOG reacted by releasing an update that would fix this issue. However, it was found that this simply updated the signing key used for verifying messages. This key has been recovered and the proof-of-concept has been updated with it. So yes, the exploit still works, unmodified, and has been reported as a 0-day vulnerability in GOG's Galaxy client.

And here's a summary of the conversation thread; the full thing is (here).

Quote

GOG.com Support replied with:

“I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.”

 

Because this sounded like GOG was not taking the issue seriously, I responded with:

“It is indeed true that an attacker must have low-privilege access to the machine already. But the problem is that this can be escalated into Administrator rights by abusing the GalaxyClientService software. […] Local privilege escalation (LPE) is a serious vulnerability.

 

GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise. Unfortunately, due to the vulnerabilities I’ve discovered in GalaxyClientService, all user accounts are effectively administrators.”

CDPR, after 3 months and one failed patch, asked for another 3 months to fix the issue. At that point the white hat disclosed it, the NVD gave it its rating, and 20 months later (23 months since they were first notified) it remains unpatched. CDPR have responded by saying:

Quote

We’re aware of the security issue in GOG GALAXY and we confirm that work on the fix is ongoing. It turned out to be a very complex matter and requires changes to the design of the client itself. As always, we will inform users about the fix in the GOG GALAXY changelog once the patch is deployed. Furthermore, we want to reassure everyone that security topics are important to us and we take all of them seriously.

Currently the PoC doesn't actually work and causes Galaxy to crash; however, it's unknown if CDPR have changed something temporarily until they can fix it properly or if the PoC method is just out of date.

Quote

In its current form, the proof of concept exploit outlined by Joseph Testa only causes the Galaxy client to crash. As such, it can easily be inferred that this might be a temporary measure made by CDPR to prevent any attacks from happening while they work on solving this issue. Of course, this could also mean that the exploit no longer works with the outdated proof of concept and can be accessed by malicious attackers with a more refined process.

 

You can watch a comprehensive timeline of events that outlines the severity of the exploit in the YouTube video linked below.

Sources

WCCF - https://wccftech.com/gog-has-had-a-severe-internal-vulnerability-problem-for-nearly-2-years/

NVD - https://nvd.nist.gov/vuln/detail/CVE-2020-24574

White hats blog - https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/

And for a much deeper dive you can watch this video...

My thoughts

 

Not a good look for CDPR after the clusterfuck that was CP2077 and the hacker that pwned their entire network.

 

How can any company, let alone a computer software one, be so security inept?

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

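The trust model the opening post and the quoted NVD text describe (a SYSTEM service that runs commands for a client and authenticates them with a signing key the client itself holds), as an added example that is not part of the post, the thread or GOG's code: a constructed Python model of why rotating such a key is not a fix, beside the shape of a design that does not rely on the message to prove who sent it. The service, its operations, the `peer_is_admin` flag and the allow-list are all assumptions made for the illustration, not Galaxy's real protocol.

```python
"""Constructed model of a 'trusted client' check (not GOG Galaxy's code or protocol).

A privileged local service runs commands sent by an unprivileged client and decides
whether to trust a message by checking an HMAC tag. The key it checks against is
the same key compiled into the client binary, which every local user can read.
Every name, operation and flag below is an assumption made for this illustration.
"""
import hashlib
import hmac
import json
import re
import secrets
from dataclasses import dataclass


def sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over the canonical JSON encoding of a command."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Client:
    """The shipped client. Anything in its binary, the key included, is readable
    by any user who is allowed to run it."""
    version: str
    key: bytes


def ship_client(version: str) -> Client:
    """Vendor builds a client release with a fresh signing key. Rotating the key
    and shipping a new build is the 'patch' the thread describes."""
    return Client(version, secrets.token_bytes(32))


def extract_key(client: Client) -> bytes:
    """Stands in for reverse engineering or DLL injection: the attacker already
    runs in the same security context as the client, so its key is theirs too."""
    return client.key


def weak_service_executes(service_key: bytes, payload: dict, tag: str) -> bool:
    """Weak design: a valid tag is the only check, and 'exec' takes any command."""
    if not hmac.compare_digest(sign(service_key, payload), tag):
        return False
    return payload.get("op") == "exec"  # would run payload["cmd"] as SYSTEM


def forge(client: Client, command: str):
    """What any local user can do once they hold the client's key."""
    payload = {"op": "exec", "cmd": command}
    return payload, sign(extract_key(client), payload)


# Hardened design (assumed, not GOG's): authorization comes from the transport
# (for a Windows named pipe, the impersonated client token; modelled here as the
# peer_is_admin flag), the set of operations is fixed, and every argument is
# validated. There is no 'exec' operation, so there is nothing worth forging.
GAME_ID = re.compile(r"^[0-9]{1,12}$")
USER_OPS = {"install_game", "uninstall_game"}  # allowed for any local user
ADMIN_OPS = {"set_install_root"}                # requires an administrative caller


def hardened_service_executes(payload: dict, peer_is_admin: bool) -> bool:
    op = payload.get("op")
    if op in USER_OPS:
        # Arguments are identifiers the service maps to paths itself;
        # the caller never supplies a path or a command line.
        return bool(GAME_ID.match(str(payload.get("game_id", ""))))
    if op in ADMIN_OPS:
        return peer_is_admin
    return False  # unknown operation, 'exec' included


def demo() -> dict:
    """Walk the thread's timeline: exploit, key rotation, re-extraction."""
    v1 = ship_client("v1")
    payload, tag = forge(v1, "whoami")
    v2 = ship_client("v2")  # the 'fix': a new key in a new build
    payload2, tag2 = forge(v2, "whoami")
    return {
        "v1_forgery_runs": weak_service_executes(v1.key, payload, tag),
        "v1_forgery_after_rotation": weak_service_executes(v2.key, payload, tag),
        "v2_forgery_runs": weak_service_executes(v2.key, payload2, tag2),
        "hardened_exec_admin_peer": hardened_service_executes({"op": "exec", "cmd": "whoami"}, True),
        "hardened_user_install": hardened_service_executes({"op": "install_game", "game_id": "1207658924"}, False),
        "hardened_bad_game_id": hardened_service_executes({"op": "install_game", "game_id": "..\\..\\Windows"}, False),
        "hardened_admin_op_as_user": hardened_service_executes({"op": "set_install_root", "path": "D:\\Games"}, False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak check only proves that the message came from something holding the key, and every local user holds it, so the check never binds the caller's privilege; rotating the key just changes which bytes have to be extracted from the next build. The hardened shape asks the operating system who is calling and never accepts a command line at all, which is the kind of design change to the client itself that the CDPR statement in the post alludes to.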

39 minutes ago, Master Disaster said:

How can any company, let alone a computer software one, be so security inept?

Because failure pays... until it doesn't.

Edited by StDragon

Thankfully, GoG Galaxy isn’t required to buy and download games from them. I just download the standalone .exe files. 
 

Still not an excuse, but on the other hand, they’re the only game in town for DRM-free games. 

My eyes see the past…

My camera lens sees the present…


But man, I do love how we handle permissions. Just throw them out the windows and hope you don't get ...

Cybersecurity, in cyberpunk release in 2077

Quote

it is possible to gain system administrator permissions (that's system administrator as in the Windows system user, not just a user admin login session)


Better work on a fix for the severe vulnerability fast.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Corsair K63 Cherry MX red | Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


What I actually got from the article is that a fix is ongoing but requires more or less a complete backend redesign of how the software handles game installation, and so they implemented some form of stop-gap measure while the fix for the underlying cause was worked on, without telling anyone, in order to trip up anyone who did try to use the initial exploit.


On 12/23/2021 at 8:24 PM, Zodiark1593 said:

Thankfully, GoG Galaxy isn’t required to buy and download games from them. I just download the standalone .exe files.

That method is naturally vulnerable to a similar type of issue, as the .exe sits in a folder where the local user (and maybe a rogue unprivileged local process) has write access to it, and then it gets manually executed as admin to install the game.

(Windows may give you a yellow prompt for a missing signature instead of a blue one, but that is not a substitute for a game launcher that mandates specific signatures to execute an installer.)

 

A local privilege escalation counts as a very serious vulnerability in server environments because of how things work there.

In a home PC it matters, but it is not necessary for severe damage; e.g. ransomware can claim all the user's files even without ever becoming admin.

Needs to be fixed nevertheless.

 

Not to take the blame off CDPR, but I find gaming-related software has pretty low respect for Windows' user/admin security barrier in general; e.g. in the Ubisoft Uplay launcher I regularly met games that prompted me for admin privileges every time I started them.

         \   ^__^ 
          \  (oo)\_______
             (__)\       )\/\

Quote

"customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise. "

 

People, if anyone wants to run a game from an untrusted source, this is not the way to do it, as it compromises the daily driver user account, which is already very bad.

 

For this type of method to work one must have another (sacrificial) local account, different from the daily driver local user account, and locally running untrusted software without admin rights only makes sense there, to achieve some sort of protection.

(Even this assumes that important user files are in the home folder, system files are in protected folders, permissions are set up correctly, etc... sadly a lot of things not trivial to check as an everyday user.)

         \   ^__^ 
          \  (oo)\_______
             (__)\       )\/\
