The GOG Galaxy client is video game management software published by GOG. An audit of its security (for versions 1.2.64 and 2.0.12.48) revealed a critical local privilege escalation flaw that allows the execution of arbitrary commands as SYSTEM.

GOG fixed this issue in v2.0.13, released on February 25, 2020. Unfortunately, I was not notified of this until April 28, 2020, the 90-day deadline as per Google's vulnerability disclosure policy. It is unknown if a fix was issued for the v1.2 branch.

Furthermore, other suspected weaknesses were found due to lax file system permissions. GOG responded that these are still under investigation. Read on to learn the detailed steps taken to find these issues.

UPDATE (August, 5:23PM EST): This issue can be tracked as CVE-2020-7352.

Local Privilege Escalation

After installing the GOG Galaxy client v1.2.64, I observed that a Windows service named GalaxyClientService runs with SYSTEM privileges and listens on localhost:9978 for connections. Its log file, C:\ProgramData\GOG.com\Galaxy\logs\GalaxyClientService.log, shows requests coming in that carry commands to update the software using elevated privileges:

14:54:51.804 : RunUserProcess will use SYSTEM impersonation for elevated process: "C:\ProgramData\GOG.com\Galaxy\redists\GalaxyUpdater.exe" /clientUpdatePath="C:\Program Files (x86)\GOG Galaxy" /globalRedistUpdatePath="C:\ProgramData/GOG.com/Galaxy/redists" /previousClientVersion="1.2.64.2" /redistUpdatePath="C:\ProgramData/GOG.com/Galaxy/redists" /silent /updateClient /updateRedist /updateStrategy="BackgroundPrefetch"

Unfortunately, it's a binary protocol of some kind (and not something easy to understand like HTTP). So I fired up Wireshark to see what the requests look like:

Next, I whipped up a simple Python tool to replay this message.

Naturally, my next move was to change the request to try to run another executable. Unfortunately (again), making any modification to the command results in an error. In the log file we see a message claiming that verification failed:

16:35:20.724 : Failed verification in message 'LaunchElevatedRequest'.
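The replay step described in this post (capture a request to the service on localhost:9978 in Wireshark, send the same bytes back, then try a modified copy) as an added example. This is not the post author's tool and not GOG's code; it assumes nothing about the message format. The sample request, the fake service and its two replies are constructed for this example so it runs offline; against the real service you would paste Wireshark's hex export into hex_stream_to_bytes and call replay with the default host and port.

```python
"""Replay a captured TCP request blob (e.g. a GalaxyClientService message).

Added example, not the original post's tool. Wireshark's "Copy as Hex Stream"
gives a bare hex string; hex dumps with spaces/colons or \\x escapes are also
accepted. A constructed fake service stands in for GalaxyClientService so the
module runs offline; it answers OK to the exact captured blob and a failure
marker to anything else, mirroring the post's observation that any modified
request is rejected. The real protocol and replies are undocumented here.
"""
import re
import socket
import threading

GALAXY_HOST = "127.0.0.1"
GALAXY_PORT = 9978  # port the real GalaxyClientService listens on (from the post)

# Constructed sample request: a length-prefixed command string. Not the real
# wire format, just something a capture would plausibly contain.
_BODY = b"C:\\ProgramData\\GOG.com\\Galaxy\\redists\\GalaxyUpdater.exe /silent"
SAMPLE_REQUEST = len(_BODY).to_bytes(4, "big") + _BODY
SAMPLE_HEX_STREAM = SAMPLE_REQUEST.hex()  # what "Copy as Hex Stream" would yield

# Constructed replies used only by the fake service below.
OK_REPLY = b"\x00\x00\x00\x02OK"
FAIL_REPLY = b"\x00\x00\x00\x13verification failed"


def hex_stream_to_bytes(text: str) -> bytes:
    """Turn a Wireshark hex stream or hex dump fragment into bytes.

    Strips whitespace, ':' and ',' separators and '\\x' escape prefixes, so
    '0a0b', '0a 0b', '0a:0b' and '\\x0a\\x0b' all parse to the same bytes.
    """
    cleaned = re.sub(r"\\x|[\s:,]", "", text)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})*", cleaned):
        raise ValueError("input is not an even-length hex string")
    return bytes.fromhex(cleaned)


def patch_bytes(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace exactly one occurrence of old with new.

    Refuses if old is absent or appears more than once, so a partial match
    elsewhere in the blob is never patched by accident. Length or integrity
    fields in the message are deliberately not fixed up: that untouched
    verification step is what the service log reports as a failure.
    """
    if blob.count(old) != 1:
        raise ValueError("patch target must occur exactly once")
    return blob.replace(old, new, 1)


def replay(blob: bytes, host: str = GALAXY_HOST, port: int = GALAXY_PORT,
           timeout: float = 3.0, max_reply: int = 1 << 16) -> bytes:
    """Send blob to host:port over TCP and return the raw reply.

    Reads until the peer closes, max_reply bytes arrive, or the socket is
    quiet for `timeout` seconds (binary protocols rarely tell you the reply
    length up front). Connection errors propagate to the caller.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(blob)
        reply = b""
        while len(reply) < max_reply:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            reply += chunk
        return reply


def start_fake_service(expected: bytes, ok_reply: bytes = OK_REPLY,
                       fail_reply: bytes = FAIL_REPLY):
    """Constructed stand-in for the real service, for offline runs only.

    Listens on an ephemeral loopback port in a daemon thread. Each connection
    is read until it goes quiet, compared byte-for-byte with `expected`, and
    answered with ok_reply on a match or fail_reply otherwise.
    Returns the (host, port) tuple to pass to replay().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.settimeout(0.5)  # request is complete once the client goes quiet
            got = b""
            while True:
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                got += chunk
            conn.sendall(ok_reply if got == expected else fail_reply)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_fake_service(SAMPLE_REQUEST)
    captured = hex_stream_to_bytes(SAMPLE_HEX_STREAM)
    print("unmodified replay ->", replay(captured, host, port))
    modified = patch_bytes(captured, b"GalaxyUpdater.exe", b"cmd.exe")
    print("modified replay   ->", replay(modified, host, port))
```

The timeout-based read is the important design choice: without knowing the framing, the only safe way to collect a reply from a binary service is to wait for EOF or silence, and the same trick is used on the fake side to know when a request has fully arrived.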