Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2018-3974: TALOS-2018-0640 || Cisco Talos Intelligence Group

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s install directory. An attacker can overwrite an executable that is launched as a system service on boot by default to exploit this vulnerability and execute arbitrary code with system privileges.

CVE
#vulnerability#windows#microsoft#cisco#intel#auth

Summary

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s install directory. An attacker can overwrite an executable that is launched as a system service on boot by default to exploit this vulnerability and execute arbitrary code with system privileges.

Tested Versions

Gog Galaxy 1.2.45.61 (Windows 64-bit Installer)

Product URLs

https://www.gog.com/galaxy

CVSSv3 Score

9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276: Incorrect Default Permissions

Details

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy is installed in a directory that allows anyone on the system to have “full control.” This allows all users to read, write or modify arbitrary files in the install directory.

``` C:>icacls “C:\Program Files (x86)\GOG Galaxy” C:\Program Files (x86)\GOG Galaxy Everyone:(F) Everyone:(OI)(CI)(IO)(F) Everyone:(OI)(CI)(IO)(M,WDAC,WO,GA,DC) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

GalaxyClientService.exe is installed as a local service that is run with NT AUTHORITY\SYSTEM privileges and allows users to replace or modify the executable.

C:\>icacls "C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe Everyone:(I)(F)
                                                          NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          ORBIT\rjohnson:(I)(F)
                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

This command shows that the service runs with LocalSystem permissions.

C:\>sc qc GalaxyClientService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GalaxyClientService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : GalaxyClientService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

This shows that this service is set to start manually on demand. GOG Galaxy installs a registry key to launch the GalaxyClient.exe on login, which in turn triggers the privileged service to run.

C:\tools\sysinternals>autorunsc64.exe -a l -m
-- snip --
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   GalaxyClient
     C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe /launchViaAutoStart
     GOG Galaxy
     GOG.com
     1.2.45.61
     c:\program files (x86)\gog galaxy\galaxyclient.exe
     7/10/2018 3:39 AM
--snip--

Mitigation

Users of GOG Galaxy can replace the Full Control permission with Read and Execute for the Everyone group on the GOG Galaxy install directory and ensure all file system objects below that path inherit from the parent directory.

Timeline

2018-09-10 - Vendor Disclosure
2018-11-29 - Vendor Patched
2019-03-26 - Public Release

Discovered by Richard Johnson of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907