![]() ![]() Of course, this could also mean that the exploit no longer works with the outdated proof of concept and can be accessed by malicious attackers with a more refined process. As such, it can easily be inferred that this might be a temporary measure made by CDPR to prevent any attacks from happening while they work on solving this issue. In its current form, the proof of concept exploit outlined by Joseph Testa only causes the Galaxy client to crash. Furthermore, we want to reassure everyone that security topics are important to us and we take all of them seriously. As always, we will inform users about the fix in the GOG GALAXY changelog once the patch is deployed. It turned out to be a very complex matter and require changes made to the design of the client itself. We’re aware of the security issue in GOG GALAXY and we confirm that the works on the fix are ongoing. When Wccftech reached out to GOG earlier this week for comment regarding this situation, they replied with the following statement: Hell, why would a development team not fix something like this in their software? Too bad this is not the case, and your system is still vulnerable if you have GOG Galaxy 2.0 installed. My major concern is people assume that, since it has been so long past the 3-month timeline the developers proposed for a fix, that it has been fixed. As the poster of the Reddit thread that discovered that the exploit still works puts it: In other words, any user who installs Galaxy 2.0 will run the risk of having an attacker gain administrator access. In fact, as recently as September 2021, it's been confirmed that the GOG Galaxy 2.0 exploit continues to work. Of course, since the Advisory is currently online, that means that this fix wasn't provided after the 3-month time passed. Shortly afterward, GOG told Joseph that their developers needed three months to create a solution. Unfortunately, due to the vulnerabilities I’ve discovered in Galax圜lientService, all user accounts are effectively administrators.” GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise. Local privilege escalation (LPE) is a serious vulnerability. ![]() But the problem is that this can be escalated into Administrator rights by abusing the Galax圜lientService software. “It is indeed true that an attacker must have low-privilege access to the machine already. “I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.”īecause this sounded like GOG was not taking the issue seriously, I responded with: ![]() This conversation started on June 4, 2020, and the entire thread can be read in the link above. Joseph Testa posted a comprehensive analysis that detailed some of his conversations with GOG Support. ![]() So yes, the exploit still works, unmodified, and has been reported as a 0-day vulnerability in GOG's Galaxy client. This key has been recovered and the proof-of-concept has been updated with it. However, it was found that this simply updated the signing key used for verifying messages. GOG reacted by releasing an update that would fix this issue. The exploit was originally discovered by white hat hacker and Positron Security Founder Joseph Testa. Needless to say, any user profile can give itself administrative privileges through GOG Galaxy and then gain access to every computer where the GOG Client is installed. This occurs because the attacker can inject a DLL into Galax圜lient.exe, defeating the TCP-based "trusted client" protection mechanism. The client (aka Galax圜lientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. ![]()
0 Comments
Leave a Reply. |