The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based "trusted client" protection mechanism. Needless to say, any user profile can give itself administrative privileges through GOG Galaxy and then gain access to every computer where the GOG Client is installed.

The exploit was originally discovered by white hat hacker and Positron Security founder Joseph Testa. GOG reacted by releasing an update that would fix this issue. However, it was found that this simply updated the signing key used for verifying messages. This key has been recovered and the proof-of-concept has been updated with it. So yes, the exploit still works, unmodified, and has been reported as a 0-day vulnerability in GOG's Galaxy client.

Joseph Testa posted a comprehensive analysis that detailed some of his conversations with GOG Support. This conversation started on June 4, 2020, and the entire thread can be read in the link above. Quoting from that analysis, GOG Support wrote:

“I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.”

Because this sounded like GOG was not taking the issue seriously, I responded with:

“It is indeed true that an attacker must have low-privilege access to the machine already. But the problem is that this can be escalated into Administrator rights by abusing the GalaxyClientService software. Local privilege escalation (LPE) is a serious vulnerability. GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise.”
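As an added defender-side check that is not part of the original post or of Testa's work: a PowerShell audit that reports whether the GOG GALAXY service runs as SYSTEM and whether the installed GalaxyClient.exe is at or below 2.0.41, the version the post names as affected. The service name 'GalaxyClientService' and the placement of GalaxyClient.exe beside the service binary are assumptions; adjust them to your environment.

```powershell
# Added audit example, not code from the original post. Reports hosts where the
# GOG GALAXY service runs as SYSTEM and the client binary is at or below the
# affected version (2.0.41) named in the post.
# Assumptions: the service is registered as 'GalaxyClientService' and
# GalaxyClient.exe sits in the same directory as the service binary.

$AffectedThrough = [version]'2.0.41'

function Get-GalaxyExposure {
    param([string]$ServiceName = 'GalaxyClientService')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; Exposed = $false; Reason = 'service not found' }
    }

    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $clientExe = Join-Path (Split-Path -Parent $exePath) 'GalaxyClient.exe'

    # Parse the leading dotted number of the product version (e.g. '2.0.41.12').
    $ver = $null
    $verString = (Get-Item -LiteralPath $clientExe -ErrorAction SilentlyContinue).VersionInfo.ProductVersion
    if ($verString -match '^\d+(\.\d+){1,3}') { $ver = [version]$Matches[0] }

    $runsAsSystem    = $svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    $affectedVersion = ($null -ne $ver) -and ($ver -le $AffectedThrough)

    $reason = if ($runsAsSystem -and $affectedVersion) { 'SYSTEM service with client at or below 2.0.41' }
              elseif ($null -eq $ver) { 'client version unknown; inspect manually' }
              else { 'client above 2.0.41; confirm the fix is more than a key rotation' }

    [pscustomobject]@{
        Installed  = $true
        Service    = $svc.Name
        RunsAs     = $svc.StartName
        ClientPath = $clientExe
        Version    = $ver
        Exposed    = ($runsAsSystem -and $affectedVersion)
        Reason     = $reason
    }
}

Get-GalaxyExposure | Format-List
```

Because the post reports that GOG's update only rotated the signing key, a version above 2.0.41 is not by itself evidence that the service no longer executes commands on behalf of a local user; treat the version check as a triage signal, not a clean bill.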