GOG Galaxy 1.2.48.36 Local Privilege Elevation Vulnerability

Summary

An exploitable local privilege elevation vulnerability exists in the file system permissions of the `Temp` directory in GOG Galaxy 1.2.48.36 (Windows 64-bit Installer). An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges.

Credit:

The information has been provided by Richard Johnson 
The original article can be found at: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0722


Details

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy extracts the executables for its automatic update function into a directory on which every user of the system has "full control". Any local user can therefore read, write or replace the files that belong to the GOG Galaxy Updater Service. The extracted files include sensitive data, such as a root CA, as well as executables that are run with SYSTEM privileges once they are installed. Because the installation step runs whatever is in the directory at that moment, an attacker who overwrites those executables before installation obtains arbitrary code execution with SYSTEM privileges.

```
C:\>icacls.exe "C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater"
C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater Everyone:(I)(F)
```
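
In the icacls output, `(I)` means the ACE is inherited from the parent directory and `(F)` grants full access, so the weak permission comes from the parent tree rather than from an explicit entry on the updater directory itself; any fix has to break inheritance, not just delete one entry. The PowerShell script below is an added example written for this page, not code from Talos or GOG. It enumerates the directory's DACL for Allow entries that give write-class rights to principals every local user belongs to, and with `-Fix` replaces the DACL so that only SYSTEM and Administrators can modify the directory. The list of "weak" principals, the set of rights treated as write-class, and the replacement ACL are this example's own assumptions; only the path is taken from the advisory.

```powershell
# Added example for this page (not from the Talos advisory or GOG):
# audit a directory's DACL for write access granted to low-privilege
# principals, and optionally replace it with a restrictive ACL.
# Run from an elevated PowerShell prompt; -Fix needs WRITE_DAC on the path.
param(
    # Path from the advisory; any directory can be passed instead.
    [string]$Path = 'C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater',
    [switch]$Fix
)

# Assumption: principals that any local user is a member of. An ACE that
# gives one of these write access to binaries later run as SYSTEM is the
# bug class described above.
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller create, replace or delete files, or rewrite the ACL.
# Modify and FullControl are supersets of these, so the bitwise test below
# catches them as well.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($WeakPrincipals -notcontains $who) { continue }
        # FileSystemRights is a flags enum; compare as integers so generic-rights
        # values that fall outside the named members still test correctly.
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # the (I) flag in icacls output
        }
    }
}

function Repair-Acl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and discard the inherited ACEs instead of
    # copying them; this is what actually removes an inherited Everyone:(F).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit rule so only the ones added below remain.
    # RemoveAccessRule ignores inherited rules; the protection flag handles those.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    # Assumed replacement policy: only SYSTEM and Administrators may write;
    # ordinary users keep read/execute so a normal Galaxy session still works.
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute')
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $r[0], $r[1], $flags, $prop, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$weak = @(Find-WeakAce -Path $Path)
if ($weak.Count -eq 0) {
    Write-Output "No write access for low-privilege principals on $Path"
} else {
    $weak | Format-Table -AutoSize
    if ($Fix) {
        Repair-Acl -Path $Path
        Write-Output "DACL on $Path reset: SYSTEM/Administrators FullControl, Users ReadAndExecute"
    }
}
```

Run the script without arguments to audit; on an install with the permissions shown in the advisory it reports `Everyone` with `FullControl` and `Inherited = True`. Run it with `-Fix` to break inheritance and apply the restrictive ACL. The same audit can be pointed at any directory an installer or service extracts into, since the pattern (world-writable staging directory, binaries later executed as SYSTEM) is not specific to GOG Galaxy.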

Vulnerable Systems:

  • GOG Galaxy 1.2.48.36

CVE Information:

CVE-2019-4048

Disclosure Timeline:
Publish Date: 05/30/2019