Talos Vulnerability Report

TALOS-2018-0640

GOG Galaxy service insecure file permissions local privilege elevation vulnerability

March 26, 2019
CVE Number

CVE-2018-3974

Summary

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s install directory. An attacker can overwrite an executable that is launched as a system service on boot by default to exploit this vulnerability and execute arbitrary code with system privileges.

Tested Versions

GOG Galaxy 1.2.45.61 (Windows 64-bit Installer)

Product URLs

https://www.gog.com/galaxy

CVSSv3 Score

9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276: Incorrect Default Permissions

Details

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy is installed in a directory that allows anyone on the system to have “full control.” This allows all users to read, write or modify arbitrary files in the install directory.

C:\>icacls "C:\Program Files (x86)\GOG Galaxy"
C:\Program Files (x86)\GOG Galaxy Everyone:(F)
                                  Everyone:(OI)(CI)(IO)(F)
                                  Everyone:(OI)(CI)(IO)(M,WDAC,WO,GA,DC)
                                  NT SERVICE\TrustedInstaller:(I)(F)
                                  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Users:(I)(RX)
                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

GalaxyClientService.exe is installed as a local service that runs with NT AUTHORITY\SYSTEM privileges, and the file's ACL (Everyone:(F)) lets any user replace or modify the executable.

C:\>icacls "C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe Everyone:(I)(F)
                                                          NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          ORBIT\rjohnson:(I)(F)
                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

The following sc qc output shows that the service runs under the LocalSystem account.

C:\>sc qc GalaxyClientService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GalaxyClientService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : GalaxyClientService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

This shows that the service is configured for demand start rather than automatic start. GOG Galaxy also installs a registry Run key that launches GalaxyClient.exe at login, which in turn starts the privileged service.

C:\tools\sysinternals>autorunsc64.exe -a l -m
-- snip --
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   GalaxyClient
     C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe /launchViaAutoStart
     GOG Galaxy
     GOG.com
     1.2.45.61
     c:\program files (x86)\gog galaxy\galaxyclient.exe
     7/10/2018 3:39 AM
--snip--
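The advisory establishes the problem by hand with icacls and sc qc on one service. The following PowerShell script is an added example (not Talos code) that generalizes those two checks into a host-wide audit: it walks every configured service, extracts the executable from the binary path, and reports any service whose executable or containing directory carries an Allow ACE granting write-class rights to a principal every local user holds. The principal list, the write mask and the path-parsing rule are assumptions of this example; on a host with the affected GOG Galaxy version, GalaxyClientService would be reported with Everyone holding FullControl on both the file and the directory.

```powershell
# Added example (not from the Talos advisory): audit which services on this host
# run from a binary or directory that low-privileged principals can write to.
# Assumes Windows PowerShell 5.1 or later and read access to service configuration.

# Principals that every local account is a member of; an Allow ACE for one of
# these hands the right to all users on the machine. (Assumed list.)
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that let a caller change file content or the ACL itself. Modify (M) and
# FullControl (F) are supersets of these, so they match too. Inherit-only ACEs
# expressed with generic rights (GA/GR/GE in icacls output) are not decoded here;
# the explicit (F) entry that matters on the directory is caught regardless.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-WeakAce {
    # Returns the Allow ACEs on $Path that give write-class rights to a
    # low-privileged principal. No output means the path is not writable by
    # arbitrary local users through an explicit or inherited ACE.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-ServiceWithWritableBinary {
    # Walks every service, pulls the executable out of BINARY_PATH_NAME and
    # checks both the file and its directory. A writable directory is reported
    # too, because it allows the executable to be deleted and re-created.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # Binary paths are either quoted ("C:\dir\x.exe" args) or bare (C:\dir\x.exe args).
        # The bare case is split on the first space, which is a simplification
        # for unquoted paths that themselves contain spaces.
        if ($svc.PathName -match '^"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            $exe = ($svc.PathName -split ' ')[0]
        }
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        $findings = @(Get-WeakAce -Path $exe) + @(Get-WeakAce -Path (Split-Path -Parent $exe))
        foreach ($f in $findings) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Path      = $f.Path
                Principal = $f.Principal
                Rights    = $f.Rights
            }
        }
    }
}

Get-ServiceWithWritableBinary | Format-Table -AutoSize
```

Each row pairs the account the service runs as (LocalSystem in the advisory's case) with the principal that can write to its binary; any row where RunsAs is LocalSystem and Principal is one of the low-privileged groups is the condition this advisory describes, regardless of vendor.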

Mitigation

Users of GOG Galaxy can replace the Full Control permission with Read and Execute for the Everyone group on the GOG Galaxy install directory and ensure all file system objects below that path inherit from the parent directory.
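The mitigation above, carried out with icacls and then verified, as an added example that is not part of the Talos advisory. It assumes the default install path shown in the advisory and an elevated PowerShell prompt; the remediation order (remove the Everyone grants, re-grant Read & Execute with inheritance, reset the children) is this example's choice of how to reach the state the advisory recommends.

```powershell
# Added example (not from the Talos advisory): replace Everyone's Full Control on
# the GOG Galaxy install directory with Read & Execute and make the tree inherit it.
# Run elevated. Path is the default from the advisory; adjust if installed elsewhere.
$InstallDir = 'C:\Program Files (x86)\GOG Galaxy'

# 1. Drop every Allow ACE granted to Everyone across the tree. /t recurses,
#    /c continues past individual errors. This removes the explicit (F) entry
#    and the inherit-only (OI)(CI)(IO) entries shown in the advisory in one pass.
icacls $InstallDir /remove:g Everyone /t /c

# 2. Re-grant Everyone Read & Execute only. (OI)(CI) makes the ACE inherit to
#    files and subfolders; /grant:r replaces any remaining Everyone grant
#    instead of adding a second one.
icacls $InstallDir /grant:r "Everyone:(OI)(CI)RX"

# 3. Ensure inheritance is enabled on the directory and that everything below it,
#    GalaxyClientService.exe included, takes its ACL from the parent rather than
#    carrying its own explicit entries. /reset on "$InstallDir\*" leaves the
#    directory's own ACL alone and reapplies inherited ACEs to the children.
icacls $InstallDir /inheritance:e
icacls "$InstallDir\*" /reset /t /c

# 4. Verify against the advisory's output: Everyone should now appear as
#    (OI)(CI)(RX) on the directory and as inherited (I)(RX) on the service
#    binary, with no (F) or (M) entries for Everyone left anywhere.
icacls $InstallDir
icacls "$InstallDir\GalaxyClientService.exe"
```

Because GalaxyClientService.exe is restored to inherited permissions in step 3, any future explicit ACE the installer writes on the file would show up again as an (F) without the (I) flag, which is the line to watch for after updates.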

Timeline

2018-09-10 - Vendor Disclosure
2018-11-29 - Vendor Patched
2019-03-26 - Public Release

Credit

Discovered by Richard Johnson of Cisco Talos.