I reported a serious local privilege escalation flaw in GOG Galaxy Client on April 28, 2020, but my follow-up investigation (detailed below) found the vendor's fix to be insufficient. By updating the proof-of-concept exploit code, it is possible to execute arbitrary commands as SYSTEM in GOG Galaxy Client v2.0.13 through ~~v2.0.15~~ v2.0.19 (the latest as of this writing). GOG did not reply that this issue was officially fixed, although changes were silently made at some point after the v2.0.15 release to stop the provided proof-of-concept tools from working. It is suspected that only minor changes were made to frustrate exploitation; an investigation is ongoing (see update below).

UPDATE (13, 2020 5:11PM): After an investigation, it was found that GOG simply updated the signing key used for verifying messages. This key has been recovered, and the proof-of-concept has been updated with it. This advisory now describes a 0-day vulnerability in GOG Galaxy Client v2.0.19 because GOG did not respond in good faith with a proper patch in 90 days, as per Google's vulnerability disclosure policy (which GOG was made aware of during the initial contact; see Vendor Timeline, below).

UPDATE (10:51PM): GOG released v2.0.20 that claims in the change log, "Security issue fix: Added checks that ensure the loaded." However, it was found that the proof-of-concept tool included in this advisory still works, unmodified. I contacted GOG.com Support to inform them of this, and their response on August 21 was: "The recent update to GOG GALAXY application (2.0.20) is unrelated to your report, it was released to address a different issue." I do not know what different issue this was referring to. Also, the following CVE ID has been assigned to this issue: CVE-2020-24574

## Investigation of Prior Patch

The day before issuing my original advisory on April 28, 2020, I ran the proof-of-concept exploits against the fixed versions (v1.2.67 and v2.0.14). Unfortunately, because GOG never told me the issues were actually fixed on February 27, 2020, I didn't have a chance to do an in-depth follow-up investigation before publishing the advisory. I've since had the chance to look at their fix more deeply.

To start, I looked at the log file at `C:\ProgramData\GOG.com\Galaxy\logs\GalaxyClientService.log` to see if it reports anything when the old exploit is run:

```
15:03:53.503 : Determined sender to be 'C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.7_.0_x64_qbz5n2kfra8p0\python.exe' (PID: 8448)
15:03:53.503 : The sender was not recognized as a trusted client.
15:03:53.503 : Received a forbidden request from an untrusted sender.
```

That's a big hint! It looks like the privileged process, GalaxyClientService.exe, matches the network client's source TCP port number with the executable process that opened the socket. That's how it figures out that the request is coming from the Python interpreter instead of the legitimate client (GalaxyClient.exe). I immediately thought that this check can be circumvented with DLL injection.

## Updating the Proof-of-Concept

Cue hours of re-implementing my Python proof-of-concept in C…
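The following is an added illustration, not code from the advisory or from GOG, of the peer-identification check described above: a privileged local service takes the source TCP port of an incoming connection, finds the PID that owns the client end of that socket (the way `netstat -ano` reports it), resolves the PID to an image path, and compares that path against an allowlist. The `netstat` output, the PID-to-image table, the service port 9978 and the install path of GalaxyClient.exe are all constructed assumptions for the example; only PID 8448 and the python.exe / GalaxyClient.exe names come from the advisory.

```python
"""Model of a "which process owns this TCP port" trust check (added example).

The service side asks: "the request arrived from local port P; which process
holds the socket bound to P, and is its executable one we trust?"  Everything
below is constructed sample data, not GOG's real ports, paths or code.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed `netstat -ano`-style output in the Windows column layout.
# PID 2408 is the (assumed) privileged service listening on port 9978; PID 8448
# owns the client end of one connection, PID 6120 owns another.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9978           0.0.0.0:0              LISTENING       2408
  TCP    127.0.0.1:9978         127.0.0.1:51234        ESTABLISHED     2408
  TCP    127.0.0.1:51234        127.0.0.1:9978         ESTABLISHED     8448
  TCP    127.0.0.1:9978         127.0.0.1:51240        ESTABLISHED     2408
  TCP    127.0.0.1:51240        127.0.0.1:9978         ESTABLISHED     6120
  UDP    0.0.0.0:5353           *:*                                    1120
"""

# Constructed PID -> image path table, standing in for what a service would
# obtain from the OS after opening a handle to the owning process.
PROCESS_IMAGES = {
    2408: r"C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe",  # assumed path
    6120: r"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe",         # assumed path
    8448: r"C:\Python37\python.exe",                                     # constructed
}

# Hypothetical allowlist: only the vendor's client executable is trusted.
TRUSTED_IMAGES = {r"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe"}


@dataclass(frozen=True)
class TcpConn:
    local_port: int
    remote_port: int
    state: str
    pid: int


def _port_of(endpoint: str) -> int:
    """'127.0.0.1:51234' -> 51234 (also handles '[::1]:51234')."""
    return int(endpoint.rpartition(":")[2])


def parse_netstat(text: str) -> list[TcpConn]:
    """Parse TCP rows of `netstat -ano` output; UDP rows and the header are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        conns.append(TcpConn(_port_of(parts[1]), _port_of(parts[2]), parts[3], int(parts[4])))
    return conns


def owner_of_peer(conns: list[TcpConn], service_port: int, peer_port: int) -> Optional[int]:
    """PID owning the client end of the established connection service_port <- peer_port."""
    for c in conns:
        if c.state == "ESTABLISHED" and c.local_port == peer_port and c.remote_port == service_port:
            return c.pid
    return None


def identify_sender(conns, images, service_port, peer_port):
    """Return (pid, image_path) for the peer, or None if the socket owner is unknown."""
    pid = owner_of_peer(conns, service_port, peer_port)
    if pid is None:
        return None
    return pid, images.get(pid)


def is_trusted_sender(image_path: Optional[str], trusted=TRUSTED_IMAGES) -> bool:
    """Allowlist comparison on the image path (case-insensitive, as NTFS paths are)."""
    if image_path is None:
        return False
    return image_path.lower() in {t.lower() for t in trusted}


def check_request(peer_port: int, service_port: int = 9978) -> list[str]:
    """Reproduce the log-style decision for one incoming connection."""
    conns = parse_netstat(NETSTAT_OUTPUT)
    ident = identify_sender(conns, PROCESS_IMAGES, service_port, peer_port)
    if ident is None:
        return ["Could not determine sender; rejecting request."]
    pid, image = ident
    lines = [f"Determined sender to be '{image}' (PID: {pid})"]
    if is_trusted_sender(image):
        lines.append("Sender recognized as a trusted client.")
    else:
        lines.append("The sender was not recognized as a trusted client.")
        lines.append("Received a forbidden request from an untrusted sender.")
    return lines


if __name__ == "__main__":
    for port in (51234, 51240, 60000):
        print("\n".join(check_request(port)), "\n")
```

What the model makes visible is the limit of the check: it establishes which executable image owns the socket, not which code inside that process issued the request. Any code that runs within the trusted client's process (the advisory points at DLL injection) inherits the "trusted" verdict, so process identity of a same-session peer does not on its own form a security boundary for a SYSTEM service; the request itself needs to be authenticated.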