Original Post from Talos Security
Richard Johnson and Tyler Bohan of Cisco Talos discovered these vulnerabilities.
The GOG Galaxy video game launcher contains multiple vulnerabilities that could allow a malicious actor to carry out a variety of attacks. GOG Galaxy Games is a video game storefront that allows users to purchase new games and launch them from their desktop.
In accordance with our coordinated disclosure policy, Cisco Talos worked with GOG to ensure that these issues are resolved and that an update is available for affected customers.
GOG Galaxy Updater Temp directory insecure file permissions local privilege elevation vulnerability (TALOS-2018-0722/CVE-2018-4048)
An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s `Temp` directory. An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges. By default, GOG Galaxy extracts the executables for the automatic update function in a directory that allows anyone on the system to have “full control.” This allows all users to read, write or modify arbitrary files related to the GOG Galaxy Updater Service. The executables include sensitive data, such as a root CA, as well as executables that will be run with SYSTEM privileges once they are installed, allowing an attacker to overwrite them prior to installation to achieve arbitrary code execution with SYSTEM privileges.
GOG Galaxy Games directory insecure file permissions local privilege elevation vulnerability (TALOS-2018-0723/CVE-2018-4049)
An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s “Games” directory. An attacker can overwrite executables of installed games to exploit this vulnerability and execute arbitrary code with elevated privileges. By default, GOG Galaxy installs games in a directory that allows anyone on the system to have “full control.” This allows all users to read, write or modify arbitrary files in the “Games” directory. If the installed games include a privileged installer component, such as a DirectX installer, Visual Studio redistributable, the attack can obtain Administrative access. Users can also elevate to other user accounts by overwriting arbitrary executables.
GOG Galaxy Games changeFolderPermissionsAtPath privilege escalation vulnerability (TALOS-2018-0724/CVE-2018-4050)
An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy Games. An attacker can globally adjust folder permissions leading to the execution of arbitrary code with elevated privileges. The vulnerability arises in the `changeFolderPermissionsAtPath`. This function takes a path as its first argument and changes the permissions of the folder and all files located there to be globally readable writeable and executable. This could allow an attacker to change privileged folders on the file system crossing a privilege boundary and creating an exploitable situation.
GOG Galaxy Games createFolderAtPath privilege escalation vulnerability (TALOS-2018-0725/CVE-2018-4051)
An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can globally create directories and subdirectories on the root file system, as well as change the permissions of existing directories. The vulnerability arises in the `createFolderAtPath`. This function takes a path as its first argument and creates a folder at that location. The function also builds any nested directories that are needed. These directories are owned by a root wheel but have global read write and execute set abilities. This creates a privilege escalation vulnerability, allowing an attacker to modify the root file system.
GOG Galaxy Games fillProcessInformationForPids information leak vulnerability (TALOS-2018-0726/CVE-2018-4052)
An exploitable local information leak vulnerability exists in the privileged helper tool of GOG Galaxy’s Games. An attacker can pass a PID and receive information running on it that would usually only be accessible to the root user. The vulnerability arises in the `fillProcessInformationForPids`. If an attacker passes in values of root processes during this function, sensitive information is returned, creating an information disclosure vulnerability.
GOG Galaxy Games privileged helper denial-of-service vulnerability (TALOS-2018-0727/CVE-2018-4053)
An exploitable local denial-of-service vulnerability exists in the privileged helper tool of GOG Galaxy’s Games. An attacker can send malicious data to the root-listening service, causing the application to terminate and become unavailable. Each function in the privileged helper expects a closure to be passed along for the reply. There is no checking the type or validity of the closure before using it. By passing in a null value, the program responds with a particular stack trace. It may be possible to send in an alternative type for the closure to gain code execution. However, as it is, there is a denial-of-service vulnerability, leading to a lack of availability of resources.
Talos tested and confirmed that GOG Galaxy, version 18.104.22.168 is affected by this vulnerability.
Users are encouraged to update to the latest version of GOG Galaxy Games here as soon as possible in order to avoid these vulnerabilities. As they all come from different functions, there is no one, clear workaround and they can only be fixed through this patch.
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 48433, 48434
Go to Source