Talos Vulnerability Report

TALOS-2018-0723

GOG Galaxy Games directory insecure file permissions local privilege elevation vulnerability

March 26, 2019
CVE Number

CVE-2018-4049

Summary

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s “Games” directory. An attacker can overwrite executables of installed games to exploit this vulnerability and execute arbitrary code with elevated privileges.

Tested Versions

GOG Galaxy 1.2.48.36 (Windows 64-bit Installer)

Product URLs

https://www.gog.com/galaxy

CVSSv3 Score

9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276: Incorrect Default Permissions

Details

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy installs games in a directory that grants the “Everyone” group “Full Control.” This allows all users on the system to read, write or modify arbitrary files in the “Games” directory. If the installed games include a privileged installer component, such as a DirectX installer, Visual Studio redistributable, or some other run-once installer that executes with Administrator permissions, the attack can result in administrative access. Users can also elevate to other user accounts by overwriting executables that those users run.

```
C:\>icacls.exe "C:\Program Files (x86)\GOG Galaxy\Games"
C:\Program Files (x86)\GOG Galaxy\Games Everyone:(F)
                                        Everyone:(OI)(CI)(IO)(F)
                                        NT SERVICE\TrustedInstaller:(I)(F)
                                        NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                        BUILTIN\Users:(I)(RX)
                                        BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                        CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                        APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                        APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\>icacls.exe "C:\Program Files (x86)\GOG Galaxy\Games\Wizardry 6"
C:\Program Files (x86)\GOG Galaxy\Games\Wizardry 6 Everyone:(I)(F)
                                                   Everyone:(I)(OI)(CI)(IO)(F)
                                                   NT SERVICE\TrustedInstaller:(I)(F)
                                                   NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                   NT AUTHORITY\SYSTEM:(I)(F)
                                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                   BUILTIN\Administrators:(I)(F)
                                                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                   BUILTIN\Users:(I)(RX)
                                                   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                   SPRITE\rjohnson:(I)(F)
                                                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                                   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                                   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
```

Mitigation

Users of GOG Galaxy can replace the “Full Control” permission with “Read and Execute” for the “Everyone” group on the GOG Galaxy “Games” directory and ensure all file system objects below that path inherit from the parent directory.
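A PowerShell script that audits the “Games” tree for ACEs giving broad principals write access and, with `-Fix`, applies the mitigation above (Everyone reduced to Read and Execute, every object below inheriting from the parent). It is an added example, not part of the Talos advisory or of GOG’s own tooling; it assumes the default install path shown in the listings and must run from an elevated prompt.

```powershell
# Added example (not from the advisory or GOG): audit the GOG Galaxy "Games" tree for ACEs that let
# any local user write, then optionally apply the advisory's mitigation. Assumes the default install
# path from the advisory; run elevated.
param(
    [string]$GamesDir = 'C:\Program Files (x86)\GOG Galaxy\Games',
    [switch]$Fix   # audit only unless -Fix is given
)

# Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE: every local user belongs to these.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

# Rights that change content or permissions: WriteData, AppendData, WriteEA, Delete, WriteAttributes,
# DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, plus GENERIC_WRITE and GENERIC_ALL
# (generic bits show up as raw numbers on inherited ACEs such as the (GR,GE) entries in the listing).
$WriteMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-AceSid([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    # Compare by SID so the check also works on localized Windows, where "Everyone" is renamed.
    $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-WeakAce([string]$Path) {
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $BroadSids -notcontains (Get-AceSid $ace)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function Repair-GamesAcl([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    # Replace the explicit Everyone (F) entries with one Read & Execute ACE that propagates downward.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited -and (Get-AceSid $_) -eq 'S-1-1-0' })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $rx = [System.Security.AccessControl.FileSystemAccessRule]::new('Everyone', 'ReadAndExecute',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rx)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Re-enable inheritance below and drop stale explicit ACEs so children carry only what the parent grants.
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $child = Get-Acl -LiteralPath $_.FullName
        $child.SetAccessRuleProtection($false, $false)
        foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) { [void]$child.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $_.FullName -AclObject $child
    }
}

$items = @(Get-Item -LiteralPath $GamesDir) + @(Get-ChildItem -LiteralPath $GamesDir -Recurse -Force)
$weak = @($items | ForEach-Object { Get-WeakAce $_.FullName })
$weak | Format-Table -AutoSize
if ($Fix -and $weak.Count -gt 0) { Repair-GamesAcl $GamesDir }
```

Run it once without `-Fix` to see which objects still grant write access, then again with `-Fix`; a second audit pass should report nothing.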

Timeline

2018-11-20 - Vendor Disclosure
2019-03-14 - Vendor Patched
2019-03-26 - Public Release

Credit

Discovered by Richard Johnson of Cisco Talos.