PoC status update #1
Comments
|
This makes me really sad. I really really liked the application, but until they take security seriously I don’t want to re-install. I can’t believe how long it has taken them to fix this. Unless of course they are just ignoring it. |
|
....Just in case anyone was wondering, the PoC still works on GOG
Galaxy 2.0.35 (last tested as of time of wriitng this). [...] CVE-
2020-24574 is alive and well, yet.
I was wondering if they had fixed this yet. Thanks for testing it and
letting me know!
…--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
|
|
Apparently there is a new beta out today that mentions: [Windows] Security fix for possible dll load order hijacking 2.0.37 Beta (March 29, 2021) Any ideas if this is the fix we have been waiting for? |
|
This has not been fixed. I tested it right now on the latest version of GOG Galaxy. I believe another security notice is in order, since it has been over a year and lo and behold it still works. |
|
Wow. I'm amazed that it hasn't been fixed!
I'm trying to think of what else I can do. I already posted this on
/r/netsec on Reddit last year. It got some good attention at the time
(but not enough, I guess).
I don't have a big social media presence, so ringing the bell again
won't help. Perhaps we could get someone with lots of followers to
make it known that this isn't fixed?
|
|
They don’t seem to care to fix this and I unfortunately gave up on galaxy a long time ago and this was a big reason. There were a couple other minor issues that they don’t seem to care to fix so I had to move in. It’s really a shame as the application is super useful otherwise. Even if you get some more eyes on the issue I would be surprised if it was fixed. |
|
This is truly unbelievable for a company of that size. I bailed a good long while ago for playnite (no regrets) but...how many people are just running around unaware with a wide-open, well-known local privilege escalation just...there? I figure the odds are high at this point that someone is exploiting this, no? |
|
The odds are extraordinarily high that someone is exploiting this in the wild. Considering it's a very easy attack vector, if you have a malicious program running on your computer with GOG Galaxy 2.0 installed, it's a 2 second injection that grants full administrator privileges. Like @jtesta said in his original article, "Unfortunately, due to the vulnerabilities I’ve discovered in GalaxyClientService, all user accounts are effectively administrators." This statement is true, and it appears that GOG doesn't care. I made a Reddit post that gained a decent amount of traction, including a response by a GOG rep. His response was almost identical to the one issued to jtesta, and shows no real danger or concern. They're basically saying "yeah we'll fix it eventually, it's not serious guys don't worry!" |
|
I'm currently sending a message to MITRE to get the version updated on the CVE at the minimum.
(narrator: they didn't) |
|
Oh, geez, its worse than I thought
that "e.g. physically" bit is insanely irresponsible. |
|
lmao so apparently there's two more priv. escalation things that they haven't even bothered to address https://daniels-it-blog.blogspot.com/2020/07/gog-galaxy-escalation-of-privileges.html these are basically the same bug-admittedly slightly less bad as they require user interaction-but good lord what a mess |
|
I'm currently writing a reply to the rep trying to indicate how serious this issue is. Thanks for finding that other privilege escalation issue. I also realized that the service is run with, not administrator, but SYSTEM privileges! This is absolutely ridiculous and insane to me, especially considering it's been over a year. |
|
happy 2022, gog still hasn't fixed their shit |
|
LOL, yup I have given up on it. Went back to steam and adding non steam shortcuts manually :/ |
|
not to shill, but i've been using playnite. does similar stuff w/ integration and also doesn't turn your computer into swiss cheese. |
|
oh cool it's broken and exploitable on Mac OS as well. 3 years later (and these guys also gave GOG a years notice) |
....Just in case anyone was wondering, the PoC still works on GOG Galaxy 2.0.35 (last tested as of time of wriitng this). Just compiled and tested it and was able to create a local user and add them to the local administrators group on a testbed system.
GOG has yet to fix the underlying issue, it seems. CVE-2020-24574 is alive and well, yet.
The text was updated successfully, but these errors were encountered: