GOG Galaxy Client Privilege Escalation Module #13444
This should probably be implemented as a

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Hi Grant. Nope, I haven't gotten a CVE yet. Aside from @todb-r7, how
would one go about reserving one nowadays? Many moons ago, I would
contact Steve Christey from the CVE project directly... is that still a
thing?
On 5/13/20 10:34 AM, Grant Willcox wrote:
@jtesta <https://github.com/jtesta> Hello Joe, have you gotten a CVE for
this bug yet? If not @todb-r7 <https://github.com/todb-r7> might be able
to assist.
--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
So, I'm probably the easiest path for Metasploit stuff like this, but you're welcome to do it yourself at the CVE Request form, here: https://cveform.mitre.org/ (Doesn't look like GOG is a CNA). Let me know if you want to do it yourself, or let me. I'm happy to assign one of R7's research CVEs to this (with you listed as the discoverer, of course). As an aside, I saw in your writeup a screenshot of the private key you extracted from the binary. Would you mind contributing that to https://github.com/rapid7/ssh-badkeys ? That's basically the naughty step for misbehaving keys.
Sure, you can make the CVE. And thanks for the info... next time I'll
reserve it myself to make things easier.
Regarding the private key extracted from the binary: it's only used for
generating HMAC-512 tags, not for SSH. Would it still be appropriate to
submit it to the ssh-badkeys repo in that case?
On 5/13/20 11:05 AM, Tod Beardsley wrote:
Hi Grant. Nope, I haven't gotten a CVE yet. Aside from @todb-r7
<https://github.com/todb-r7>, how would one go about reserving one
nowadays?
So, I'm probably the easiest path for Metasploit stuff like this, but
you're welcome to do it yourself at the CVE Request form, here:
https://cveform.mitre.org/ (Doesn't look like GOG is a CNA).
Let me know if you want to do it yourself, or let me. I'm happy to
assign one of R7's research CVEs to this (with you listed as the
discoverer, of course).
As an aside, I saw in your writeup a screenshot of the private key you
extracted from the binary. Would you mind contributing that to
https://github.com/rapid7/ssh-badkeys ? That's basically the naughty
step for misbehaving keys.
Oh maybe https://github.com/BenBE/kompromat is more appropriate for this. If you like. Editing now to include the CVE!
Freshly reserved! Not populated yet!

@jtesta I'm just a fan of over-sharing compromised keys, just in case they show up somewhere else. Distributed private keys should be double-tap killed.
As @bcoles suggested, I moved the module into Documentation has been added as well. Does this PR need anything else?
@jtesta Your documentation needs proper instructions on where to get the vulnerable versions as well as how to set them up. Also your section You can refer to @h00die's PR at https://github.com/rapid7/metasploit-framework/pull/13470/files for an example of how this should be formatted. Note the installation steps he provides, as well as the additional

For your installer steps I took the liberty of finding some appropriate downloads from GOG Galaxy's official servers. They are: https://cdn.gog.com/open/galaxy/client/setup_galaxy_1.2.64.2.exe

Given that the version number is a 4 part number, not a 3 part number, I would recommend updating your documentation to be more specific as to the versions affected. For example I couldn't find 1.2.64.0, nor could I find 1.2.64.1, so this is something that maybe should be considered in your explanation, whereby you could just say something like

Otherwise looks good from an initial glance through, but will need to dive into this one deeper to check for additional issues.

Please update the module to use Metasploit payloads rather than commands specified in module options. This will also require specifying the appropriate Optionally, you can also add a second
Hi @jtesta, I really enjoyed your writeup on this vulnerability! Just installed the client on a Windows machine, tested out your module, and it works great. As for making the suggested changes, will you have any bandwidth anytime soon? If not, I'd be happy to assist and get your module across the finish line. Thanks!
@space-r7 Glad you enjoyed the write-up! Unfortunately, I'm busy at the moment, but if you were able to help brush this up for merging, that would be great!

Can do! Thanks so much!
Didn't have much luck with adding an

Release Notes
The GOG GalaxyClientService Privilege Escalation module that targets vulnerable versions of the gaming software known as GOG Galaxy Client. The
@space-r7 Thank you so much for taking the lead on this and getting it merged! |
No problem! Thank you for the module!
Verification
List the steps needed to make sure this thing works:
- run `post/windows/escalate/gog_galaxyclientservice_privesc`
- check that `newadmin` was created