TECH NEWS – For a long time, CD Projekt’s digital store client GOG Galaxy had a serious security vulnerability!

The NVD, or the National Vulnerability Database, archived the vulnerability in August 2020, allowing any user to gain System-level access. A user can inject DLLs into the GOG Galaxy client and become an admin of the interface, thus enabling further attacks, as all Galaxy-installed PCs can be accessed this way!

The official description of NVD reads, “The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based “trusted client” protection mechanism.”

Joseph Testa, the founder of Positron Security (also a white-hat hacker), discovered the vulnerability in January 2020. Almost TWO YEARS ago! To this, GOG responded in a statement that they would fix this with an update… which only changed the signing key that verifies messages, and the vulnerability is still active as it was before. It was also reported as a 0-day vulnerability in the GOG Galaxy client. Testa also published a detailed analysis of the vulnerability, including his communication with GOG customer support.

Quoting his post: “GOG.com Support replied with: “I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.” Because this sounded like GOG was not taking the issue seriously, I responded with: “It is indeed true that an attacker must have low-privilege access to the machine already. But the problem is that this can be escalated into Administrator rights by abusing the GalaxyClientService software. […] Local privilege escalation (LPE) is a serious vulnerability. GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from a full system compromise. Unfortunately, due to the vulnerabilities I’ve discovered in GalaxyClientService, all user accounts are effectively administrators.””

GOG then asked Testa for three months to fix it, which of course, hasn’t been done, even though it could have been done several times since early 2020. According to a thread on Reddit, “My major concern is people assume that, since it has been so long past the 3-month timeline the developers proposed for a fix, that it has been fixed. Hell, why would a development team not fix something like this in their software? Too bad this is not the case, and your system is still vulnerable if you have GOG Galaxy 2.0 installed.” And GOG wrote this statement to WCCFTech: “We’re aware of the security issue in GOG GALAXY, and we confirm that the works on the fix are ongoing. It turned out to be a very complex matter and require changes made to the client’s design itself. We will always inform users about the fix in the GOG GALAXY changelog once the patch is deployed. Furthermore, we want to reassure everyone that security topics are important to us, and we take all of them seriously.”

Not so much if it’s still there after two years. Testa has also published a proof-of-concept of the vulnerability on Github, of course, somewhat cut back: all it can achieve is to crash the client. That said, it seems that CD Projekt is not closing on a high note this year after last year’s Cyberpunk fiasco…

Source: WCCFTech