Forum: Are you aware of this public known security issue?

From nvd.nist.gov/vuln/detail/CVE-2020-24574

Current Description
The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based "trusted client" protection mechanism.

The proof-of-concept GitHub repository, in case someone wants to replicate the issue (and/or play the hacker in RL...):
github.com/jtesta/gog_galaxy_client_service_poc

I just realized this problem thanks to reaver894
posting a link to

youtube.com/watch?v=wNYnAgNACnk

--Your thoughts?--

My thoughts about opening a support ticket asking for answers: I will NOT, because:
-My personal experience with GOG tickets is that they never attend to them (they never answer at all and close them without any shame)
-I do not use GOG Galaxy

But, if there is a goodwill pilgrim with better luck/relations with support who is disposed to take it for the team, thanks in advance!
tag+: opening a support ticket
Try it! They've put a nonfunctional chatbot there as a gatekeeper.
It seems the gist of it is that through GOG Galaxy, a limited user account can become an administrator account.

GOG are already aware, as you can see from the one open ticket on the above POC, in particular this comment from September 26.

Personally, I don't see the sense in opening a support ticket for an issue they know about. In the past, the response has been "This is a known issue, but there's no ETA on a fix" after which nothing happens months later. In this case, it looks like this has been going on for over a year, not counting similar vulnerabilities that are apparently still not patched.

The current version is 2.0.44.218 but I don't see anything related to this in the change log since the aforementioned version. The latest version boasts better Epic Store integration, which may reveal something about GOG's priorities, or maybe I'm too cynical. I'm attaching a screenshot, since the change log on the site is outdated.
Attachments:
gg_2044.png (29 Kb)
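Since the first post quotes the NVD affected range ("through 2.0.41") and the post above names the current build 2.0.44.218, here is a small version-triage check as an added example; it is not code from the thread, from GOG, or from the linked proof of concept. It assumes only the NVD wording (every version up to and including 2.0.41 is listed as affected) and treats the change-log flag as a constructed input, which matters because a build newer than the listed range is not automatically a fixed one:

```python
"""Version triage for the affected range quoted from the NVD entry above.

Added example, not code from the thread, GOG, or the linked PoC. It assumes
only the NVD wording "GOG GALAXY through 2.0.41" (every version up to and
including 2.0.41 is affected) and the version string 2.0.44.218 mentioned
in the thread; the changelog_mentions_fix flag is a constructed input.
"""
from typing import Tuple

# Last affected version, taken from the NVD description quoted in the first post.
LAST_AFFECTED = "2.0.41"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '2.0.44.218' into (2, 0, 44, 218).

    Each component must be numeric. Comparing the raw strings would sort
    '2.0.5' after '2.0.41', which is the classic mistake this avoids.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 2.0.41 == 2.0.41.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_in_affected_range(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """NVD's 'through X' means every version <= X is listed as affected."""
    return compare_versions(parse_version(installed), parse_version(last_affected)) <= 0


def triage(installed: str, changelog_mentions_fix: bool) -> str:
    """Classify an installed build for a defender's software inventory.

    A build newer than the last listed affected version is not automatically
    fixed: NVD records the range known at publication time, so without a
    vendor note about the fix the honest status is 'unconfirmed'.
    """
    if is_in_affected_range(installed):
        return "affected"
    if changelog_mentions_fix:
        return "fixed"
    return "unconfirmed"


if __name__ == "__main__":
    # Constructed inputs: versions from the thread, and no fix noted in the change log.
    for version in ("2.0.41", "2.0.40.5", "2.0.44.218"):
        print(version, "->", triage(version, changelog_mentions_fix=False))
```

The point of the `triage` function is the third state: with the change log silent about this issue, 2.0.44.218 can only be recorded as "unconfirmed", not "fixed", until the vendor says otherwise.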
low rated
This is old news and frankly, since Galaxy is smaller-scale and less used than Steam and other major clients, I don't think we have much to worry about unless you happen to download something that is specifically targeted at Galaxy users (which is unlikely). GOG should certainly fix it but there's probably a very low risk of actual problems for the average user.
low rated
Yeah, I knew this one, it is not a biggie.
Very hard to exploit, as you probably need normal user access.
Can be done with many other apps.
tag+: opening a support ticket
fronzelneekburm: Try it! They've put a nonfunctional chatbot there as a gatekeeper.
Yeah, it looks like GOG degrades in every way possible, sadly :(
Post edited December 15, 2021 by Orkhepaj
tag+: --Your thoughts?--
It's mostly a non issue.

For this security issue to be used, it needs somebody to be able to gain access to your file system / OS; if they do, then you already have a much bigger issue than Galaxy.

While it's something that needs to be fixed, I understand why it's not a priority.
low rated
tag+: --Your thoughts?--
Gersen: It's mostly a non issue.

For this security issue to be used, it needs somebody to be able to gain access to your file system / OS; if they do, then you already have a much bigger issue than Galaxy.

While it's something that needs to be fixed, I understand why it's not a priority.
I second that
high rated
JakobFel: I don't think we have much to worry about unless you happen to download something that is specifically targeted at Galaxy users (which is unlikely).
You couldn't be more wrong. Privilege escalation is a real problem, because it means you're effectively trusting every single piece of code you run with administrator privileges, which means anything that runs ***can do anything***!

It's hard to overstate how bad this is. The attacker doesn't need physical access and doesn't need a direct connection. They just need to get you to run any code whatsoever with a side effect that targets GOG Galaxy and then they own your whole system. Do you really trust every single bit of code on every app on your system THAT MUCH? You shouldn't!

This is so bad that the responsible thing here would be to stop offering the GOG Galaxy client for download altogether until this is fixed. What CD Projekt Red has done here by continuing to distribute insecure software is really inexcusable. It makes their customers' systems vulnerable and seems like the sort of thing that is very likely to end in a massive class action lawsuit which could bankrupt the company.

It makes me sad because I hate DRM and want GOG to succeed.

Also, until and unless this is fixed, if any anti-malware applications including Windows Defender start identifying vulnerable GOG Galaxy versions as a "potentially malicious app" then they aren't wrong.

(later edit) Just for clarity: An app allowing to run unsigned DLLs is not inherently a security vulnerability. Users being able to run unsigned code such as in DLLs is a good thing because it means they get to decide what does and does not run on their system. I have no problem with that and don't want the "walled garden" world of signed-code-only systems.

The problem is the PRIVILEGE ESCALATION. The unsigned code should be able to run, but NOT WITH ADMINISTRATOR PRIVILEGE.
Post edited December 15, 2021 by BenMcLean
BenMcLean: It's hard to overstate how bad this is. The attacker doesn't need physical access and doesn't need a direct connection. They just need to get you to run any code whatsoever with a side effect that targets GOG Galaxy and then they own your whole system. Do you really trust every single bit of code on every app on your system THAT MUCH? You shouldn't!
If an attacker managed to get you to run some suspect code on your PC, you are usually already screwed unless your anti-virus blocks it; most of the stuff you download and run requires admin privilege to install. If people want to take full control of your PC, they usually do it at that step; they don't need to rely on some Galaxy flaw to be able to do so.
Does GOG even have an infosec person on staff?
low rated
JakobFel: I don't think we have much to worry about unless you happen to download something that is specifically targeted at Galaxy users (which is unlikely).
BenMcLean: You couldn't be more wrong. Privilege escalation is a real problem, because it means you're effectively trusting every single piece of code you run with administrator privileges, which means anything that runs ***can do anything***!

It's hard to overstate how bad this is. The attacker doesn't need physical access and doesn't need a direct connection. They just need to get you to run any code whatsoever with a side effect that targets GOG Galaxy and then they own your whole system. Do you really trust every single bit of code on every app on your system THAT MUCH? You shouldn't!

This is so bad that the responsible thing here would be to stop offering the GOG Galaxy client for download altogether until this is fixed. What CD Projekt Red has done here by continuing to distribute insecure software is really inexcusable. It makes their customers' systems vulnerable and seems like the sort of thing that is very likely to end in a massive class action lawsuit which could bankrupt the company.

It makes me sad because I hate DRM and want GOG to succeed.

Also, until and unless this is fixed, if any anti-malware applications including Windows Defender start identifying vulnerable GOG Galaxy versions as a "potentially malicious app" then they aren't wrong.

(later edit) Just for clarity: An app allowing to run unsigned DLLs is not inherently a security vulnerability. Users being able to run unsigned code such as in DLLs is a good thing because it means they get to decide what does and does not run on their system. I have no problem with that and don't want the "walled garden" world of signed-code-only systems.

The problem is the PRIVILEGE ESCALATION. The unsigned code should be able to run, but NOT WITH ADMINISTRATOR PRIVILEGE.
Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
JakobFel: Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
Like what? Releasing the most anticipated game in a long time and have hackers grab all your files?

or

1. Release game on gog which targets this.
2. Claim any antivirus alerts are false positives.
3. Use galaxy exploit.
4. ???
5. Profit.
low rated
BenMcLean: This is so bad that the responsible thing here would be to stop offering the GOG Galaxy client for download altogether until this is fixed. What CD Projekt Red has done here by continuing to distribute insecure software is really inexcusable. It makes their customers' systems vulnerable and seems like the sort of thing that is very likely to end in a massive class action lawsuit which could bankrupt the company.

It makes me sad because I hate DRM and want GOG to succeed.
All the more reason for GOG to stop offering its proprietary client.
low rated
Thanks for sharing your thoughts folks.

What worries me the most is that nobody here talks about the loooong time GOG has been aware of the issue, their broken promises to fix it (or their proven incompetence when the security expert told them their fix did not work) and the outstanding period of time without a solution... Another priority item on GOG's to-do list...

Maybe those are not issues but "features", and the one who is wrong is me! :(
I have not adapted to these things happening all over the place with very few customers worried about them.
I keep thinking really hard about it.
JakobFel: Again, unless you downloaded a trojan specifically targeted at this vulnerability (something that's very unlikely to happen), that won't happen. Even if it did, as Gersen said, you have bigger things to worry about in that case.
I don't understand.

Why the hell would this be unlikely to happen?

It seems EXTREMELY likely to happen!!

Anyways, for the time being, I've uninstalled GOG Galaxy and will just be using the offline backup installers exclusively until this is fixed. If I really need multiplayer through the Galaxy client then I'll have to install it just during each session and uninstall immediately afterwards I guess.
Post edited December 15, 2021 by BenMcLean