GOG Galaxy - Escalation of Privileges incl. Code Execution
Product: GOG Galaxy Client for Windows
Version: 2.0.17
Tested on: Windows 10 Pro 2004 x64
Vendor informed: Not yet
PoC: This blog post
CVE: CVE-2020-15528 / CVE-2020-15529
As mentioned in one of my previous posts, I like old computer games. During the COVID-19 crisis many companies offered free games. One of these companies is GOG. Because I like old games and they were free, I played a few of them. To play these games I used GOG Galaxy, GOG's counterpart to Steam but without DRM. After some hours of good old retro gaming I looked at the GOG Galaxy client window and decided to do a quick analysis of the client. Let's take a look at GOG Galaxy version 2.0.17 from a hacker's point of view:
GOG uses client software called "GOG Galaxy", sometimes also called "GOG Galaxy 2.0". This software is used to manage games, chat with friends etc. (like Steam, Origin etc.). GOG offers several free games; some of them are demo versions, some are good old classic games and others are brand new blockbusters. In this post I will describe my findings in the Galaxy client. My findings for GOG's DOSBox need a separate post because they would be too much for only one post.
GOG Galaxy Client
When the GOG Galaxy client (GC) is installed, a service called "GalaxyClientService" is installed as well. This service runs as "NT AUTHORITY\SYSTEM".
GC interacts with this service to delegate tasks like installing games, applying updates etc.
By default GC is installed under "C:\Program Files (x86)\GOG Galaxy". Some files/folders can be modified by regular users, others cannot. For example a user can modify the "Games" folder [No.1] but not the plugins folder [No.2]:
When the user installs a game it is installed (by default) in the "Games" folder. It makes sense that users can modify this folder because games generate savegames, config files etc. and usually do not run elevated.
In this example I installed the game "Stargunner", which is free and also has a small installation size.
During the installation I discovered that a file called "scriptinterpreter.tmp" was also created and executed elevated:
This file was also placed under "C:\Program Files (x86)\GOG Galaxy\Dependencies\__redist\ISI" and can be modified by the user.
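The permission checks above were done by hand in Explorer. The following script is an added example (not code from the original post or from GOG) that does the same check for every directory, executable, DLL and .tmp file under the GOG Galaxy install root, for the ISI redist folder and for the binaries of the installed Galaxy services, reporting every object that a low-privileged identity can write to. The install root, the ISI folder and the GalaxyCommunication.exe path are the ones named in this post; the group list, the rights mask and the function names are my own assumptions.

```powershell
# Added example, not code from the original post or from GOG: list GOG Galaxy paths that
# low-privileged users may modify. The install root, the ISI redist folder and the
# GalaxyCommunication.exe path come from the post; everything else here is assumed.
$InstallRoot = 'C:\Program Files (x86)\GOG Galaxy'
$ExtraPaths  = @(
    'C:\Program Files (x86)\GOG Galaxy\Dependencies\__redist\ISI',
    'C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe'
)

# Identities every interactive standard user holds; a write-capable Allow ACE for one of
# these means a standard user can plant or overwrite the object.
$LowPrivGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, overwriting or deleting: WriteData/CreateFiles (0x2),
# AppendData/CreateDirectories (0x4), DeleteSubdirectoriesAndFiles (0x40), Delete (0x10000),
# plus the generic GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that
# Get-Acl reports as raw numbers instead of enum names.
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x10000000 -bor 0x40000000

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $WriteMask) { return $true }
    }
    return $false
}

function Get-GogServiceBinaries {
    # Binary paths of installed services whose command line references Galaxy
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'Galaxy' } |
        ForEach-Object {
            if ($_.PathName -match '^"([^"]+)"')     { $Matches[1] }   # quoted image path
            elseif ($_.PathName -match '^(\S+\.exe)') { $Matches[1] }   # unquoted path without spaces
        }
}

function Get-GogWritablePaths {
    $targets = @($InstallRoot) + $ExtraPaths + @(Get-GogServiceBinaries)
    if (Test-Path -LiteralPath $InstallRoot) {
        $targets += Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -or $_.Extension -in @('.exe', '.dll', '.tmp') } |
            ForEach-Object { $_.FullName }
    }
    $targets | Sort-Object -Unique |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        ForEach-Object {
            [pscustomobject]@{ Path = $_; LowPrivWritable = Test-LowPrivWritable -Path $_ }
        } |
        Where-Object { $_.LowPrivWritable }
}

Get-GogWritablePaths | Format-Table -AutoSize
```

Run it as the standard (non-admin) user whose rights you want to assess. The check only looks at Allow ACEs for well-known low-privileged groups; it ignores Deny ACEs and ACEs granted to a specific user account, so for anything it flags, confirm by actually creating a file there or by comparing with `icacls`.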
Now the attacker has different options:
1. Evil Game:
The attacker replaces the game executable with a malicious one. Because the game folder can be modified, this is no challenge. To avoid a UAC prompt and still run the evil game executable elevated, the attacker has to make GC run the file. This is achieved in the following way:
The attacker replaces the game executable. In the case of "Stargunner" it is DOSBox that has to be replaced, because "Stargunner" itself will not run on a modern OS.
Note that the evil version of DOSBox requires administrative (elevated) rights to run, so running this file directly results in a suspicious UAC prompt like this:
To avoid this the attacker can use a feature of GC that runs games via GC instead of executing the file directly. This happens when the user clicks the "Play" button in GC or opens the shortcut on the desktop:
When we check the desktop shortcut we can see that a command is used to start the game via the GOG Galaxy client:
"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /command=runGame /gameId=1207659693 /path="C:\Program Files (x86)\GOG Galaxy\Games\Stargunner"
This command tells GC to start the game with ID 1207659693, which is "Stargunner" in this case. The ID can also be found in the file "C:\ProgramData\GOG.com\Galaxy\storage\etags-updater.db", which can be read with tools like SQLite Browser. So all the attacker has to do now is run "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /command=runGame /gameId=1207659693 (the /path argument is not needed) to execute the evil version of DOSBox. Running the command instead of hoping that the user clicks "Play" has the advantage that it works even if GC is not running: after the command is executed, GC starts and tells the service to execute evil DOSBox. No UAC prompt is shown and the evil version of DOSBox runs elevated.
An attacker can stop here because code has already been executed elevated, but the attacker can also modify the registry autostart entry for GC:
The attacker now modifies this registry key to "C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /command=runGame /gameId=1207659693 so that evil DOSBox is executed at every user login:
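The modified autostart entry is easy to spot once you know what to look for: a GalaxyClient.exe Run-key value carrying /command=runGame hands whatever binary sits in the game folder to the SYSTEM service at every logon. The script below is an added example (not code from the original post or from GOG) that parses such command lines and lists matching entries in the user and machine Run keys. The runGame syntax is the one shown in this post; the assumption that a normal GalaxyClient autostart carries no /command=runGame argument, the function names and the sample values are my own.

```powershell
# Added example, not code from the original post or from GOG: find autostart entries that make
# GalaxyClient.exe launch a game at logon. The runGame syntax is taken from this post; the
# assumption that a normal GalaxyClient autostart has no /command=runGame argument is mine.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function ConvertFrom-GalaxyRunCommand {
    # Parse one Run-key value; returns $null for command lines that do not start GalaxyClient.exe
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    if ($CommandLine -notmatch 'GalaxyClient\.exe') { return $null }
    $cmd    = if ($CommandLine -match '/command=(\S+)')  { $Matches[1] } else { $null }
    $gameId = if ($CommandLine -match '/gameId=(\d+)')   { $Matches[1] } else { $null }
    $path   = if ($CommandLine -match '/path="([^"]+)"') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Command     = $cmd
        GameId      = $gameId
        GamePath    = $path
        Suspicious  = ($cmd -eq 'runGame')   # GC hands the game binary to the SYSTEM service
        CommandLine = $CommandLine
    }
}

function Get-GalaxyAutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... provider metadata
            $parsed = ConvertFrom-GalaxyRunCommand -CommandLine ([string]$prop.Value)
            if ($null -ne $parsed) {
                $parsed | Add-Member -NotePropertyName Key  -NotePropertyValue $key -PassThru |
                          Add-Member -NotePropertyName Name -NotePropertyValue $prop.Name -PassThru
            }
        }
    }
}

# Constructed sample values (not taken from a real system) so the parser can be exercised offline:
# a plain client autostart, the runGame variant from this post, and an unrelated entry.
$Samples = @(
    '"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe"',
    '"C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe" /command=runGame /gameId=1207659693',
    'C:\Windows\System32\SecurityHealthSystray.exe'
)
$Samples | ForEach-Object { ConvertFrom-GalaxyRunCommand -CommandLine $_ } |
    Format-Table Suspicious, Command, GameId, CommandLine -AutoSize

# Live check of the current machine
Get-GalaxyAutostartEntries | Where-Object { $_.Suspicious } | Format-List
```

Only the second sample is reported as suspicious; the first parses with an empty Command and the third is skipped. For the live check, any flagged entry should be followed by the ACL check on the game folder the gameId resolves to, because the entry is only dangerous if a standard user can replace the binary GC will launch.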
2. Evil Uninstall
This method can also be used to place a malicious uninstaller. An attack can look like this:
The local attacker replaces the uninstaller in a game folder:
When the user uninstalls the game...
3. Evil Repair
As described at the beginning of this post, the file "scriptinterpreter.exe" was created during the installation. This file can be modified by regular users, but it cannot simply be replaced with a malicious one: when it is executed via the "GalaxyClientService" service, it is downloaded and overwritten every time. However, this can also be bypassed to run a malicious version. This has the advantage (compared to "Evil Game") that the game will still run as expected. It can be exploited in the following way:
The attacker damages the game by deleting one (or more) game files. In the case of "Stargunner" I deleted the main executable "STARGUN.EXE", so the game does not work anymore and DOSBox closes directly after one second. The easiest and also most common way of fixing this is running the "Verify/Repair" option in GC:
As mentioned earlier, "scriptinterpreter.exe" is downloaded and recreated every time, so it cannot simply be replaced and the replaced file executed. However, with the help of opportunistic locks (oplocks) the attacker can still replace it.
The attacker sets an oplock on "C:\Windows\SysWOW64\winsta.dll". When the user runs the "Verify/Repair" option the oplock is triggered, and because the process that opened the DLL is held until the oplock is released, the attacker has time to replace "scriptinterpreter.exe" with a malicious one:
Now the attacker releases the lock and "scriptinterpreter.exe" will be executed elevated:
4. Evil Install
The same method can also be used when games are installed: the attacker sets the oplock; the oplock is triggered by the game installation; once it is triggered, "C:\Program Files (x86)\GOG Galaxy\Dependencies\__redist\ISI\scriptinterpreter.exe" is replaced by a malicious one; once the oplock is released, "scriptinterpreter.exe" is executed elevated.
5. Evil Service
Last but not least: a local attacker can use one of the methods described above to gain elevated rights. After that the attacker replaces the "GalaxyCommunication" service executable ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") with a malicious one:
Now the attacker only needs to start the service and the malicious "C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe" is executed as "NT AUTHORITY\SYSTEM". Because the replacement itself already requires elevated rights, this step is persistence rather than an additional escalation.
Personal Note: I really like DRM free games. I also really like GOG (I bought many games at GOG)! I can fully understand that GOG also needs a game client to keep up with steam, origin and so on. But I haven't found so many vulnerabilities in only one software so far! I really hope that GOG will fix these issues and will provide patches soon. However my experience when reporting vulnerabilities is: Company/Vendor says "there is no vulnerability" or "We are aware of this and don't see an issue here" or "We will provide a patch if necessary" or they just don't reply. Also only a few companies have a bug bounty program and if you submit a bug you get "we are aware of this because somebody already reported it" but you will never see a fix for the vulnerability instead they provide new "features". We are living in a crazy world...