CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
20.2%
An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s Temp
directory. An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges.
Gog Galaxy 1.2.48.36 (Windows 64-bit Installer)
<https://www.gog.com/galaxy>
9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-276: Incorrect Default Permissions
GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy extracts the executables for the automatic update function in a directory that allows anyone on the system to have “full control.” This allows all users to read, write or modify arbitrary files related to the GOG Galaxy Updater Service. The executables include sensitive data, such as a root CA, as well as executables that will be run with SYSTEM privileges once they are installed, allowing an attacker to overwrite them prior to installation to achieve arbitrary code execution with SYSTEM privileges.
Successfully processed 1 files; Failed processing 0 files
C:>dir “C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater” Volume in drive C has no label. Volume Serial Number is DEC6-C1D3
Directory of C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater
11/09/2018 03:10 PM
. 11/09/2018 03:10 PM .. 11/06/2018 12:11 PM 152,648 expat.dll 11/06/2018 12:11 PM 1,487,944 GalaxyUpdater.exe 11/06/2018 12:11 PM 1,273,416 libeay32.dll 11/06/2018 12:11 PM 426,568 pcre.dll 11/06/2018 12:11 PM 157,256 PocoCrypto.dll 11/06/2018 12:11 PM 1,856,072 PocoData.dll 11/06/2018 12:11 PM 387,656 PocoDataSQLite.dll 11/06/2018 12:11 PM 1,656,392 PocoFoundation.dll 11/06/2018 12:11 PM 327,752 PocoJSON.dll 11/06/2018 12:11 PM 1,071,176 PocoNet.dll 11/06/2018 12:11 PM 306,248 PocoNetSSL.dll 11/06/2018 12:11 PM 503,368 PocoUtil.dll 11/06/2018 12:11 PM 513,608 PocoXml.dll 11/06/2018 12:11 PM 270,920 PocoZip.dll 11/06/2018 12:11 PM 4,635,720 Qt5Core.dll 11/06/2018 12:11 PM 250,607 rootCA.pem 11/06/2018 12:11 PM 681,032 sqlite.dll 11/06/2018 12:11 PM 282,696 ssleay32.dll 11/09/2018 03:10 PM web 11/06/2018 12:11 PM 107,592 zlib.dll 19 File(s) 16,348,671 bytes
### Mitigation
Users of GOG Galaxy can replace the “Full Control” permission with “Read and Execute” for the “Everyone” group in the GOG Galaxy “Temp” directory and ensure all file system objects below that path inherit from the parent directory.
### Timeline
2018-11-20 - Vendor Disclosure
2019-03-14 - Vendor Patched
2019-03-26 - Public Release
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
20.2%