Talos Intelligence: TALOS-2018-0727
Mar 26, 2019

GOG Galaxy Games privileged helper denial-of-service vulnerability


CVSS2: 2.1 Low
    Attack Vector: LOCAL
    Attack Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: NONE
    Integrity Impact: NONE
    Availability Impact: PARTIAL
    Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 5.5 Medium
    Attack Vector: LOCAL
    Attack Complexity: LOW
    Privileges Required: LOW
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: NONE
    Integrity Impact: NONE
    Availability Impact: HIGH
    Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.0004 Low
    Percentile: 12.6%

Summary

An exploitable local denial-of-service vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can send malicious data to the root-listening service, causing the application to terminate and become unavailable.

Tested Versions

GOG Galaxy 1.2.47 (macOS)

Product URLs

<https://www.gog.com/galaxy>

CVSSv3 Score

6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-19: Improper Input Validation

Details

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy installs a helper tool service with root privileges. This tool listens for connections and dispatches functionality through the protocol it provides.

Each function in the privileged helper expects a closure to be passed along for the reply. The helper does not check the type or validity of the closure before using it. When a null value is passed in, the program crashes with the stack trace below.

* thread #19, queue = 'com.apple.NSXPCConnection.user.59330', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
    frame #0: 0x000000010bc5fca7 com.gog.galaxy.ClientService`-[ClientService createFolderAtPath:withReply:] + 279
com.gog.galaxy.ClientService`-[ClientService createFolderAtPath:withReply:]:
->  0x10bc5fca7 <+279>: call   qword ptr [r15 + 0x10]

It may be possible to send in an alternative type for the closure to gain code execution. However, as it stands, this is a denial-of-service vulnerability that leaves the service unavailable.
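
The fault address 0x10 in the trace is consistent with a call through a nil block pointer: in the Clang Block ABI on 64-bit targets, the invoke function pointer sits 0x10 bytes into the block object. The following is an added example, not code from the advisory or from GOG; it models that layout in plain C and shows the nil check the handler lacks. The struct, the function names, the reply signature and the path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leading fields of a block object, per the Clang Block ABI. */
struct block_literal {
    void *isa;
    int flags;
    int reserved;
    void (*invoke)(struct block_literal *self, int status);
    void *descriptor;
};

/* Address the CPU reads the invoke pointer from when calling `blk`. */
static uintptr_t invoke_load_address(const struct block_literal *blk)
{
    return (uintptr_t)blk + offsetof(struct block_literal, invoke);
}

/* Hypothetical model of a helper method that takes a reply block.
 * Returns -1 without touching `reply` when the request is malformed. */
static int create_folder_with_reply(const char *path, struct block_literal *reply)
{
    if (path == NULL || reply == NULL || reply->invoke == NULL)
        return -1;              /* the check the advisory says is missing */
    /* ... privileged work would run here ... */
    reply->invoke(reply, 0);    /* safe: reply is known to be non-nil */
    return 0;
}

/* Constructed reply block body: records the status it was called with. */
static int last_status = -1;
static void record_status(struct block_literal *self, int status)
{
    (void)self;
    last_status = status;
}

int main(void)
{
    struct block_literal reply = { NULL, 0, 0, record_status, NULL };
    int rejected = create_folder_with_reply("/constructed/path", NULL);
    int accepted = create_folder_with_reply("/constructed/path", &reply);
    printf("invoke load address for nil block: 0x%lx\n",
           (unsigned long)invoke_load_address(NULL));
    printf("nil reply -> %d, valid reply -> %d (status %d)\n",
           rejected, accepted, last_status);
    return 0;
}
```

In an Objective-C handler the equivalent guard is a nil test on the reply block before it is invoked, applied in every method the helper exposes.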

Timeline

2018-11-20 - Vendor Disclosure
2018-12-14 - Vendor Patched
2019-03-26 - Public Release
