Following my research described in my other post, Hunting for LPEs in Gaming Software, I was curious about GOG services that run as Local System. I installed GOG on a „fresh“ Windows 11 and Windows 10 system and again focused on the service „GalaxyCommunication“. As we can see, the service is still running with SYSTEM privileges. Tested GOG versions: 2.0.46 from February 16th, 2022 (exploit found) to 2.0.51 from June 2022 (still exploitable).
I found that access to the „C:\ProgramData\GOG.com\Galaxy\redists“ folder is restricted, so a normal user can't write to this location.
The interesting part is that the user who installed GOG still has full (owner) permissions on the parent folders „Galaxy“ and „GOG.com“. Of course, installing GOG requires elevated permissions, but the folder permissions don't belong to that elevated user; they belong to the current user, elevated or not.
As an example: I have the user „testuser“, who has no administrative permissions, and the user „admin“, who belongs to the local Administrators group. When you install GOG as testuser, you need to provide the password of an administrator such as the user admin. That is fine and intended, but as mentioned before, after the installation our testuser is the owner of the Galaxy and GOG.com folders.
But why is this a problem? Well, at first I thought that, as the owner of a folder, I should be able to overwrite the subfolders' permissions with my own, but this is not possible. As soon as you try this, you receive the following error message for folders and files you don't have permissions to.
Bypass the Restriction
But what we can do is rename the whole parent folder, and what we also can do is create a new folder with the same name and a subfolder redists in it. And now we are able to write to „C:\ProgramData\GOG.com\Galaxy\redists“!
So the exploit steps are fairly easy:
- Rename „C:\ProgramData\GOG.com\Galaxy“ to „C:\ProgramData\GOG.com\Galaxy_orig“
- Create a new folder „C:\ProgramData\GOG.com\Galaxy“
- Create a new folder „C:\ProgramData\GOG.com\Galaxy\redists“
- Store your payload as „C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe“
- Start the service
The service start will fail, but your payload will be executed as SYSTEM.
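The root cause above is a parent folder owned by a regular user underneath a protected service directory. The following audit helper is an added example, not the author's PoC script: it walks from a service binary's folder up to the drive root and reports each ancestor's owner and any ACE that lets a non-admin principal rename, delete, or populate it. The TrustedOwners list is an assumption for this demo.

```powershell
# Added audit helper (not the author's PoC): walks from a service binary's folder up to the
# drive root and reports each ancestor's owner, plus any "Allow" ACE that grants a
# non-admin principal rights that let it rename, delete, or populate the folder.
# A parent folder owned by a regular user, as with Galaxy and GOG.com in the post, is
# the condition to look for; the TrustedOwners list below is an assumption for this demo.
$TrustedOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow renaming/deleting a folder or creating entries inside it
$RiskyRights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-ServicePathAncestry {
    param(
        [Parameter(Mandatory)] [string] $BinaryPath   # full path of the service executable
    )
    $dir = Split-Path -Path $BinaryPath -Parent
    while ($dir) {
        if (Test-Path -LiteralPath $dir) {
            $acl = Get-Acl -LiteralPath $dir
            $riskyAces = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band ([int]$RiskyRights)) -ne 0 -and
                $TrustedOwners -notcontains $_.IdentityReference.Value
            }
            [pscustomobject]@{
                Folder       = $dir
                Owner        = $acl.Owner
                OwnerTrusted = ($TrustedOwners -contains $acl.Owner)
                RiskyAces    = ($riskyAces | ForEach-Object {
                                   "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
        # Split-Path of a drive root returns an empty string, which ends the loop
        $dir = Split-Path -Path $dir -Parent
    }
}

# Walk the path from the post; a non-admin owner on GOG.com or Galaxy is the finding
Test-ServicePathAncestry -BinaryPath 'C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe' |
    Format-Table -AutoSize
```

An entry for BUILTIN\Users on C:\ProgramData itself is the Windows default and expected; the row to act on is an ancestor whose OwnerTrusted is False, which is what a fix (owner and DACL set to Administrators/SYSTEM on GOG.com and Galaxy) should remove.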
The final exploit can be found here: https://github.com/secure-77/CVE-2022-31262
I created a simple PowerShell script that handles the copy and restore process, and a C++ executable that spawns a SYSTEM shell in the current user session.
- Reported to GOG Support on 09.04.2022
- Got confirmation of the finding from GOG on 19.05.2022
- Requested CVE-2022-31262 on 22.05.2022
- Asked about any fix or information on 18.07.2022
- No further information or fix was provided by vendor
- The latest version, 2.0.51, was still vulnerable on 11.08.2022
- Published the PoC and CVE-2022-31262 on 11.08.2022