GOG Has Had a Severe Internal Vulnerability Problem for Nearly 2 Years; GOG: It’s a Very Complex Matter, but Works on the Fix Are Ongoing

Ule Lopez

GOG has a vulnerability exploit that has been seemingly ignored by the CD Projekt RED subsidiary ever since it was first sighted. The exploit was first archived as a vulnerability by the National Vulnerability Database (NVD) in August 2020. This vulnerability allows for local privilege escalation from any authenticated user to SYSTEM.

This exploit essentially allows users to inject DLLs into GOG's Galaxy client. Simply put, GOG can be used to escalate privileges. Thus, users can gain an administrative role in the system itself. This can essentially open the way for hackers to gain access to supply chain attacks on different systems.

Related StoryNathan Birch
GOG Black Friday Sale Includes The Witcher 3, A Plague Tale: Requiem, Many DRM-Free Favs

As the NVD Database entry puts it:

The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based "trusted client" protection mechanism.

Needless to say, any user profile can give itself administrative privileges through GOG Galaxy and then gain access to every computer where the GOG Client is installed. The exploit was originally discovered by white hat hacker and Positron Security Founder Joseph Testa. However, that happened in January 2020.

GOG reacted by releasing an update that would fix this issue. However, it was found that this simply updated the signing key used for verifying messages. This key has been recovered and the proof-of-concept has been updated with it. So yes, the exploit still works, unmodified, and has been reported as a 0-day vulnerability in GOG's Galaxy client.

Joseph Testa posted a comprehensive analysis that detailed some of his conversations with GOG Support. This conversation started on June 4, 2020, and the entire thread can be read in the link above.

GOG.com Support replied with:

“I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.”

Because this sounded like GOG was not taking the issue seriously, I responded with:

“It is indeed true that an attacker must have low-privilege access to the machine already. But the problem is that this can be escalated into Administrator rights by abusing the GalaxyClientService software. […] Local privilege escalation (LPE) is a serious vulnerability.

GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise. Unfortunately, due to the vulnerabilities I’ve discovered in GalaxyClientService, all user accounts are effectively administrators.”

Shortly afterward, GOG told Joseph that their developers needed three months to create a solution. Of course, since the Advisory is currently online, that means that this fix wasn't provided after the 3-month time passed. In fact, as recently as September 2021, it's been confirmed that the GOG Galaxy 2.0 exploit continues to work.

In other words, any user who installs Galaxy 2.0 will run the risk of having an attacker gain administrator access. As the poster of the Reddit thread that discovered that the exploit still works puts it:

My major concern is people assume that, since it has been so long past the 3-month timeline the developers proposed for a fix, that it has been fixed. Hell, why would a development team not fix something like this in their software? Too bad this is not the case, and your system is still vulnerable if you have GOG Galaxy 2.0 installed.

When Wccftech reached out to GOG earlier this week for comment regarding this situation, they replied with the following statement:

We’re aware of the security issue in GOG GALAXY and we confirm that the works on the fix are ongoing. It turned out to be a very complex matter and require changes made to the design of the client itself. As always, we will inform users about the fix in the GOG GALAXY changelog once the patch is deployed. Furthermore, we want to reassure everyone that security topics are important to us and we take all of them seriously.

In its current form, the proof of concept exploit outlined by Joseph Testa only causes the Galaxy client to crash. As such, it can easily be inferred that this might be a temporary measure made by CDPR to prevent any attacks from happening while they work on solving this issue. Of course, this could also mean that the exploit no longer works with the outdated proof of concept and can be accessed by malicious attackers with a more refined process.

You can watch a comprehensive timeline of events that outlines the severity of the exploit below in the YouTube video linked below.

For now, it's best to be careful around the GOG Galaxy program, and it's heavily advised to keep an eye on what programs get installed through the service.

Deal of the Day