![]() ![]() The rollback functionality isn’t the only new feature in the update. Thanks to everyone involved (post will be updated with names once we know they are ok being named).The next version of Windows 10 might let you play Xbox One games on your PC – Vender releases 2.0.37, fixing the vulnerability – CD Projekt Red is hacked and held for ransom (only including this, because GOG might fall under them, or vice versa, so resources could be distracted from this) – Google waiting period begins - 90 days (April 26, 2021 from this date) – Vendor closed initial support ticket, opens JIRA and recommends we “follow Google Responsible Disclosure rules” – Vendor forwarded on to their security team This was a learning opportunity for us, but wasn’t as bad as initially thought. ![]() Now we needed to report the vulnerability to GOG and submit for a CVE, which we have never done before. But that doesn’t mean that this vulnerability should be ignored, as other processes could exploit this to hide their malicious code and run as the logged on user (we were thinking ransomware primarily as the risk). At this time, we could not find a way to elevate, above the current user. We dug around, and tried to get the GOG Galaxy client to update and trigger our DLL, but we had no luck. Additionally, the popup displayed the same information: We dropped the DLL into the above path, and boom! The file C:\temp\whoami.txt was created, with username, process path, and PID. As our coding knowledge only included scripting languages, we reached out to some colleagues (again), and they assisted us with the creation of the DLL. This was necessary, because there was no way to manually kick off a check for updates of their software, and we couldn’t find a cadence of when or how it happened. The update service runs as SYSTEM level permissions. Our requirements for this DLL was to make it flexible (for other vulnerability research), but mainly to see if the update mechanism of the GOG Galaxy client would run the code in our DLL. Additionally, we wanted a popup, with the same information, for visual confirmation. We wanted to write out to a file, the process and the account that was running it. After doing some searching (mainly on GitHub), we couldn’t find one that fit our needs. Nice, we have a DLL path that a standard user can write to: C:\Users\(username)\AppData\Local\Microsoft\WindowsApps\ZLIB1.dllįrom here, we knew we needed a DLL to place in this directory. Adding additional filters, we ended up with ![]() But most paths were places only administrators had access to. This was returned around 113 events on startup of the GOG client. After doing some research, we came to the conclusion that Process Monitor, with some filters applied, would likely be the best avenue for investigation. We suspected there to be a vulnerability here, but were not sure or if it was exploitable.Īfter reaching out to colleagues, they believed this could be a DLL Load Order Hijacking vulnerability. It was even installed on a completely different drive. To us this was very odd, GOG of course has no relationship with the FAH software. When trying to manually delete the files, the below warning prompted that they were in use by the GOG Galaxy client application. This vulnerability came about when we tried to uninstall the Folding at Home Client, but its folder and some DLLs remained. The vendor has patched the vulnerability and released version 2.0.37, as of March 30, 2021. The GOG Galaxy version 2.0.35 was vulnerable to a DLL Load Order Hijacking vulnerability. Authors: Brian Papile and Jeff Stokes Executive summary ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |