cnvd - cnvd-2021-25692

cnvd-2021-25692

Vulnerability from cnvd

Title: GOG Galaxy权限许可和访问控制问题漏洞（CNVD-2021-25692）

Description:

GOG Galaxy是波兰GOG公司的一款游戏客户端程序。该程序用于安装、启动和更新游戏。

GOG Galaxy 1.2.62之前的1.2.x版本和2.0.12之前的2.0.x版本中存在权限许可和访问控制问题漏洞。攻击者可通过向GOG GalaxyClientService发送任意file_paths利用该漏洞提升权限。

Severity: 高

Patch Name: GOG Galaxy权限许可和访问控制问题漏洞（CNVD-2021-25692）的补丁

Patch Description:

GOG Galaxy是波兰GOG公司的一款游戏客户端程序。该程序用于安装、启动和更新游戏。

GOG Galaxy 1.2.62之前的1.2.x版本和2.0.12之前的2.0.x版本中存在权限许可和访问控制问题漏洞。攻击者可通过向GOG GalaxyClientService发送任意file_paths利用该漏洞提升权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商发布了该软件2.0.x版本的修复措施，该软件1.2.x版本的修复措施暂未发布，详情请参考链接： https://www.gog.com/

Reference: https://packetstormsecurity.com/files/158085/GOG-GalaxyClientService-Privilege-Escalation.html

Impacted products

Name
['GOG Galaxy >=1.2.0，<=1.2.64', 'GOG Galaxy >=2.0.0，<=2.0.12']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-7352"
    }
  },
  "description": "GOG Galaxy\u662f\u6ce2\u5170GOG\u516c\u53f8\u7684\u4e00\u6b3e\u6e38\u620f\u5ba2\u6237\u7aef\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u7528\u4e8e\u5b89\u88c5\u3001\u542f\u52a8\u548c\u66f4\u65b0\u6e38\u620f\u3002 \n\nGOG Galaxy 1.2.62\u4e4b\u524d\u76841.2.x\u7248\u672c\u548c2.0.12\u4e4b\u524d\u76842.0.x\u7248\u672c\u4e2d\u5b58\u5728\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411GOG GalaxyClientService\u53d1\u9001\u4efb\u610ffile_paths\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u53d1\u5e03\u4e86\u8be5\u8f6f\u4ef62.0.x\u7248\u672c\u7684\u4fee\u590d\u63aa\u65bd\uff0c\u8be5\u8f6f\u4ef61.2.x\u7248\u672c\u7684\u4fee\u590d\u63aa\u65bd\u6682\u672a\u53d1\u5e03\uff0c\u8be6\u60c5\u8bf7\u53c2\u8003\u94fe\u63a5\uff1a\r\nhttps://www.gog.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-25692",
  "openTime": "2021-04-08",
  "patchDescription": "GOG Galaxy\u662f\u6ce2\u5170GOG\u516c\u53f8\u7684\u4e00\u6b3e\u6e38\u620f\u5ba2\u6237\u7aef\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u7528\u4e8e\u5b89\u88c5\u3001\u542f\u52a8\u548c\u66f4\u65b0\u6e38\u620f\u3002 \r\n\r\nGOG Galaxy 1.2.62\u4e4b\u524d\u76841.2.x\u7248\u672c\u548c2.0.12\u4e4b\u524d\u76842.0.x\u7248\u672c\u4e2d\u5b58\u5728\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411GOG GalaxyClientService\u53d1\u9001\u4efb\u610ffile_paths\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GOG Galaxy\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-25692\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "GOG Galaxy \u003e=1.2.0\uff0c\u003c=1.2.64",
      "GOG Galaxy \u003e=2.0.0\uff0c\u003c=2.0.12"
    ]
  },
  "referenceLink": "https://packetstormsecurity.com/files/158085/GOG-GalaxyClientService-Privilege-Escalation.html",
  "serverity": "\u9ad8",
  "submitTime": "2020-06-17",
  "title": "GOG Galaxy\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-25692\uff09"
}

CVE-2020-7352 (GCVE-0-2020-7352)

Vulnerability from cvelistv5

Published

2020-08-06 15:45

Modified

2024-09-16 17:48

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-264 - Permissions, Privileges, and Access Controls

Summary

The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.

References

▼	URL	Tags
	https://github.com/rapid7/metasploit-framework/pull/13444	x_refsource_MISC
	https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	GOG	GOG GalaxyClientService	Version: 2.0.12 < Version: 1.2.64 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:25:49.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rapid7/metasploit-framework/pull/13444"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GOG GalaxyClientService",
          "vendor": "GOG",
          "versions": [
            {
              "lessThanOrEqual": "2.0.12",
              "status": "affected",
              "version": "2.0.12",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "1.2.64",
              "status": "affected",
              "version": "1.2.64",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered and reported to Rapid7 by Joe Testa via the Metasploit Framework."
        }
      ],
      "datePublic": "2020-04-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-264",
              "description": "CWE-264 Permissions, Privileges, and Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-06T15:45:27",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rapid7/metasploit-framework/pull/13444"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue was resolved in version 2.0.13 of the affected software."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "GOG Galaxy GalaxyClientService Privilege Escalation",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@rapid7.com",
          "DATE_PUBLIC": "2020-04-28T10:00:00.000Z",
          "ID": "CVE-2020-7352",
          "STATE": "PUBLIC",
          "TITLE": "GOG Galaxy GalaxyClientService Privilege Escalation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GOG GalaxyClientService",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2.0.12",
                            "version_value": "2.0.12"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "1.2.64",
                            "version_value": "1.2.64"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GOG"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered and reported to Rapid7 by Joe Testa via the Metasploit Framework."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-264 Permissions, Privileges, and Access Controls"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rapid7/metasploit-framework/pull/13444",
              "refsource": "MISC",
              "url": "https://github.com/rapid7/metasploit-framework/pull/13444"
            },
            {
              "name": "https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/",
              "refsource": "MISC",
              "url": "https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "This issue was resolved in version 2.0.13 of the affected software."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2020-7352",
    "datePublished": "2020-08-06T15:45:27.543775Z",
    "dateReserved": "2020-01-21T00:00:00",
    "dateUpdated": "2024-09-16T17:48:55.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted