An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can globally adjust folder permissions leading to execution of arbitrary code with elevated privileges.
Gog Galaxy 1.2.47 (macOS)
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-19: Improper Input Validation
GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy installs a helper tool service with root privileges. This tool listens for connections and uses the provided protocol to dispatch functionality out.
The vulnerability arises in the
changeFolderPermissionsAtPath. This function takes a path as its first argument and changes the permissions of the folder and all files located there to be globally readable writeable and executable. This could allow an attacker to change privileged folders on the file system crossing a privilege boundary and creating an exploitable situation.
2018-11-20 - Vendor Disclosure
2018-12-14 - Vendor Patched
2019-03-26 - Public Release
Discovered by Tyler Bohan of Cisco Talos.