An exploitable local denial-of-service vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can send malicious data to the root-listening service, causing the application to terminate and become unavailable.
Gog Galaxy 1.2.47 (macOS)
6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-19: Improper Input Validation
GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy installs a helper tool service with root privileges. This tool listens for connections and uses the provided protocol to dispatch functionality out.
Each function in the privileged helper expects a closure to be passed along for the reply. There is no checking the type or validity of the closure before using it. By passing in a null value, the program responds with the stack trace below.
* thread #19, queue = 'com.apple.NSXPCConnection.user.59330', stop reason = EXC_BAD_ACCESS (code=1, address=0x10) frame #0: 0x000000010bc5fca7 com.gog.galaxy.ClientService`-[ClientService createFolderAtPath:withReply:] + 279 com.gog.galaxy.ClientService`-[ClientService createFolderAtPath:withReply:]: -> 0x10bc5fca7 <+279>: call qword ptr [r15 + 0x10]
It may be possible to send in an alternative type for the closure to gain code execution. However, as it is, there is a denial-of-service vulnerability, leading to a lack of availability of resources.
2018-11-20 - Vendor Disclosure
2018-12-14 - Vendor Patched
2019-03-26 - Public Release
Discovered by Tyler Bohan of Cisco Talos.