CVE-2018-4049 in Galaxy
Summary
by MITRE
An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's ?Games? directory, version 1.2.48.36 (Windows 64-bit Installer). An attacker can overwrite executables of installed games to exploit this vulnerability and execute arbitrary code with elevated privileges.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/21/2023
The vulnerability identified as CVE-2018-4049 represents a critical local privilege escalation flaw within GOG Galaxy's file system permissions structure. This issue specifically affects version 1.2.48.36 of the Windows 64-bit installer, creating a dangerous condition where unauthorized code execution becomes possible through manipulation of the Games directory. The vulnerability stems from inadequate permission controls that allow standard user accounts to modify critical executable files within the application's installation structure. Attackers can exploit this weakness by replacing legitimate game executables with malicious payloads, effectively gaining elevated privileges during the execution process. The flaw demonstrates a fundamental failure in access control implementation where the application does not properly enforce security boundaries between user-level operations and system-level modifications.
The technical implementation of this vulnerability involves the manipulation of file system permissions within GOG Galaxy's Games directory structure. When the application runs with elevated privileges during installation or operation, it maintains overly permissive access controls that permit modification of executable files by non-privileged users. This design flaw creates a path where an attacker can substitute legitimate game binaries with crafted malicious executables. The replacement process occurs without proper verification mechanisms, allowing arbitrary code to be executed with the privileges of the GOG Galaxy process. This type of vulnerability is categorized under CWE-276 as improper file permissions, which directly enables unauthorized modification of critical system components. The attack vector leverages the principle of least privilege violation where the application unnecessarily grants write permissions to directories containing executables.
The operational impact of CVE-2018-4049 extends beyond simple privilege escalation to encompass potential system compromise and data integrity violations. An attacker who successfully exploits this vulnerability can execute arbitrary code with elevated privileges, potentially leading to complete system takeover or persistent backdoor installation. The attack requires local access to the target system but does not necessitate network connectivity, making it particularly dangerous in environments where physical access is possible. The vulnerability affects any user who has standard account privileges on a system running the affected GOG Galaxy version, creating widespread exposure across various deployment scenarios. This weakness can be exploited in conjunction with other attack techniques, potentially allowing adversaries to establish persistence or escalate privileges further within the compromised environment.
Mitigation strategies for this vulnerability require immediate patching of the affected GOG Galaxy installation to version 1.2.48.37 or later, which contains the necessary permission fixes. System administrators should conduct comprehensive inventory checks to identify all installations of the vulnerable version and ensure prompt remediation. The implementation of least privilege principles should be enforced where the Games directory permissions are restricted to prevent unauthorized modifications. Additionally, users should be educated about the risks of running applications with elevated privileges and the importance of keeping software updated. From an ATT&CK framework perspective, this vulnerability maps to T1068 as a local privilege escalation technique, and T1548.002 as an abuse of system permissions. Organizations should consider implementing application whitelisting controls and monitoring for unauthorized file modifications in system directories to detect potential exploitation attempts. Regular security assessments of third-party software installations should include verification of file system permissions and access control configurations to prevent similar vulnerabilities from being introduced.