CVE-2022-31262 in Galaxy
Summary
by MITRE • 08/17/2022
An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. Due to insufficient folder permissions, an attacker can hijack the %ProgramData%\GOG.com folder structure and change the GalaxyCommunication service executable to a malicious file, resulting in code execution as SYSTEM.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/17/2022
The vulnerability identified as CVE-2022-31262 represents a critical local privilege escalation flaw within GOG Galaxy 2.0.46 that allows attackers to execute arbitrary code with SYSTEM privileges. This issue stems from inadequate permission controls on the %ProgramData%\GOG.com directory structure, creating a persistent attack surface that can be exploited by malicious actors with local user access. The vulnerability specifically targets the GalaxyCommunication service executable, which runs with elevated privileges, making it a prime target for privilege escalation attacks. The flaw operates by allowing an unprivileged user to manipulate the service's executable file through directory hijacking techniques, effectively compromising the entire system through a single vulnerable component.
From a technical perspective, this vulnerability manifests as a classic privilege escalation through service binary replacement attack vector. The insufficient folder permissions on the ProgramData directory structure enable attackers to modify the service executable file, which is loaded and executed by the Windows service manager with SYSTEM privileges. The vulnerability aligns with CWE-276, which describes inadequate privileges or permissions that allow unauthorized access to system resources. The attack chain begins with a local user gaining access to the system, followed by manipulation of the %ProgramData%\GOG.com folder structure, and culminates in execution of malicious code with elevated privileges. This represents a significant security weakness in the application's installation and service management architecture, where proper access controls and privilege separation are not adequately enforced.
The operational impact of this vulnerability is severe and far-reaching, as it provides attackers with complete system compromise capabilities through a single local privilege escalation exploit. Once successfully exploited, the attacker gains SYSTEM-level access, enabling them to perform any action on the compromised system including installing additional malware, modifying system files, accessing sensitive data, and establishing persistent backdoors. The attack requires minimal privileges initially, making it particularly dangerous as it can be exploited by any local user with basic system access. The vulnerability affects systems running GOG Galaxy 2.0.46 and potentially earlier versions, creating a widespread attack surface across gaming platforms and potentially other applications that may utilize similar installation patterns. The service-based nature of the exploit also means that the attack can be persistent and difficult to detect through standard security monitoring.
Mitigation strategies for CVE-2022-31262 should focus on implementing proper access controls and privilege separation mechanisms. System administrators should immediately update to the latest version of GOG Galaxy where this vulnerability has been patched, as the vendor has addressed the insufficient folder permissions issue. Additionally, implementing proper file and directory permissions using Windows access control lists can help prevent unauthorized modifications to service executables. The principle of least privilege should be enforced by ensuring that service executables are not writable by non-privileged users. Network segmentation and monitoring should be implemented to detect suspicious file modification activities in system directories. Security controls should include regular auditing of service configurations and monitoring for unauthorized changes to critical system executables. Organizations should also consider implementing application whitelisting policies to prevent execution of unauthorized binaries, which aligns with ATT&CK technique T1543.003 for creating or modifying system level execution mechanisms. The vulnerability demonstrates the importance of proper privilege management and access control implementation in software installation and service management processes, particularly when dealing with applications that require elevated privileges for operation.