Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
The client itself runs as SYSTEM, making it a prime target for exploitation. The service runs a server on localhost that appeared to be used for updates.
The article walks through reversing the binary protocol used by the service, including how commands are verified (signing and such). The author found that the protocol used an HMAC (RSA with SHA-256) with a hardcoded RSA private key.
By signing the bytes properly (with the desired command), it was possible to get the web server to execute arbitrary commands as SYSTEM! With this, you essentially own the computer, simply because a client service was not being smart about permissions.
Morals of the story: attack things that run with high privileges; secrets are still secrets (even inside the binary); and reverse engineering can get you a long way :)
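A release-gate check for the mistake summarized above, as an added example that is not from the linked article: it scans a build artifact for private-key material in PEM or DER (PKCS#1) form before the binary ships. The function name, the size bounds and the sample bytes are assumptions constructed for illustration.

```python
import re

# PEM armour used by the common private-key encodings.
PEM_RE = re.compile(
    rb"-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")

# DER PKCS#1 RSAPrivateKey: SEQUENCE with a 2-byte length, INTEGER version 0,
# then the modulus as an INTEGER with a long-form length (keys >= 1024 bits).
DER_RSA_RE = re.compile(rb"\x30\x82..\x02\x01\x00\x02(\x81.|\x82..)", re.DOTALL)

MAX_DER_LEN = 5000  # assumed upper bound, roughly an 8192-bit RSA key


def find_embedded_private_keys(blob: bytes):
    """Return sorted (offset, kind) pairs for private-key material in blob."""
    hits = [(m.start(), "pem") for m in PEM_RE.finditer(blob)]
    for m in DER_RSA_RE.finditer(blob):
        start = m.start()
        declared = int.from_bytes(blob[start + 2:start + 4], "big")
        # Heuristic filter: the declared SEQUENCE body must fit inside the
        # file and be a plausible size, otherwise it is a chance byte match.
        if declared <= MAX_DER_LEN and start + 4 + declared <= len(blob):
            hits.append((start, "der-pkcs1"))
    return sorted(hits)


# Constructed sample: filler bytes standing in for a client binary, with a
# PEM header and a DER-shaped header planted at known offsets (no real key).
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
    + b"\x90" * 20
    + b"\x30\x82\x02\x5c\x02\x01\x00\x02\x81\x81\x00" + b"\xAA" * 604
)

if __name__ == "__main__":
    for offset, kind in find_embedded_private_keys(SAMPLE):
        print(f"private key material ({kind}) at offset {offset:#x}")
```

A hit means the signing key has to move off the client: the service should hold only the public key and verify commands signed elsewhere.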