GOG Galaxy XPC Service exploited

A critical privilege escalation vulnerability has been discovered to affect macOS devices, particularly the GOG Galaxy software-installed machines. The CVE for this vulnerability has been assigned as CVE-2023-40713, and the severity rating has been given as 7.8 (High).

GOG Galaxy is a software designed to organize games across different platforms as a single beautiful library. The vulnerability also involves the XPC service and the connection validation of the GOG Galaxy software.

EHA

CVE-2023-40713: Technical Analysis

During the GOG Galaxy installation, it creates a new file in the /Library/LaunchDaemons directory with the name com.galaxy.ClientService.plist that results in the creation of Launch Daemon, a background process that runs with high privileges.

Furthermore, the XPC service was also involved with the PLIST file. This XPC service is highly used in macOS devices, allowing helper tools to perform certain tasks for an application.

Most of the applications use this XPC service to call and perform actions on behalf of the service. These applications also verify the client application and allow only specific applications to call exposed methods.

PID Reuse

The vulnerability was based on a race condition in which the exploit sends several messages to the XPC service and executes the posix_spawn with the binary that completes the security requirement to replace the malicious binary PID.

Moreover, the time between the message processing and process validation allows the exploit to replace the exploit PID with a real application that validates the connection.

To exploit this vulnerability, a threat actor will need to follow the below steps,

  • Connect to XPC through forked processes
  • Replace the Child processes with the legitimate binary
  • Call the changeFolderPermissionsAtPath method by modifying the permissions of the /etc/pam.d/login file
  • Replace the login file with one that allows authentication without a password
  • Finally, Escalate to root by running sudo su.

Security Intelligence has published a complete report about this vulnerability, which provides detailed information, including the exploitation steps, source code, and other information.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.