
Researchers Exploited GOG Galaxy XPC for Privilege Escalation in macOS

A critical privilege escalation vulnerability has been discovered that affects macOS machines with the GOG Galaxy client installed. It has been assigned CVE-2023-40713 and a severity rating of 7.8 (High).

GOG Galaxy is a client that organizes games from different platforms into a single library. The vulnerability lies in how the XPC service installed by GOG Galaxy validates the clients that connect to it.

CVE-2023-40713: Technical Analysis

During installation, GOG Galaxy creates a new file named com.galaxy.ClientService.plist in the /Library/LaunchDaemons directory. This registers a Launch Daemon, a background process that runs with high privileges.

The same PLIST also registers the daemon's XPC service. XPC is widely used on macOS to let helper tools perform certain tasks on behalf of an application.

Many applications use such an XPC service to carry out actions on their behalf. A properly designed service verifies the calling client and allows only specific applications to invoke its exposed methods.

PID Reuse

The vulnerability is a race condition. The exploit sends several messages to the XPC service and then calls posix_spawn to replace the malicious process with a binary that satisfies the service's security requirement, so that the PID the service is about to check now belongs to a trusted binary.

Because there is a window between the moment a message is processed and the moment the sending process is validated, the exploit can arrange for its PID to belong, by the time validation runs, to a legitimate application that passes the connection check.
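The defensive side of the PID-reuse problem is to never identify an XPC client by its PID alone. The following Objective-C listener delegate is an added example and is not GOG Galaxy's code: it shows the weak PID-based check beside a check bound to the audit token that the kernel attaches to each XPC message, and, on macOS 13 and later, the public `setCodeSigningRequirement:` API that lets Foundation enforce the requirement on every message. The Mach service name, bundle identifier, team ID and requirement string are placeholders, and reading the audit token on older systems relies on the undocumented `auditToken` property of NSXPCConnection, which is an assumption rather than documented API.

```objectivec
// Added example, not GOG Galaxy's code: an NSXPCListener delegate that validates
// the connecting client by audit token (or a framework-enforced code-signing
// requirement) instead of by PID. All identifiers below are placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/libbsm.h>   // audit_token_t helpers such as audit_token_to_pid

// Placeholder designated requirement: pin the caller to your own signed client.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID1234\"";
static NSString *const kMachServiceName = @"com.example.helper";   // placeholder

// Build a SecCodeRef from the given guest attributes and evaluate the
// requirement against it. Returns YES only if the guest satisfies it.
static BOOL GuestSatisfiesRequirement(NSDictionary *guestAttributes) {
    SecCodeRef code = NULL;
    SecRequirementRef requirement = NULL;
    BOOL ok = NO;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)guestAttributes,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &requirement) == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement) == errSecSuccess);
    }
    if (requirement) CFRelease(requirement);
    if (code) CFRelease(code);
    return ok;
}

// WEAK (kept only for comparison, never called): identify the caller by PID.
// Between this lookup and the moment the request is served, the PID can be
// recycled by another process, which is exactly the race described above.
static BOOL WeakValidateByPid(pid_t pid) {
    return GuestSatisfiesRequirement(@{ (__bridge NSString *)kSecGuestAttributePid : @(pid) });
}

// HARDENED: identify the caller by the audit token the kernel attached to the
// message. The token pins the specific process instance, so a recycled PID
// no longer matches the process that was validated.
static BOOL ValidateByAuditToken(audit_token_t token) {
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    return GuestSatisfiesRequirement(@{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData });
}

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // Public API: Foundation re-evaluates the requirement on every incoming
        // message using the sender's audit token, so there is no check-then-use window.
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else {
        // Older systems: NSXPCConnection exposes the audit token only through an
        // undocumented `auditToken` property (assumption: reachable via KVC).
        NSValue *boxed = [newConnection valueForKey:@"auditToken"];
        if (boxed == nil) return NO;
        audit_token_t token;
        [boxed getValue:&token];
        if (!ValidateByAuditToken(token)) {
            NSLog(@"rejecting XPC client pid %d", audit_token_to_pid(token));
            return NO;
        }
    }
    // Set exportedInterface / exportedObject for the real service here.
    [newConnection resume];
    return YES;
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        HelperListenerDelegate *delegate = [HelperListenerDelegate new];
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:kMachServiceName];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];   // serve connections until the daemon is stopped
    }
    return 0;
}
```

The audit-token path still has to be paired with a strict requirement string: pinning only to `anchor apple generic` would accept any Developer ID-signed binary, which is precisely the class of "legitimate binary" the exploit substitutes for its own process.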

To exploit this vulnerability, a threat actor needs to follow these steps:

  • Connect to the XPC service from forked child processes
  • Replace the child processes with the legitimate binary
  • Call the changeFolderPermissionsAtPath method to modify the permissions of the /etc/pam.d/login file
  • Replace the login file with one that allows authentication without a password
  • Finally, escalate to root by running sudo su.
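From a detection standpoint, the last three steps leave a footprint that is easy to audit: a PAM service file in /etc/pam.d that is no longer root-owned or is writable by other users, and an auth stack that succeeds without a credential check (for example `auth sufficient pam_permit.so`). The following Objective-C tool is an added example and is not part of the article or of GOG Galaxy; it generalizes the check from the single login file to every service file in the directory, and the PAM text it parses in its self-test is constructed for the demonstration.

```objectivec
// Added example, not from the article or GOG Galaxy: audit a PAM configuration
// directory for files writable by non-root users and for pam_permit.so in the
// auth phase. Build with: clang -fobjc-arc -framework Foundation pamd_audit.m
#import <Foundation/Foundation.h>
#import <sys/stat.h>

// Constructed sample of a tampered login file, used by the self-test in main().
static NSString *const kConstructedTamperedLogin =
    @"# constructed sample\n"
    @"auth sufficient pam_permit.so\n"
    @"auth [success=1 default=ignore] pam_succeed_if.so \\\n"
    @"    uid >= 500\n"
    @"account required pam_unix.so\n";

// Parse one logical PAM line into type, control and module. Returns nil for
// blank lines and @include directives. Bracketed controls such as
// "[success=done default=bad]" are kept as one string.
static NSDictionary *ParsePamLine(NSString *line) {
    NSArray *parts = [[line componentsSeparatedByCharactersInSet:
                       [NSCharacterSet whitespaceCharacterSet]]
                      filteredArrayUsingPredicate:[NSPredicate predicateWithFormat:@"length > 0"]];
    if (parts.count < 3 || [parts[0] hasPrefix:@"@include"]) return nil;
    NSString *type = [[parts[0] lowercaseString] stringByTrimmingCharactersInSet:
                      [NSCharacterSet characterSetWithCharactersInString:@"-"]];
    NSString *control = parts[1];
    NSUInteger moduleIndex = 2;
    if ([control hasPrefix:@"["]) {
        while (moduleIndex < parts.count && ![parts[moduleIndex - 1] hasSuffix:@"]"]) {
            control = [control stringByAppendingFormat:@" %@", parts[moduleIndex]];
            moduleIndex++;
        }
        if (moduleIndex >= parts.count) return nil;
    }
    return @{ @"type": type, @"control": [control lowercaseString],
              @"module": [parts[moduleIndex] lastPathComponent] };
}

// Split file text into entries, dropping '#' comments and joining
// backslash-continued lines.
static NSArray *PamEntries(NSString *text) {
    NSMutableArray *entries = [NSMutableArray array];
    NSMutableString *pending = [NSMutableString string];
    for (NSString *raw in [text componentsSeparatedByString:@"\n"]) {
        NSString *line = [[raw componentsSeparatedByString:@"#"][0]
                          stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]];
        if ([line hasSuffix:@"\\"]) {
            [pending appendFormat:@"%@ ", [line substringToIndex:line.length - 1]];
            continue;
        }
        NSDictionary *entry = ParsePamLine([pending stringByAppendingString:line]);
        [pending setString:@""];
        if (entry) [entries addObject:entry];
    }
    return entries;
}

// Auth-phase entries that can satisfy the stack without checking a credential.
static NSArray *AuthBypassEntries(NSString *text) {
    NSMutableArray *hits = [NSMutableArray array];
    for (NSDictionary *e in PamEntries(text)) {
        if ([e[@"type"] isEqualToString:@"auth"] && [e[@"module"] isEqualToString:@"pam_permit.so"])
            [hits addObject:[NSString stringWithFormat:@"auth %@ %@", e[@"control"], e[@"module"]]];
    }
    return hits;
}

// Ownership and mode problems for one service file.
static NSArray *PermissionProblems(NSString *path) {
    NSMutableArray *problems = [NSMutableArray array];
    struct stat st;
    if (stat(path.fileSystemRepresentation, &st) != 0) return @[@"stat failed"];
    if (st.st_uid != 0)
        [problems addObject:[NSString stringWithFormat:@"owned by uid %u, expected root", st.st_uid]];
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        [problems addObject:[NSString stringWithFormat:@"writable by group/other (mode %04o)",
                             (unsigned)(st.st_mode & 07777)]];
    return problems;
}

// Map each service file that has findings to its list of findings.
static NSDictionary *AuditPamDirectory(NSString *dir) {
    NSMutableDictionary *findings = [NSMutableDictionary dictionary];
    NSFileManager *fm = [NSFileManager defaultManager];
    for (NSString *name in [fm contentsOfDirectoryAtPath:dir error:NULL]) {
        NSString *path = [dir stringByAppendingPathComponent:name];
        BOOL isDir = NO;
        if (![fm fileExistsAtPath:path isDirectory:&isDir] || isDir) continue;
        NSMutableArray *issues = [NSMutableArray array];
        for (NSString *p in PermissionProblems(path))
            [issues addObject:[@"permissions: " stringByAppendingString:p]];
        NSString *text = [NSString stringWithContentsOfFile:path encoding:NSUTF8StringEncoding error:NULL] ?: @"";
        for (NSString *h in AuthBypassEntries(text))
            [issues addObject:[@"auth bypass: " stringByAppendingString:h]];
        if (issues.count) findings[name] = issues;
    }
    return findings;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Self-test on the constructed sample: expect exactly one bypass hit.
        NSLog(@"sample hits: %@", AuthBypassEntries(kConstructedTamperedLogin));
        NSString *dir = argc > 1 ? @(argv[1]) : @"/etc/pam.d";
        NSDictionary *findings = AuditPamDirectory(dir);
        for (NSString *name in [findings.allKeys sortedArrayUsingSelector:@selector(compare:)]) {
            printf("%s\n", name.UTF8String);
            for (NSString *issue in findings[name]) printf("  - %s\n", issue.UTF8String);
        }
        return findings.count ? 1 : 0;   // non-zero exit when anything is flagged
    }
}
```

Run it without arguments to audit /etc/pam.d, or pass a directory path to audit a copy. The exit status is non-zero whenever a finding exists, which makes it simple to wire into a periodic compliance job; a baseline of the expected file hashes would catch substitutions that keep root ownership and 0644 permissions, which this mode-and-content check alone does not.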

Security Intelligence has published a complete report on this vulnerability, providing detailed information that includes the exploitation steps, source code, and further details.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
