CVE-2020-27384
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in the Guild Wars 2 game launcher where an authenticated user can replace the executable with malicious code due to overly permissive file permissions. The vulnerability affects users running the vulnerable version of the launcher on Windows systems. Attackers with local access can exploit this to gain elevated privileges.
💻 Affected Systems
- Guild Wars 2 game launcher
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access replaces Gw2-64.exe with malicious code that runs with elevated privileges, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Malicious users or malware with local access escalate privileges to install persistent backdoors, steal credentials, or bypass security controls.
If Mitigated
With proper file permissions, only authorized users can modify executables, preventing privilege escalation through this vector.
🎯 Exploit Status
Exploitation requires authenticated local access but is straightforward - simply replacing the executable file with malicious code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 106916
Vendor Advisory: https://www.guildwars2.com/en/
Restart Required: Yes
Instructions:
1. Update Guild Wars 2 to the latest version through the official launcher.
2. Ensure the game directory permissions are properly restricted after update.
🔧 Temporary Workarounds
Restrict Directory Permissions
Windows: Manually adjust file permissions on the Guild Wars 2 installation directory to remove 'Full Control' for the 'Everyone' group.
icacls "C:\Program Files\Guild Wars 2" /remove:g "Everyone" /T
🧯 If You Can't Patch
- Remove 'Full Control' permissions for 'Everyone' group from the Guild Wars 2 installation directory and subdirectories
- Restrict access to the game directory to only necessary users and administrators
🔍 How to Verify
Check if Vulnerable:
Check file permissions on the Guild Wars 2 installation directory: Right-click directory → Properties → Security tab → Verify 'Everyone' group does not have 'Full Control' permission.
Check Version:
Check the launcher version in the game's About section or examine the executable properties.
Verify Fix Applied:
Verify the 'Everyone' group no longer has 'Full Control' permissions on the Guild Wars 2 directory and that the game version is newer than 106916.
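To run the check above from a shell instead of the Properties dialog, the following PowerShell script (an added example, not vendor or advisory code) lists write-capable permissions on the installation directory and Gw2-64.exe. It goes beyond the 'Everyone' / 'Full Control' case by also flagging Authenticated Users and BUILTIN\Users and any right that permits replacing the file; the default path is the one used in the workaround command and is an assumption about the install location.

```powershell
# Added example: audit the install directory and game executable for
# write-capable ACEs granted to broad groups. Default path is an assumption.
param(
    [string]$InstallDir = 'C:\Program Files\Guild Wars 2'
)

# Well-known SIDs, so the check also works on non-English Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow replacing or re-permissioning a file. FullControl and Modify
# contain these bits; GENERIC_ALL / GENERIC_WRITE show up as raw bits on some ACEs.
$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData -bor $Rights::AppendData -bor $Rights::Delete -bor
                   $Rights::ChangePermissions -bor $Rights::TakeOwnership) -bor
             0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names to avoid localisation issues.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            (([int]$rule.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$targets  = @($InstallDir, (Join-Path $InstallDir 'Gw2-64.exe'))
$findings = $targets | ForEach-Object { Get-WeakAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No write-capable ACEs for broad groups found.' }
```

A finding with Inherited set to True has to be corrected on the parent directory, since the entry will otherwise be re-applied to the file.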
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing unauthorized file modifications to Gw2-64.exe
- Antivirus alerts for suspicious modifications to game executables
Network Indicators:
- Unusual outbound connections from the game executable to unexpected destinations
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Gw2-64.exe%' AND (Accesses LIKE '%WRITE_DAC%' OR Accesses LIKE '%WRITE_OWNER%')