Steam vulnerability reportedly exposes Windows gamers to system hijacking

The researcher was asked not to disclose the bug but did so anyway.
Written by Charlie Osborne, Contributing Writer

The Steam gaming platform reportedly contained a severe vulnerability which could expose users to privilege escalation attacks, but the bug was not considered in scope for Valve to fix.

Valve's Steam caters for approximately 90 million users worldwide. The bug was found in the Windows client used to launch the platform. 

Researcher Vasily Kravets said the security flaw is a rather simple one. In a blog post describing his findings, Kravets said the Steam Client Service includes a setting which permits any user in the "User" group to start and stop the service. While this in itself is not an issue, a further examination of the service's registry keys revealed some "strange" findings.

The client's "User" keys and subkeys inherit a full set of read/write permissions from the installation folder, so by taking control of one key it was possible to launch a privilege escalation attack and create an exploit "that allows running any program with the highest possible rights on any Windows computer with Steam installed."
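The defender-side check that follows from the two paragraphs above is an audit of the service's registry key tree for access control entries that hand write rights to low-privileged groups. This is an added example, not code from the article or from Valve; the service key path and service name are assumptions based on the "Steam Client Service" name the article uses.

```powershell
# Added example: audit a Windows service's registry key tree for ACEs that give
# low-privileged principals write access (the weakness described in the article).
# Assumed service key path; adjust if the service is registered under another name.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service'

# Rights that let a principal alter a key or its subkeys rather than merely read them.
# FullControl is a superset, so it is matched by this mask as well.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Low-privileged principals that should never hold write rights on a service key.
$WeakPrincipals = @('BUILTIN\Users', 'Everyone',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-WeakRegistryAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Walk the key itself plus every subkey, since inherited ACEs are the problem here.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isWeak   = $WeakPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.RegistryRights -band [int]$WriteMask) -ne 0
            if ($isAllow -and $isWeak -and $canWrite) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited   # true when propagated from a parent key
                }
            }
        }
    }
}

# Any row printed here is a key that a standard user could rewrite and should be fixed.
Get-WeakRegistryAce -Path $ServiceKey | Format-Table -AutoSize

# The service's own security descriptor shows who may start and stop it (SDDL form),
# the first setting the article mentions. Assumed service name.
sc.exe sdshow 'Steam Client Service'
```

An empty table from the audit function means no low-privileged principal holds write rights on the key tree; the `sc.exe sdshow` output is the DACL in SDDL and must be read separately.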

The vulnerability was reported to Valve's Steam via the HackerOne bug bounty platform, together with a proof-of-concept (PoC) executable file, on June 15. 


However, the report was originally refused and considered not applicable for a reward, with the reason given that the attack would "require the ability to drop files in arbitrary locations on the user's filesystem."

Kravets contested the decision and the report was then acknowledged and sent to the Steam security team -- only for the research to be rejected once more, on July 20, for the original reason, together with the firm's belief that the attack also needed physical access to a user's device.

The researcher then told HackerOne that he planned to publicly disclose the vulnerability after a 45-day disclosure deadline. HackerOne told Kravets he was not permitted to do so -- despite the problem being considered out of scope -- but the researcher published his findings anyway. 


"So, two weeks after my message, which was sent on July 20, a person appears, who tells me that my report was marked as not applicable, they closed the discussion and wouldn't offer any explanation to me," Kravets said. "Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve."

After the report was made public, the vulnerability case was reopened and a message was sent to Kravets containing the phrase, "Valve is not going to fix something that they have determined to be N/A [not applicable]."

However, Matt Nelson, another independent researcher, then disclosed the same vulnerability and posted a PoC on GitHub. By August 9, Steam Beta was updated with a fix for a "privilege escalation exploit using symbolic links in Windows Registry."

However, Kravets says this fix "could be bypassed."


"It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges," the researcher added. "Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90 percent discount you will not get a hidden miner? Of course, some of the threats will remain even being run without administrator rights."

Valve has not responded to requests for comment at this time. HackerOne told ThreatPost that the researcher's claims are being investigated but was not willing to comment further.
