UPDATE
A researcher has dropped a zero-day vulnerability that affects the Steam game client for Windows, after Valve said it wouldn’t fix it. Valve then published a patch that the same researcher said can be bypassed.
The bug is a privilege-escalation vulnerability that can allow an attacker to level up and run any program with the highest possible rights on any Windows computer with Steam installed, according to independent researcher Vasily Kravets (a.k.a. Felix).
Given that Steam says that it has more than a billion registered users worldwide (and 90 million active users, who sign up to play games like Assassin’s Creed, Grand Theft Auto V and Warhammer), the attack surface is potentially massive. Yet Steam’s owner, Valve, determined that the flaw was “not applicable” after Kravets submitted it via the HackerOne bug-bounty platform.
Bug Details
The vulnerability exists in the Steam Client Service, which runs on Windows computers with system privileges. The researcher found that it’s possible to use symbolic links (i.e., symlinks, which act as shortcuts from one file, directory or registry key to another) to cause the computer to launch a service or executable with full privileges.
First, Kravets discovered that the Steam service can be started and stopped by anyone using the computer (i.e., those with “user” privileges) – and when that happens, the user is given a list of the subkeys under the “HKLM\Software\Wow6432Node\Valve\Steam\Apps” main registry key.
“Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit ‘full control’ for ‘users’ group, and these permissions inherit for all subkeys and their subkeys,” Kravets explained in a recent writeup. He then wanted to see if it’s possible to take control of a subkey under HKLM\Software\Wow6432Node\Valve\Steam\Apps that offers limited permissions, use a symlink to point to a secure registry key with full permissions, then restart the service to gain access to the secure registry key.
“I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service,” he said – and he found that this indeed returns full read/write access to the key for all users.
“So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete escalation of privileges,” he explained. “I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service Windows Installer.”
Using the same process, he found that he was able to run Windows Installer with administrative privileges and install code. Thus, the picture that emerges is an exploit vector that allows running any executable with the highest possible rights on any Windows computer with Steam installed.
“After taking control, it is only necessary to change ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start ‘Windows Installer’ service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM,” Kravets explained.
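The following PowerShell audit is an added defensive check, not code from the article or from Kravets’s writeup. It looks for the condition the bug depends on (a group that every local user belongs to holding write rights on an HKLM key, inherited by its subkeys) on the Steam key the article names, and verifies that the msiserver ImagePath still points at the Windows Installer binary; the expected msiexec.exe location under the system directory is an assumption about a default Windows install.

```powershell
# Added defensive check (not from the article or Kravets's writeup): audit the
# Steam key for low-privileged write access and sanity-check the msiserver
# ImagePath. Key paths come from the article; the msiexec.exe path is assumed.

$SteamKey = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam'
$MsiKey   = 'HKLM:\SYSTEM\ControlSet001\Services\msiserver'

# Principals that any local user account is a member of.
$LowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Rights that let such a principal modify a key, its values, links or its ACL.
$R = [System.Security.AccessControl.RegistryRights]
$WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::CreateLink -bor
               $R::WriteKey -bor $R::ChangePermissions -bor $R::TakeOwnership

function Find-WeakRegistryAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return }
    # Walk the key and every subkey; inherited ACEs show up on each child.
    $keys = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($ace in $key.GetAccessControl().Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-MsiServerImagePath {
    # Get-ItemProperty expands REG_EXPAND_SZ, so %systemroot% is already resolved.
    $imagePath = (Get-ItemProperty -Path $MsiKey -Name ImagePath).ImagePath
    $expected  = [regex]::Escape("$env:SystemRoot\System32\msiexec.exe")
    [pscustomobject]@{
        ImagePath = $imagePath
        LooksOk   = [bool]($imagePath -match "^$expected")
    }
}

Find-WeakRegistryAcl -Path $SteamKey | Format-Table -AutoSize
Test-MsiServerImagePath
```

On a patched client the Steam key audit should return nothing; for ongoing detection, a Sysmon Event ID 13 (registry value set) rule on the msiserver ImagePath catches the final step of the chain the article describes.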
Another independent researcher, Matt Nelson (a.k.a. enigma0x3), developed a proof-of-concept (PoC) for the flaw that he published on GitHub. It shows how to use the bug to launch a Windows command prompt with administrative privileges.
HackerOne and Valve
Kravets submitted a bug report on June 15, which was rejected on June 16 because the bug enables “attacks that require the ability to drop files in arbitrary locations on the user’s filesystem.” After disputing this, the report was reopened – and then closed again on July 20 for the same reason, along with a note that “attacks…require physical access to the user’s device.”
Though HackerOne told Kravets that he was not allowed to publicly release the bug details, he did anyway 45 days after the initial disclosure. Since then, the HackerOne report was reopened, and Steam has updated the client to address a “privilege escalation exploit using symbolic links in Windows registry.” However, Kravets said that another researcher showed the fix could be bypassed.
“Where is my popcorn?” he said.
I found a way to bypass the fix. The bypass requires dropping a file in a nonadmin-writable location, so I think it's out-of-scope for Valve. Write-up: https://t.co/Lalum8LTvY cc @PsiDragon @enigma0x3 @steam_games #infosec #steam #bugbounty https://t.co/qIylEG7u2L
— Xiaoyin Liu (@general_nfs) August 15, 2019
As for Valve’s downplaying of the severity of the bug, Kravets said that software could be written to take advantage of the issue, which would vastly expand the flaw’s danger. “In fact, Steam allows to grant high privileges for every program you run,” he said.
He added, “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges. Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90 percent discount you will not get a hidden miner?…The high rights of malicious programs can significantly increase risks — programs could disable antivirus, use deep and dark places to hide and change almost any file of any user, even steal private data.”
Speaking to Threatpost, Kravets noted, “the vulnerability requires local access, not physical. Any program you run on your computer has local access. So, yes – any malicious program could take over your computer via Steam.”
Further, the bug can be chained with a remote code-execution (RCE) flaw.
“Any RCE vulnerability can be combined with the one I described,” he said. “Attacker gets local access by RCE, then gain SYSTEM privileges by elevation of privilege. Fully compromised computer in two steps.”
He added: “A very interesting attack vector is online games. Any remote code-execution in the game and Steam [will] provide SYSTEM privileges. By the way, Counter Strike (by Valve) had an RCE some time ago.”
Valve did not immediately return a request for comment on this story. HackerOne said that it was looking into Kravets’ claims, but that it didn’t have a comment at this time.
This story was updated Aug. 16 at 11:40 a.m. EDT to include exploit information from Kravets as well as more information on the patch bypass.