Gamers Beware: Zero-Day in Steam Client Affects All Windows Users

An elevation-of-privilege bug allows attackers to run any program on a target machine with high privileges.

UPDATE

A researcher has dropped a zero-day vulnerability that affects the Steam game client for Windows, after Valve said it wouldn’t fix it. Valve then published a patch, which the same researcher says can be bypassed.

The bug is a privilege-escalation vulnerability that can allow an attacker to level up and run any program with the highest possible rights on any Windows computer with Steam installed, according to independent researcher Vasily Kravets (a.k.a. Felix).

Given that Steam says that it has more than a billion registered users worldwide (and 90 million active users, who sign up to play games like Assassin’s Creed, Grand Theft Auto V and Warhammer), the attack surface is potentially massive. Yet Steam’s owner, Valve, determined that the flaw was “not applicable” after Kravets submitted it via the HackerOne bug-bounty platform.

The vulnerability exists in the Steam Client Service, which runs on Windows with SYSTEM privileges. The researcher found that registry symbolic links (a registry key that, like a filesystem symlink, transparently redirects to another key) can be used to make the service hand out full-control permissions on keys it was never meant to touch, including the key that tells Windows which executable to run for a service.

First, Kravets discovered that the Steam Client Service can be started and stopped by any user on the computer (i.e., those with ordinary “user” privileges), and that when it starts, it walks the subkeys under the “HKLM\Software\Wow6432Node\Valve\Steam\Apps” registry key and resets their permissions.

“Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit ‘full control’ for ‘users’ group, and these permissions inherit for all subkeys and their subkeys,” Kravets explained in a recent writeup. He then wanted to see whether one of those subkeys under HKLM\Software\Wow6432Node\Valve\Steam\Apps could be turned into a symbolic link pointing at a protected key elsewhere in the registry, so that on the next service restart the service would apply its permissive “full control” ACL to the link’s target instead.

“I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service,” he said. It worked: after the restart, every user on the machine had full read/write access to HKLM\SOFTWARE\test2.

“So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete escalation of privileges,” he explained. “I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service Windows Installer.”

Repeating the trick against that key gave him control of the Windows Installer service’s configuration. Because a service’s ImagePath value tells Windows which executable to launch, and the Windows Installer service runs as SYSTEM, that is enough to run any executable with the highest possible rights on any Windows computer with Steam installed.

“After taking control, it is only necessary to change ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start ‘Windows Installer’ service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM,” Kravets explained.
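The chain described above leaves three observable traces on a host: the over-permissive ACL on the Steam key, a subkey under Apps that is really a registry link, and a rewritten ImagePath on the msiserver key. The PowerShell audit below is an added example, not code from the article, from Kravets’ writeup or from Nelson’s PoC; it checks all three. It assumes an elevated Windows PowerShell 5.1 session and the key paths quoted in the article. The P/Invoke wrapper is needed because Get-Item and .NET’s OpenSubKey silently follow a registry link instead of reporting it; only RegOpenKeyExW with REG_OPTION_OPEN_LINK exposes the link’s SymbolicLinkValue.

```powershell
# Added audit script (not from the article, Kravets or Nelson). Assumes an elevated PowerShell 5.1
# session so every key is readable; key paths are the ones quoted in the article.
Add-Type -Namespace SteamAudit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

$SteamKey = 'SOFTWARE\Wow6432Node\Valve\Steam'
$AppsKey  = "$SteamKey\Apps"
$MsiKey   = 'SYSTEM\CurrentControlSet\Services\msiserver'

$REG_OPTION_OPEN_LINK = 0x8        # open the link itself, do not follow it
$KEY_READ             = 0x20019
$KEY_WOW64_64KEY      = 0x100
$REG_LINK             = 6          # value type of SymbolicLinkValue
$HKLM = [Microsoft.Win32.Registry]::LocalMachine.Handle.DangerousGetHandle()

# Returns the link target if $SubKey (relative to HKLM) is a registry symbolic link, otherwise $null.
function Get-RegistryLinkTarget([string]$SubKey) {
    $h = [IntPtr]::Zero
    $rc = [SteamAudit.Native]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, ($KEY_READ -bor $KEY_WOW64_64KEY), [ref]$h)
    if ($rc -ne 0) { return $null }
    try {
        $type = [uint32]0; $buf = New-Object byte[] 2048; $cb = [uint32]$buf.Length
        $rc = [SteamAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$cb)
        if ($rc -eq 0 -and $type -eq $REG_LINK) {
            # Target is stored in native form, e.g. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\msiserver
            return [Text.Encoding]::Unicode.GetString($buf, 0, $cb)
        }
        return $null   # ERROR_FILE_NOT_FOUND (2) here means an ordinary, non-link key
    } finally { [void][SteamAudit.Native]::RegCloseKey($h) }
}

# Returns the Allow ACEs on a key that give low-privileged principals full (or generic-all) control.
function Get-OverbroadAces([string]$SubKey) {
    $FullControl = 0xF003F; $GenericAll = 0x10000000
    (Get-Acl -Path "HKLM:\$SubKey").Access | Where-Object {
        $rights = [int64]$_.RegistryRights
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '\\(Users|Everyone|Authenticated Users)$|^Everyone$' -and
        ((($rights -band $FullControl) -eq $FullControl) -or (($rights -band $GenericAll) -ne 0))
    }
}

# 1. The permissive ACL Kravets quoted: 'full control' for Users on ...\Valve\Steam, inherited downward.
foreach ($ace in Get-OverbroadAces $SteamKey) {
    Write-Warning ("{0}: {1} has {2} ({3})" -f $SteamKey, $ace.IdentityReference, $ace.RegistryRights,
                   $(if ($ace.IsInherited) { 'inherited' } else { 'explicit' }))
}

# 2. Any subkey of ...\Steam\Apps that is actually a link to somewhere else in the registry.
if (Test-Path "HKLM:\$AppsKey") {
    foreach ($name in (Get-ChildItem "HKLM:\$AppsKey" -ErrorAction SilentlyContinue).PSChildName) {
        $target = Get-RegistryLinkTarget "$AppsKey\$name"
        if ($target) { Write-Warning "$AppsKey\$name is a registry symbolic link -> $target" }
    }
}

# 3. The service key the write-up repoints: msiserver should still launch msiexec from System32,
#    and the Users group should not have been granted full control on it.
$imagePath = (Get-ItemProperty "HKLM:\$MsiKey" -ErrorAction SilentlyContinue).ImagePath
if ($imagePath -notmatch '(?i)^"?%systemroot%\\system32\\msiexec\.exe"?\s+/V\s*$') {
    Write-Warning "msiserver ImagePath is unexpected: $imagePath"
}
foreach ($ace in Get-OverbroadAces $MsiKey) {
    Write-Warning ("{0}: {1} has {2}" -f $MsiKey, $ace.IdentityReference, $ace.RegistryRights)
}
```

Two things to keep in mind when reading the output. An attacker can delete the link under Apps once the service has restarted, so the absence of links proves little; the durable indicator is an explicit full-control ACE for Users on a key outside the Steam tree, which is exactly what the service writes when the trick works. And an unexpected ImagePath on msiserver should be treated as an incident, not a misconfiguration, because that value is the last step of the escalation.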

Another independent researcher, Matt Nelson (a.k.a. enigma0x3), developed a proof-of-concept (PoC) for the flaw that he published on GitHub. It uses the bug to launch a Windows command prompt with administrative privileges.

Kravets submitted a bug report on June 15, which was rejected on June 16 because the bug enables “attacks that require the ability to drop files in arbitrary locations on the user’s filesystem.” After disputing this, the report was reopened – and then closed again on July 20 for the same reason, along with a note that “attacks…require physical access to the user’s device.”

Though HackerOne told Kravets that he was not allowed to publicly release the bug details, he did so anyway, 45 days after the initial report. Since then, the HackerOne report has been reopened, and Steam has updated the client to address a “privilege escalation exploit using symbolic links in Windows registry.” However, Kravets said that another researcher showed the fix could be bypassed.

“Where is my popcorn?” he said.

As for Valve’s downplaying of the severity of the bug, Kravets said that software could be written to take advantage of the issue, which would vastly expand the flaw’s danger. “In fact, Steam allows to grant high privileges for every program you run,” he said.

He added, “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges. Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90 percent discount you will not get a hidden miner?…The high rights of malicious programs can significantly increase risks — programs could disable antivirus, use deep and dark places to hide and change almost any file of any user, even steal private data.”

Speaking to Threatpost, Kravets noted, “the vulnerability requires local access, not physical. Any program you run on your computer has local access. So, yes – any malicious program could take over your computer via Steam.”

Further, the bug can be chained with a remote code-execution (RCE) flaw.

“Any RCE vulnerability can be combined with the one I described,” he said. “Attacker gets local access by RCE, then gain SYSTEM privileges by elevation of privilege. Fully compromised computer in two steps.”

He added: “A very interesting attack vector is online games. Any remote code-execution in the game and Steam [will] provide SYSTEM privileges. By the way, Counter Strike (by Valve) had an RCE some time ago.”

Valve did not immediately return a request for comment on this story. HackerOne said that it was looking into Kravets’ claims, but that it didn’t have a comment at this time.

This story was updated Aug. 16 at 11:40 a.m. EDT to include exploit information from Kravets as well as more information on the patch bypass.


Discussion

  • JoeB on

    Not sure you know what zero-day means. Your super click-bait headline is negated by the fact that there is no malicious software out that takes advantage of this, and if there is, you've provided absolutely no remediation information about it (because you don't know of any). While bringing people's attention to this hack is important, you've essentially lied in your headline to get panic clicks and that's incredibly scummy of you.
    • Tara Seals on

      Actually, vulnerabilities are reported all the time that haven't yet been seen to be exploited in the wild -- and it makes them no less newsworthy. As I mention in the article, I've reached out to the researcher for more information on real-world exploitation methods (and thus remediation techniques). As for the use of zero-day, it's a previously unknown bug that lacks a patch that works. People can debate the use of the term "zero day," but "scummy" is perhaps a strong word. We are also not the only publication to use it in this context.
      • Brian on

        How dare you attack Tara like this, "JoeB"! She has more journalistic integrity in her little finger than you will ever have in a lifetime! Are you also going around to every site (there are many) that have an article with "zero-day" phrasing in the title? No? Then stop being such a Negative Nelly and perhaps say something productive! Threatpost is a beacon of IT Security headlines and news, and you shall not sully the name of this publication any further on my watch. How absolutely dare you, sir. In any case, this type of vulnerability seems like the kind that would need a malicious program to execute in order to exploit. Nothing to worry about, case closed. Thanks for your time!
    • ITSecAnon on

      Joe, the definition of zero day vulnerability is: "A zero-day vulnerability is a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw. It has the potential to be exploited by cybercriminals." The article headline states "zero day"... it does not state "zero day exploit" or "zero day attack". So what exactly is the issue with using this terminology in the headline? This Steam vulnerability is indeed a zero-day vulnerability...
  • Some person on

    Yes. Thank you for reporting on a problem that affects millions of people, as well as making it an even bigger situation and spreading further news to people that have the intentions of harming sensitive data and etc.
  • Some person on

    Alright, Mr White Knight. Or should I say "Nice Guy"? Get off the internet if you're gonna act like a 12 year old
  • robin jack on

    thanks for sharing this info.
  • Douce on

    ....says the 13 year old.....
  • Important Businessman on

    Solid article. Thank you. Stupid initial comment. But nice reply. I hope Steam can get this taken care of before the coming attacks.
  • Theo on

    Excellent article, not sure this inane troll even deserved a reply.
  • whocares on

    There are no fake headlines here. If there is a new "wanacry" like virus out there waiting for a zeroday exploit to be leaked - we are all in deep shit because of this zero-day exploit. Who do not have steam installed seriously? Most men ages 8-30 lol. And then they can use those machines for getting mail lists, facebook accounts, friends, send phishing emails to friend lists, on facebook too, spreading to all over the world bigger than ever seen before. This shit is serious!
  • Mack Train on

    Do they or do they not need actual physical access to my computer in order for this to be an issue for me?
    • RussInKS on

      Sure sounds like it. My reading of it is that they need the ability to edit your registry, or they need to have already compromised your machine enough to drop a file in a location pointed to by an existing symbolic link. I'm not even sure I can find this meeting the definition of an exploit.
      • Tara Seals on

        It's a vulnerability, not an exploit.
      • Tara Seals on

        You don't need physical access. I'm updating the story now with the information Vasily gave me on exploit methods.
    • Tara Seals on

      The attacker would need to have an account on the system in question and he can then use that account to attempt unauthorized tasks. This is mainly an issue for business users, including those that use their personal devices for work. Here's a primer on why local privilege escalation can be problematic: http://www.admin-magazine.com/Articles/Understanding-Privilege-Escalation.
  • Omar on

    what is the threat to linux machines?
  • Billy on

    This is not a zero day exploit. If someone gets physical access to your PC, guess what.....they own it. Thanks for letting us know but you didn't have to make it sound like " run home and uninstall". Something that can infect your PC by going to a website or just receiving an email, you know something that doesn't rely on physical access or you clicking to install something is a zero day exploit. The original comment might have been a bit harsh but he's dead on about the alarmist reporting in this article.
    • Tara Seals on

      Actually, as noted in the article, the researcher seemed concerned that a program could be written to exploit this -- i.e., that an attacker could use a malicious download to be able to remotely elevate privileges. As I also said in the article, I've reached out to him to clarify that and ask about attack vectors but haven't yet gotten a response. And as for "alarmist" -- I didn't say it was an exploit, nor did I say anywhere in the article that one was circulating in the wild. Vulnerabilities and exploits are not the same thing. I also never said the sky was falling, or that anyone should run home and uninstall Steam. I reported on a previously unknown vulnerability that doesn't have an effective patch (according to the researcher) -- which is our definition of "zero day."
      • Trash journalism on

        How can you think critically and still believe that having a headline "Gamers Beware: Zero-Day in Steam Client Affects All Windows Users" is not alarmist? You're a joke.
        • ITSecAnon on

          Nowhere does the vulnerability state you need physical access. What are you even talking about? You DON'T need physical access to exploit this vulnerability. Since when do you need physical access to a machine to create a symbolic link? Do you even know what a computer is?
  • steam user on

    Great article, sounds like JoeB works for valve.
  • AJ on

    If one is that concerned about this, log back onto your laptop and disable your WiFi, if you're LAN'd then just pull out the Ethernet cable. Uninstall Steam fully... DISCLAIMER: Trawling through and messing around with the registry can cause your machine serious issues, so only do this if you know what you're doing... Run Regedit and delete any keys (or folders) Steam leaves behind or any associates you don't know. Ensure your AV is up to date (and it always should be, if you're lazy then that's your fault) and ensure any deep scan you do looks for rootkits! If it were me that's what I would do first and foremost. With no internet connection, no one can take anything (or take anything more than they already have done...)
  • Tarc on

    I suppose more than 4 people would have to be using one first to know...
  • Rick Huddy on

    The bypass is vaguely interesting, but considering the _actual_ (symlink priv escalation) threat has already been patched, this now needs a fairly convoluted route to make the attack viable (replace two files with older, unpatched versions, which requires you to have access to the target in the first place), and is only realistic if you already have a foothold on the target computer. Frankly, if an attacker has the ability to get filesystem access then you've _way_ bigger problems than them messing with your steam DLL's.
  • Alex remnick on

    Good grief, the trolls are out in force. Tara, you did fine. Never mind the mansplaining troll. No wonder there aren't that many women in tech, geeze.
