Researcher Discloses Second Steam Zero-Day After Valve Bug Bounty Ban

After Valve banned him from its bug bounty program, a researcher has found a second zero-day vulnerability affecting the Steam gaming client.

A researcher has disclosed a zero-day privilege-escalation vulnerability for the Steam gaming client after he said he was barred from the bug bounty program of Steam’s owner, Valve.

The vulnerability is the second zero-day privilege-escalation vulnerability that has been released by independent researcher Vasily Kravets in two weeks for the Steam gaming client, which is a video game digital distribution platform developed by Valve Corporation.

Despite being banned from Valve’s bug bounty program on the HackerOne platform, Kravets on Tuesday disclosed a new flaw in the Steam client that he said would be simple for any OS user to exploit. “Not long ago I published an article about Steam vulnerability,” said Kravets in a Tuesday evening post. “I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though).”

Kravets disclosed his first zero-day vulnerability affecting Steam earlier in August. The flaw, disclosed Aug. 7, is a privilege-escalation vulnerability that can allow an attacker to level up and run any program with the highest possible rights on any Windows computer with Steam installed. It was released after Valve said it wouldn’t fix it (Valve then published a patch that the same researcher said can be bypassed).

Like last week’s vulnerability, the newest flaw found by Kravets also enables local privilege escalation. Kravets told Threatpost he is not aware of a patch for the vulnerability.

This most recent vulnerability stems from a combination of insecure permissions in Steam’s folders, insecure permissions in Steam’s branch of the registry and insufficient checks during Steam’s self-update process, Kravets told Threatpost.

No specific privileges or requirements are needed for an attacker to take control of the game client. While the privilege escalation attack is local, someone wouldn’t need physical access: “Any user on a PC could do all actions from exploit’s description (even ‘Guest’ I think, but I didn’t check this). So [the] only requirement is Steam,” Kravets told Threatpost.

To prepare the exploitation environment, Kravets said he first obtained the CreateMountPoint.exe and SetOpLock.exe files. Then, he made small changes to the Steam file structure: “Our goal is to have folder with Steam.exe and steamclient.dll, and without ‘bin’ folder,” he said.

This can be done in two ways: renaming or removing big folders from the Steam root folder, or changing the InstallPath value in the HKLM\SOFTWARE\Wow6432Node\Valve\steam registry key to the path of any folder.

After these changes have been made, Kravets said, the insufficient checks in the self-update process make it possible to execute a dynamic link library (DLL) within the Steam Client Service, enabling “maximum privileges” for the user.
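
The root causes Kravets names begin with who is allowed to write to Steam’s folders and registry branch. As an added example (not from the article, Kravets or Valve), this read-only PowerShell audit lists access-control entries that give ordinary local users write access to the registry key named above, the folder its InstallPath value points at, and that folder’s bin subfolder. The list of low-privileged SIDs, the rights masks and the function name Get-WeakAce are assumptions of this example.

```powershell
# Read-only audit: lists ACEs that let low-privileged principals modify the
# Steam registry key or install folder. It changes nothing on the system.
$SteamKey = 'HKLM:\SOFTWARE\Wow6432Node\Valve\steam'   # key named in the article

# Assumption: well-known SIDs treated as "any local user" for this audit.
$LowPriv = @(
    'S-1-1-0'        # Everyone
    'S-1-5-4'        # INTERACTIVE
    'S-1-5-11'       # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
    'S-1-5-32-546'   # BUILTIN\Guests
)

# Rights that allow changing content or permissions. The generic bits cover
# inherit-only ACEs, which store GENERIC_ALL / GENERIC_WRITE unmapped.
$Generic  = 0x10000000 -bor 0x40000000
$FileMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership' -bor $Generic
$RegMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership' -bor $Generic

function Get-WeakAce {   # hypothetical helper name
    param([string]$Path, [string]$RightsProperty, [int]$Mask)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # account name that cannot be resolved to a SID
        $granted = [int]$ace.$RightsProperty -band $Mask
        if ($sid -in $LowPriv -and $granted -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference
                               Rights = $ace.$RightsProperty; Inherited = $ace.IsInherited }
        }
    }
}

$findings = @(
    if (Test-Path -LiteralPath $SteamKey) {
        Get-WeakAce $SteamKey 'RegistryRights' $RegMask
        $root = (Get-ItemProperty -LiteralPath $SteamKey).InstallPath
        if ($root) {
            foreach ($dir in @($root, (Join-Path $root 'bin'))) {
                if (Test-Path -LiteralPath $dir) { Get-WeakAce $dir 'FileSystemRights' $FileMask }
            }
        }
    }
)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No low-privileged write access found on the Steam key or install folder.' }
```

Any row in the output means a standard user can alter what the elevated Steam Client Service later reads, which is the precondition the article describes.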

With Steam saying that it has more than a billion registered users worldwide (and 90 million active users, who sign up to play games like Assassin’s Creed, Grand Theft Auto V and Warhammer), the implications of such privilege escalation attacks are potentially massive.

“Despite any application itself could be harmful, achieving maximum privileges can lead to much more disastrous consequences,” said Kravets. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done.”

After finding the first vulnerability, the one disclosed earlier in August, Kravets submitted a bug report on June 15, which was rejected on June 16 because the bug enables “attacks that require the ability to drop files in arbitrary locations on the user’s filesystem.” After Kravets disputed this, the report was reopened, and then closed again on July 20 for the same reason, along with a note that “attacks…require physical access to the user’s device.”

[Image: HackerOne message provided by Kravets]

Though HackerOne told Kravets that he was not allowed to publicly release the bug details, he did so anyway, 45 days after the initial disclosure. Since then, the HackerOne report was reopened, and Steam has updated the client to address a “privilege escalation exploit using symbolic links in Windows registry.” However, Kravets said that another researcher showed the fix could be bypassed.

From there, Kravets said “eventually things escalated with Valve” and he ultimately received a message from HackerOne saying “Team Valve has elected to no longer receive reports from you.”

“In short, Valve and H1 decide to remove me from program due to my public disclosure,” Kravets told Threatpost. “I fully understand this and have no objections. But I still think that the first disclosure [was the] right move. Before my post Valve had no intentions to patch the vulnerability. A vulnerability is a vulnerability even if it [does] not fit into the security model.”

Other researchers that have participated in Valve’s bug bounty program have criticized the company for its program and how it treats vulnerabilities such as local privilege escalation.

At this point, after being banned from Valve’s bug bounty program, Kravets told Threatpost he has not yet heard from Valve as of Wednesday regarding the most recent vulnerability.

“It’s sad and simple — Valve keeps failing,” Kravets said. “Last patch, that should have solved the problem, can be easily bypassed (https://twitter.com/general_nfs/status/1162067274443833344) so the vulnerability still exists. Yes, I’ve checked, it works like a charm.”

Valve did not respond to a request for comment about the vulnerability, bug bounty incident and whether a patch is available. HackerOne did not have a comment.
