More than 50 million users of the Steam gaming and media distribution platform are at risk for remote compromise because of weaknesses in the platform’s URL protocol handler, a pair of researchers at ReVuln wrote in a paper released this week.
Luigi Auriemma and Donato Ferrante discovered a number of memory corruption issues, including buffer and heap overflows, that would allow an attacker to abuse the way the Steam client handles browser requests. Steam runs on Windows, Linux and Mac OS X.
The steam:// URL protocol is used to connect to game servers, load and uninstall games, back up files, run games and interact with news, profiles and download pages offered by Valve, the company that operates the platform. Attackers, Auriemma and Ferrante said, can abuse specific Steam commands via steam:// URLs to inject attacks and run other malicious code on victim machines.
“We proved that the current implementation of the Steam Browser Protocol handling mechanism is an excellent attack vector, which enables attackers to exploit local issues in a remote fashion,” Auriemma and Ferrante wrote. “Because of the big audience, the support for several different platforms and the amount of effort required to exploit bugs via the Steam Browser Protocol commands, Steam can be considered a high-impact attack vector.”
A large part of the problem rests in the fact that most browsers don’t ask for user permission before interacting with the Steam client, and those that do don’t explain that there could be a security issue. As a result, users could be tricked into clicking a malicious steam:// URL, or their browsers could be redirected via JavaScript to a malicious site, the paper said.
The paper details five new remotely exploitable vulnerabilities, not only in Steam but also in the Source and Unreal game engines. Games running on the affected platforms include Half-Life 2, Counter-Strike, Team Fortress 2, Left 4 Dead, Nuclear Dawn, Smashball and many others.
One of the more dangerous vulnerabilities discovered involves the retailinstall command, which allows Steam to install or restore backups from a local directory. An attacker can abuse the directory path to point to a remote network folder and then attack the function that processes a .tga splash image, which is vulnerable to an integer overflow. The result is a heap-based overflow through which an attacker could remotely execute code.
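The following is an added example, not code from ReVuln's paper or from the Steam client, showing the class of check a .tga loader needs before trusting the header. A TGA header carries 16-bit width and height fields; when a loader multiplies them by the bytes per pixel in a 32-bit size, the product can wrap to a small value, so a small heap buffer is allocated and the real pixel data overflows it, which is the failure mode described above. The loader here only handles uncompressed truecolor and grayscale images (TGA types 2 and 3); `MAX_PIXELS` and the constructed sample images are assumptions for the example.

```python
"""Size checks a .tga loader needs before allocating a pixel buffer.

Added example, not code from ReVuln's paper or the Steam client. It models
the bug class described in the article: the header's 16-bit width and height
are multiplied by bytes-per-pixel, the product wraps in a 32-bit size, a tiny
heap buffer is allocated, and the pixel data overflows it. Only uncompressed
TGA types 2 and 3 are handled; MAX_PIXELS is a made-up sanity limit.
"""
import struct

TGA_HEADER = struct.Struct("<BBBHHBHHHHBB")  # 18-byte TGA header, little-endian
MAX_PIXELS = 8192 * 8192                     # hypothetical limit for a splash image
MASK32 = 0xFFFFFFFF


class BadImage(ValueError):
    """Raised when a header is rejected instead of trusted."""


def naive_32bit_size(width, height, depth):
    """What a C loader gets when width*height*bpp is kept in a 32-bit size."""
    return (width * height * (depth // 8)) & MASK32


def checked_pixel_bytes(data):
    """Return the pixel-buffer size DATA really needs, or raise BadImage."""
    if len(data) < TGA_HEADER.size:
        raise BadImage("truncated header")
    (id_len, cmap_type, img_type, _cmap_first, cmap_len, cmap_depth,
     _x0, _y0, width, height, depth, _desc) = TGA_HEADER.unpack_from(data)
    if img_type not in (2, 3):
        raise BadImage("only uncompressed image types are handled here")
    if depth not in (8, 16, 24, 32):
        raise BadImage("unsupported pixel depth %d" % depth)
    pixel_bytes = width * height * (depth // 8)      # Python ints never wrap
    if pixel_bytes != naive_32bit_size(width, height, depth):
        raise BadImage("declared size would wrap a 32-bit length")
    if width == 0 or height == 0 or width * height > MAX_PIXELS:
        raise BadImage("implausible dimensions %dx%d" % (width, height))
    # Pixel data starts after the header, the image id and any color map.
    offset = TGA_HEADER.size + id_len
    if cmap_type:
        offset += cmap_len * ((cmap_depth + 7) // 8)
    if offset + pixel_bytes > len(data):
        raise BadImage("header declares more pixel data than the file holds")
    return pixel_bytes


def is_rejected(data):
    """True if the loader refuses DATA rather than allocating for it."""
    try:
        checked_pixel_bytes(data)
    except BadImage:
        return True
    return False


def make_tga(width, height, depth, pixels=b""):
    """Build a constructed (not real-world) uncompressed truecolor TGA blob."""
    header = TGA_HEADER.pack(0, 0, 2, 0, 0, 0, 0, 0, width, height, depth, 0)
    return header + pixels


# Constructed samples: a valid 2x2 24-bit image, the same header with its
# pixel data cut off, and a header whose declared size wraps to exactly 0 in
# 32-bit arithmetic (32768 * 32768 * 4 == 2**32).
SAMPLE_OK = make_tga(2, 2, 24, b"\x00" * 12)
SAMPLE_TRUNCATED = make_tga(2, 2, 24, b"")
SAMPLE_WRAP = make_tga(32768, 32768, 32, b"\x00" * 64)

if __name__ == "__main__":
    print("valid image needs", checked_pixel_bytes(SAMPLE_OK), "bytes")
    print("naive 32-bit size of the wrapping header:",
          naive_32bit_size(32768, 32768, 32))
    print("wrapping header rejected:", is_rejected(SAMPLE_WRAP))
```

The point of `naive_32bit_size` is to make the wrap visible: the 32768x32768x32-bit header asks for 4 GiB of pixels but a 32-bit multiply yields 0, which is exactly the allocation a vulnerable loader would make before copying the declared pixel data into it. The checked loader computes the true size, refuses anything that would wrap, and additionally refuses any image that declares more data than the file contains.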
To exploit the Source game engine, Auriemma and Ferrante used a malicious .bat file placed in the startup folder of the user’s account that executes upon the gamer’s next login.
The pair also found several integer overflow flaws in the Unreal game engine by taking advantage of the fact that Unreal supports loading content from remote machines via Windows WebDAV or an SMB share. Malicious content could be remotely injected in this way.
Auto-update function vulnerabilities in a pair of games, All Points Bulletin and MicroVolts, were also discovered and exploited. The researchers were able to exploit a directory traversal to overwrite or create any malicious file.
Users can reduce the impact of these issues by disabling the steam:// URL handler or by using a browser that doesn’t allow direct execution of the Steam Browser Protocol. Steam could also deny the passing of command-line arguments to remote software.
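As an added illustration of the handler-side mitigation (not ReVuln's code and not the Steam client's), the following model of a steam:// URL dispatcher applies the checks a protocol handler would need before acting on a browser-supplied URL: only allowlisted commands are dispatched, `retailinstall` accepts nothing but a local drive-letter path (so UNC shares, WebDAV URLs and `..` traversal are refused), and `run` accepts only a numeric app id, so no command-line switches can be smuggled through the argument. The URL layout `steam://<command>/<argument>`, the two-command allowlist and the Windows-style path rule are assumptions made for the example, not the Steam client's real parsing rules.

```python
"""Defensive model of a steam:// URL dispatcher.

Added example, not ReVuln's code and not the Steam client's. Assumed URL
layout: steam://<command>/<argument>. The command allowlist and the
drive-letter path rule are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit, unquote

LOCAL_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\(?!\\)")  # C:\... but not C:\\server
APP_ID = re.compile(r"^[0-9]+$")                       # digits only, no switches


class RejectedURL(ValueError):
    """Raised instead of dispatching a URL the handler does not trust."""


def parse_steam_url(url):
    """Split steam://<command>/<argument> into (command, decoded argument)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "steam":
        raise RejectedURL("not a steam:// URL")
    if parts.query or parts.fragment:
        raise RejectedURL("query strings and fragments are not accepted")
    command = parts.netloc.lower()
    # Strip exactly one leading '/', then decode. A '//host/share' argument
    # keeps its second slash, so it cannot masquerade as a local path.
    raw = parts.path[1:] if parts.path.startswith("/") else parts.path
    return command, unquote(raw)


def validate(url):
    """Return (command, argument) if URL is safe to dispatch, else raise."""
    command, argument = parse_steam_url(url)
    if command == "run":
        # An app id is the only argument allowed; "440 -console" is refused.
        if not APP_ID.match(argument):
            raise RejectedURL("run: app id must be numeric, got %r" % argument)
    elif command == "retailinstall":
        # Allowlist a local drive path; anything else (UNC \\host\share,
        # http://host/dav, forward-slash forms, '..' segments) is refused.
        if (not LOCAL_DRIVE_PATH.match(argument)
                or "/" in argument
                or ".." in argument.split("\\")):
            raise RejectedURL("retailinstall: only a local drive path is "
                              "allowed, got %r" % argument)
    else:
        raise RejectedURL("command not in allowlist: %r" % command)
    return command, argument


def is_dispatchable(url):
    """Boolean wrapper around validate() for quick checks and tests."""
    try:
        validate(url)
    except RejectedURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs, benign and hostile-looking, for a quick run.
    for sample in ("steam://run/440",
                   "steam://run/440%20-console",
                   "steam://retailinstall/C:%5CGames%5Cbackup",
                   "steam://retailinstall/%5C%5Cevil%5Cshare",
                   "steam://retailinstall/http://evil/dav",
                   "steam://retailinstall/C:%5CGames%5C..%5C..%5CWindows"):
        print("%-60s %s" % (sample, "dispatch" if is_dispatchable(sample) else "reject"))
```

The design choice worth noting is that both argument rules are allowlists rather than denylists: instead of trying to enumerate every remote-path syntax or switch prefix an attacker could encode, the handler states the one shape it is willing to accept per command and rejects everything else. Forward slashes in local paths are rejected as well, which is stricter than Windows requires but removes a whole family of ambiguous spellings. A real client that wanted to keep the browser-side protections the article mentions would still want the browser prompt, since this check only limits what a URL can make the handler do once it is invoked.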