Steam Patches Broken Crypto in Wake of Replay, Padding Oracle Attacks

The digital gaming platform Steam was quick to patch a cryptographic issue in the client recently that could have allowed an attacker to read sensitive information sent over its network, take over an account, or view plain-text passwords.

The digital gaming platform Steam was quick to patch a cryptographic issue in its client recently that could have allowed an attacker to read sensitive information sent over its network, take over an account, or view plain-text passwords.

Valve, the Bellevue, Wash.-based video game developer that oversees the platform, rolled out new code on its servers late last year to address a handful of issues in its crypto brought to light by a researcher. The private disclosure included flaws he used to leverage a man-in-the-middle attack, a replay attack, and a padding oracle attack. The researcher strung together those flaws to determine that with enough tries he could glean user information from the service.

Nathaniel Theis, who goes by the handle XMPPwocky, described on Monday some fallbacks of the platform’s crypto in an in depth post to

Theis was able to sniff data sent through CMsgClientLogon messages, which are messages sent through Steam to help identify users. The messages include information on user accounts, including their account_name, password, login_key, and sha_sentryfile, a field that helps identify a user’s machine to the platform through SteamGuard, Steam’s authentication tool.

It took a few tries but a proof of concept program Theis devised was able to spit out those fields. With his program, he was able to perform a simple packet capture (.PCAP) of a user – in this case just a test account – connecting to Steam and decrypt the session through an eavesdropping replay attack.

In replay attacks, valid data transmissions are fraudulently repeated. By doing this, he could pull a message known as a ChannelEncryptMessage and any subsequent messages it sent along to Steam to decrypt.

A handful of issues exist in the way Steam’s crypto is set up, but one of the ones that led to Theis getting the information he was looking for was that its library, CryptoPP, doesn’t validate all padding. Theis told Threatpost via email on Tuesday that while there isn’t anything inherently insecure about CryptoPP, the way it handles padding is unusual and complicated the attack a bit.

Theis was able to use a padding oracle attack and add blocks to the end of ciphertext and get a response from Steam’s servers.

“Steam would decrypt any ciphertext sent to it. But it wouldn’t send the decryption back,” Theis told Threatpost, “The issue was that its response depended on whether the decryption was correctly padded or not; essentially, if it ended in one of several magic sequences.”

Padding oracle attacks are a known method for obtaining sensitive information from cryptographic hardware or software applications that do cryptographic operations.

“I can write my padding oracle to work entirely by appending blocks to the end of any ciphertext I want that gets a response. Steam uses protocol buffers, which should generally ignore any extra stuff on the end they don’t recognize (for forwards compatibility)” Theis wrote in his disclosure.

The attack built upon a previous technique in which Theis discovered he could carry out a man-in-the-middle attack on an established Steam session. This technique was trickier, Theis claims, because a corrupt message could prompt the service to close a connection, and restart, something that would almost definitely impede the time it’d take to carry out an attack.

“An attacker would need access to a victim’s network connection, the ability to modify (not just read) packets in transit, and a large amount of time – maybe even days! – in which the victim doesn’t notice their Steam connection constantly restarting,” he rationalized.

The crux of the attack depends on capturing a ChannelEncryptResponse message from Steam, along with a victim’s encrypted session key to get Steam to decrypt the session. Steam itself was the padding oracle, Theis told Threatpost and the code he used enabled the padding oracle to decrypt anything he wanted.

“No need for MITM – just the ability to eavesdrop. No issues with time – as long as I see the start of the connection, I’ve got what I need,” he wrote, “and if the connection was closed, I could just restart it. I could even run the attack in parallel, between all Steam servers, massively speeding it up.”

Theis, a 19-year-old college freshman, worked with a fellow hacker that goes by the handle Zemnmez on the proof of concept. The two notified Steam as soon as they discovered the platform was vulnerable to a padding oracle attack and the company was quick to address it. Theis claims they reported the issue at 3:12 a.m. on Dec. 5 last year; Steam had mitigations in place later that day, by 2:45 p.m.

Before the fix, Steam gave Theis an explicit error response when he sent messages with valid padding. The technique, one of the first he attempted, was successful, and decrypted things, but corrupted them. Steam fixed that issue, Theis claims, by making it so the server wouldn’t respond to invalid CMsgClientLogon messages, something the company told him would “mitigate the most obvious and important attacks that could be possible against logon credentials.”

The two have broken plenty of things in the past, but Steam has long been a favorite. Theis estimates that between the two of them they’ve discovered at least 50 different cross-site scripting (XSS) vulnerabilities in Steam websites alone — bugs that could let attackers steal in-game items and generate requests. Zemnmez has been in Steam’s Hall of Fame from 2013 to 2015. The company added Theis to its list following this discovery.

Steam acted speedily when it came to physically rolling out the updated crypto as well – the company pushed the fix to beta on Dec. 9, just four days after they got a mitigation in place. The next day, Dec. 10, it was pushed to release.

Another issue that Steam addressed with the fix was that it failed to authenticate encryption with a Message Authentication Code (MAC), something that would’ve realistically prevented what Theis and Zemnmez were trying to do in the first place.

When Steam rolled out its new crypto, they included a MAC, Theis claims, but he remains somewhat skeptical.

“I feel uncomfortable about the MAC because it’s very nonstandard; the MAC is actually used as part of the IV, and the message still must be decrypted before checking the MAC,” Theis told Threatpost. “They say they are ‘very careful’ to not leak timing information as part of this, and it’s probably good enough in practice, but it’s still concerning,”

Steam claims its rewriting the platform to use TLS – Transport Layer Security – something that would likely be best way to secure the service. But as Theis notes, even if the company did pin its keys correctly, time can often be a nebulous concept in the world of Valve, who did not respond to a request for comment for this story.

For now, assuming users don’t lose their phone, Theis stresses that Steam’s mobile authenticator, a form of two-factor authentication, is probably the best countermeasure to attacks on the service.

“As attack mitigations go, the mobile authenticator is amazing as far as the scope of possible attacks it just shuts down. Only real issue is that the mobile authenticator can confirm its own trades; so if somebody does get into your phone, they can trade all your items away and you’re sort of out of luck.”

Suggested articles