A zero-day vulnerability in Steam potentially threatened millions of Steam users. The researcher, after reporting the vulnerability, went for public disclosure to get the community’s attention. Fortunately, Valve has now patched the flaw, initially in the beta version of the Steam client.
Steam Zero-Day Vulnerability Affecting Windows
Security researcher Vasily Kravets (Felix on Twitter) discovered a serious vulnerability in the Steam client for Windows. He reported a local privilege escalation flaw that, by his account, put around 100 million Steam users at risk.
In a blog post detailing the Steam zero-day, he explained that the Steam Client Service on Windows could allow a local, low-privileged attacker to elevate their privileges on the system.
Specifically, Kravets noticed some unusual registry operations when the service started. Any user in the ‘Users’ group could start or stop the service, and the same users also held full write access to the registry key HKLM\Software\Wow6432Node\Valve\Steam\Apps. To confirm this, he created a test subkey under Apps, restarted the service and watched it rewrite the subkey’s permissions; replacing that subkey with a symbolic link then let him gain write access to keys he previously had no permission to modify.
As explained in his blog,
I created test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and restarted the service (Procmon’s log is above) and checked registry key permissions. Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit “Full control” for “Users” group, and these permissions inherit for all subkeys and their subkeys. I assumed that RegSetKeySecurity sets same rights, and something interesting would happen if there were a symlink. I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service.
Steam’s service sets security descriptor for our target-key… it means full (read and write) access to the key for all users… So, now we have a primitive to take control of almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges).
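As a practitioner’s check, here is an added PowerShell script (not Kravets’s code and not Valve’s) that audits the two preconditions the write-up relies on: low-privileged principals holding write rights on the Steam registry key tree, and the same principals being allowed to start or stop the service. The key path and the service name 'Steam Client Service' are assumptions taken from the article; confirm the service name with Get-Service before running it. It does not create registry symbolic links, it only reports whether the conditions that made the link trick work are present.

```powershell
# Added example: audit the two preconditions behind the Steam registry EoP.
# Not code from the original write-up or from Valve. The key path and service
# name are assumptions; adjust $SteamKey / $ServiceName for your install.
$SteamKey    = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam'
$ServiceName = 'Steam Client Service'   # assumed; verify with Get-Service

# Well-known SIDs for low-privilege principals that should never hold write rights here.
$LowPrivSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Registry rights that let a caller write values, create subkeys or change the DACL.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Test-RegistryKeyWritableByUsers {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $findings }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {          # includes inherited rules, which is the point
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (($rule.RegistryRights -band $WriteRights) -ne 0) {
            $findings += [pscustomobject]@{
                Key       = $Path
                Principal = $LowPrivSids[$sid]
                Rights    = $rule.RegistryRights
                Inherits  = $rule.InheritanceFlags   # ContainerInherit: subkeys get it too
            }
        }
    }
    return $findings
}

function Test-ServiceStartStopByUsers {
    param([string]$Name)
    # sc.exe sdshow prints the service DACL as SDDL; parse it rather than string-match it.
    $sddl = ((sc.exe sdshow $Name) -join '').Trim()
    if (-not $sddl.StartsWith('D:')) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $SERVICE_START = 0x10; $SERVICE_STOP = 0x20   # service-specific access bits
    $hits = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        $canStart = ($ace.AccessMask -band $SERVICE_START) -ne 0
        $canStop  = ($ace.AccessMask -band $SERVICE_STOP)  -ne 0
        if ($canStart -or $canStop) {
            $hits += [pscustomobject]@{ Service = $Name; Principal = $LowPrivSids[$sid]; Start = $canStart; Stop = $canStop }
        }
    }
    return $hits
}

# Check the Steam key and every subkey: the write-up's concern is inherited Full Control.
$keyFindings = @(Test-RegistryKeyWritableByUsers -Path $SteamKey)
Get-ChildItem -LiteralPath $SteamKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $keyFindings += Test-RegistryKeyWritableByUsers -Path $_.PSPath
}
$svcFindings = @(Test-ServiceStartStopByUsers -Name $ServiceName)

$keyFindings | Format-Table -AutoSize
$svcFindings | Format-Table -AutoSize
if ($keyFindings.Count -gt 0 -and $svcFindings.Count -gt 0) {
    Write-Warning 'Low-privileged users can both rewrite the Steam key tree and restart the service: the preconditions for the symlink EoP are present.'
}
```

Run it from an ordinary (non-elevated) session, since the point is what a standard user can see and do. Both findings together are what turned a registry ACL mistake into a full privilege escalation; either one alone is still worth fixing. Re-run the check after updating the client, because the article notes that the fix shipped first in the beta client.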
What Led To Public Disclosure?
Upon finding the vulnerability, Felix reported it to Valve via HackerOne. However, his report was marked ‘Not Applicable’. After repeated back-and-forth, Felix at least succeeded in getting the report forwarded to Valve. It was rejected once again, and that second rejection led him to public disclosure.
Notably, Felix wasn’t the only person to notice the flaw. Another researcher, Matt Nelson, found the bug at roughly the same time. He too had trouble reporting it, and after waiting for some time he disclosed the whole matter on Twitter.
The company at fault here is Valve (Steam). Good luck reporting anything that doesn’t fit their crappy bounty scope. https://t.co/vLHmTQ0qmq
— Matt Nelson (@enigma0x3) July 8, 2019
Nelson has since published a PoC for this vulnerability on GitHub.
Here is a 0day in Steam. This bug has been publicly disclosed (https://t.co/yQxqJUi9P3), so I'm opening up my PoC. No blog post since @PsiDragon covered it nicely. https://t.co/it7wAZbnF2
— Matt Nelson (@enigma0x3) August 7, 2019
Steam Released A Fix
After back-to-back public disclosures and a working PoC, Valve finally addressed the vulnerability, in the beta version of the Steam client. As stated in the changelog,
Fixed privilege escalation exploit using symbolic links in Windows registry.
At last, there is a sigh of relief for Steam users, at least for those on the beta client. Until the fix reaches the stable client, anyone on the regular release is still running the vulnerable service, though an attacker needs to run code as a local user on the machine first, since this is a local privilege escalation rather than a remote bug.