
The popular Steam game client for Windows has a zero-day privilege escalation vulnerability that can allow an attacker with limited permissions to run a program as an administrator
Privilege escalation vulnerabilities are bugs that enable a user with limited rights to launch an executable with elevated, or administrative, privileges. With Steam having over 100 million registered users and millions of them playing at a time, this is a serious risk that could be abused by malware to perform a variety of unwanted activities.

The privilege escalation vulnerability
Two researchers publicly disclosed a zero-day vulnerability for the Steam client after Valve determined that the flaw was "Not Applicable." When the vulnerability was submitted to Valve's bug bounty program on HackerOne, the company chose not to award a bug bounty or give an indication that they would fix it, and told the researchers that they were not allowed to disclose it.
In a report published yesterday, security researcher Felix described analyzing a Windows service associated with the Steam client called "Steam Client Service". When started, this service launched its executable with SYSTEM privileges on Windows. The researcher also noticed that the service could be started and stopped by the "Users" group, which is pretty much anyone logged on to the computer.
The registry key for this service, though, was not writable by the "Users" group, so it could not be modified to launch a different executable and elevate its privileges to an administrator.
The researcher did find something strange, though. When the service was started and stopped, it gave the "Users" group full write access to the subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.
"I created a test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and restarted the service (Procmon's log is above) and checked registry key permissions. Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the "Users" group, and these permissions inherit for all subkeys and their subkeys. I assumed that RegSetKeySecurity sets the same rights, and something interesting would happen if there were a symlink. I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service."
The researcher then tried configuring a symlink from one of these subkeys to another key for which he did not have sufficient permissions. After restarting the service, he saw that it was now possible to modify that key as well.
With this knowledge in hand, the researcher realized that any Registry key could be made writable by simply creating a symlink from a subkey under HKLM\Software\Wow6432Node\Valve\Steam\Apps to a protected Registry key and then restarting the service.
This could allow the configuration of a service running with SYSTEM privileges to be modified so that it launches a different program with elevated rights.
Thus a privilege elevation vulnerability was born.
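The two conditions the article describes (a Users-group "Full control" ACE on the Steam key and its subkeys, and a service running as SYSTEM that ordinary users may start and stop) can be audited on a host with the read-only PowerShell script below. It is an added example, not code from the article, Valve or the researchers; it assumes only the key and service names quoted above and modifies nothing.

```powershell
# Added example: read-only audit for the ACL condition described in the article.
# Run from an elevated PowerShell prompt on the host being checked.
$SteamKey = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam'          # key named in the article
$UsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$Full     = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-UsersFullControl {
    # True when an Allow ACE (explicit or inherited) grants BUILTIN\Users FullControl on $Path.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($ace.AccessControlType -eq 'Allow' -and $sid -eq $UsersSid -and
            (($ace.RegistryRights -band $Full) -eq $Full)) {
            return $true
        }
    }
    return $false
}

# 1. Walk the Steam key and every subkey (Apps included) and report any that
#    hand the Users group full control; inherited ACEs count, as the article notes.
if (Test-Path $SteamKey) {
    $keys = @(Get-Item $SteamKey) + @(Get-ChildItem $SteamKey -Recurse)
    foreach ($k in $keys) {
        if (Test-UsersFullControl $k.PSPath) {
            Write-Warning "BUILTIN\Users has FullControl on $($k.Name)"
        }
    }
} else {
    Write-Output "Steam key not present; Steam may not be installed."
}

# 2. Show how the service runs (account and image path) and its security
#    descriptor. A LocalSystem service whose SDDL grants RP/WP (start/stop)
#    to BU (BUILTIN\Users) is the combination the article describes.
$svc = Get-CimInstance Win32_Service -Filter "Name='Steam Client Service'"
if ($svc) {
    Write-Output ("Service account: {0}`nImage path:      {1}" -f $svc.StartName, $svc.PathName)
    sc.exe sdshow 'Steam Client Service'
} else {
    Write-Output "Steam Client Service not registered on this host."
}
```

Because the article reports that the service rewrites these permissions on every restart, a finding here is something to report to the vendor rather than to fix by hand, since a manual ACL change would be undone the next time the service starts.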
PoC disclosed by another researcher
After Felix disclosed the vulnerability in a write up, a second researcher named Matt Nelson, who is well known for discovering privilege escalation vulnerabilities under the enigma0x3 alias, shared a proof-of-concept (PoC) script on GitHub that abuses the flaw.
Nelson's PoC creates a symlink back to the HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service key so that it can change the executable that is launched when the service is restarted.
If the PoC is successful, a Windows command prompt with Administrative privileges will be launched in the background, as shown below.

Nelson says that he too had disclosure issues with Valve.
A source familiar with the matter has stated that HackerOne has reopened the bug report to further investigate it.
BleepingComputer has contacted Valve for more questions on why the vulnerability was not fixed, but had not heard back at the time of this publication.


Comments
cpunoob - 3 years ago
Should I uninstall?
I rarely use it.
GT500 - 3 years ago
A malicious program would have to execute on your computer in order to exploit this. As long as you don't download and run suspicious programs, or only run such programs in a Virtual Machine or sandbox, then the vulnerability is not a serious threat.
That being said, if you don't really use a program, it's always worth considering whether or not you need to keep it installed.
GT500 - 3 years ago
Out of curiosity, why is this considered a vulnerability in Steam? This sounds more like a vulnerability in Windows to me.
EmanuelJacobsson - 3 years ago
Probably because it is only for Steam and does not work for any other program.
the_moss_666 - 3 years ago
Giving "full control" to the "users" group is Steam's fault. The Steam client needs system privileges to run, but giving the access to everyone? And even when they got contacted about it, they got too proud to admit it, too lazy to fix it and too greedy to pay their bug bounty.
Chiragroop - 3 years ago
This is a Steam problem. The thing is, the Steam service when run will give users Full control of a key and its subkeys without verifying anything. So, you can create a symlink to another key that users can't access, and the next time the service runs, it is going to modify permissions of the symlinked key, giving the user full access to a key they did not originally have access to. This has everything to do with Valve/Steam not verifying if the key is a symlink (at a basic level, although a better permission model would be an even better idea).
Lawrence Abrams - 3 years ago
Agreed. It is unknown what that key/subkeys are for, but simply removing that code that gives the key permissions would resolve the issue.
Not sure if that would screw something up, but it's fully on Steam's end to fix.
GT500 - 3 years ago
It doesn't sound like it's Steam that's allowing the key to be symlinked to other keys, or which is allowing you to bypass permissions on the keys you symlink to the Steam key in question. That sounds like a bypass of Windows registry permissions to me. Aside from Steam setting the permissions on that registry key, it sounds like it has nothing to do with the supposed vulnerability.
Lawrence Abrams - 3 years ago
Creating a link to another Registry key is a Microsoft feature, but if proper security was in place that symlink would have the same permissions as the linked-to key.
The problem is that Steam's service changes the permissions of any subkey under a particular key. So by creating a symlink under that key, it too gets its permissions changed, thus making the key writable.
So this definitely falls under Steam's umbrella because they are making those permission changes for some reason.
And as the service runs with System privileges they can change the perms of any key they want.
So ultimately the symlink isn't the issue, it's that the Steam service is changing the perms for some reason.
GT500 - 3 years ago
OK, if Steam is changing the permissions for the symlinked key, then that's certainly a Steam issue.
eLPuSHeR - 3 years ago
Agreed. In my eyes it is Valve's fault. I guess they will patch it the silent way.
M - 3 years ago
Valve determined that the flaw was "Not Applicable..."
When arrogance comes first
TyrantT00 - 3 years ago
Considering how up-in-arms all of these Steam kids are about supposed security vulnerabilities with the Epic Games Store I KNOW they will be really upset about this... right?
xWaLeEdOoOx - 3 years ago
That is not a Steam issue. Any application that allows normal users to self update has this same exploit.
This is a Windows registry exploit known for years and can be done since Windows XP, for example no matter what user you are running CMD from in Windows XP SP1 and before, the CMD will ALWAYS have administrator permissions.
Until Microsoft finds a way to do shit without the registry it will always have those crappy exploits running from all kinds of apps.
Lawrence Abrams - 3 years ago
Many programs that self-update request a UAC prompt. Explain to me how this is necessary.
xWaLeEdOoOx - 3 years ago
Same with drivers, services run as the system user can be used without the need for UAC as long as they are active (started).
That's how Windows works.
Steam runs the steamservice. This service is required to install games and updates without the need for UAC to copy files and replace them (because most people install Steam in the Program Files folder which is write protected).
And so using this Steam loophole on paper sounds insane, but going back to who exactly can use this, you know that Valve allows only Steam software to use it, not even the games; that's why when a game requires extra apps, like GTA V requiring the Rockstar app, it WILL ask for UAC.
Regarding the exploit, editing a registry key to allow misuse of this service is not Steam's fault, because you can do the same exploit on any app that has access to system files and is run by the system user as a service; if so, all anti viruses "especially" will also be guilty.
To misuse this steamservice it requires manual editing of a specific registry key, which requires a human or a virus to do so, and misusing a knife is never the maker's fault.
The key here is still that the USER must never launch any unauthorized unknown app, and that's the job of AV and security software to help ignorant users and prevent such malicious activities (registry tampering).
Lawrence Abrams - 3 years ago
Unfortunately, what you are saying is not accurate.
First, the auto-update procedure could request elevated privileges via a UAC prompt. Valve chose not to do this. So saying self-update requires this is not true.
As for the vulnerability in question, you need to reread the article. This issue is not about editing a registry key. This issue is caused by the steam service giving the "USERS" group "FULL" permissions to all the subkeys under a particular registry key that can be edited by anyone. This is done every time the service was restarted.
Without that ACL change, this exploit could NOT work.
Just because a vulnerability can only be exploited by a local attacker or malware does not mean it's still not a vulnerability. That is what an LPE (local privilege escalation) attack means.
"The key here is still the USER must never launch any unauthorized unknown app and thats the job of AV and security softwares to help ignorant users and prevent such malicious activities (registry tampering)."
Once again not true. It is the software developer's job to create registry keys that contain permissions that do not allow the "USERS" group to perform registry tampering. Windows or AV programs do not control what permissions the software installer uses. That's the developer's job.
Finally, Steam has still not fixed the issue where they give the "USERS" group "FULL" permissions to the Steam install folder. This allows another LPE attack via DLL hijacking.
https://www.bleepingcomputer.com/news/security/steam-security-vulnerability-fixed-researchers-dont-agree/
cpunoob - 3 years ago
I'm gonna uninstall,
something wrong lol
froze on uninstall,
I think it's just huge files 8)
InfoQChina - 3 years ago
I am an editor at http://InfoQ.cn. May I translate your post into Chinese for appropriate credit?
Lawrence Abrams - 3 years ago
Yes, thanks for asking.