
posted by janrinok on Tuesday August 13 2019, @04:35PM
from the fix-one-bug.-create-another dept.

Arthur T Knackerbracket has found the following story:

Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored.

Security researchers Matt Nelson and Vasily Kravets both recently discovered the same vulnerability in the widely used Steam Client software and were told that Valve would not be fixing it because it was "out of scope" of their vulnerability reporting program. After the massive outcry generated by this decision, Valve has changed its mind and released a fix. Unfortunately, though, another similarly reported vulnerability still exists.

The recently reported zero-day vulnerability was caused by the "Steam Client Service" Windows service giving the "USERS" group full permissions on any subkey under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key when the service was restarted.

With this knowledge in hand, the researchers figured out that they could create a registry symbolic link under this key pointing to another key to which they did not have permission. When they restarted the Steam Client Service, the service would grant full permission through that link, and thus also give the researchers permission on any other key in the Registry. This could then allow them to elevate the privileges of any program they wish on the computer, including malware.

To fix this, in the Steam Client Beta Valve made it so that the Steam service would check the subkeys of the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key using the RegQueryValueExA function as shown below.

If the RegQueryValueExA call reported that the subkey was indeed a link (value type REG_LINK), the service would break out of the function and not give the "USERS" group full permission to the key.
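The two conditions the story describes, a registry symbolic link among the subkeys and an ACE granting the USERS group full control, can both be audited from the defender's side. The following PowerShell script is an added example written for this page; it is not Valve's fix and not code from the article. It assumes the registry path named in the story, a 64-bit PowerShell session, and uses the Win32 `RegOpenKeyExW` / `RegQueryValueExW` calls with `REG_OPTION_OPEN_LINK` to inspect the link itself rather than its target, which is the same REG_LINK type check the story says the patched service performs.

```powershell
# Added example (not from the article or from Valve): audit the Steam "Apps"
# registry key for subkeys that are registry symbolic links and for ACEs that
# grant BUILTIN\Users full control. Run from an elevated 64-bit PowerShell.
$linkProbe = @'
using System;
using System.Runtime.InteropServices;
public static class RegLinkProbe {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegOpenKeyExW(IntPtr hKey, string subKey, uint options, int sam, out IntPtr result);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryValueExW(IntPtr hKey, string name, IntPtr reserved, out uint type, byte[] data, ref uint size);
    [DllImport("advapi32.dll")]
    static extern int RegCloseKey(IntPtr hKey);

    // HKEY_LOCAL_MACHINE is 0x80000002, sign-extended to pointer size on 64-bit.
    static readonly IntPtr HKLM = new IntPtr(unchecked((int)0x80000002));
    const uint REG_OPTION_OPEN_LINK = 0x8;   // open the link key itself, not its target
    const int  KEY_QUERY_VALUE      = 0x1;
    const uint REG_LINK             = 6;     // value type of "SymbolicLinkValue" on a link key

    // True when the subkey under HKLM is a registry symbolic link.
    public static bool IsLink(string subKey) {
        IntPtr h;
        if (RegOpenKeyExW(HKLM, subKey, REG_OPTION_OPEN_LINK, KEY_QUERY_VALUE, out h) != 0) return false;
        try {
            uint type; uint size = 0;
            // Null buffer: the call only reports the value's type and size.
            int rc = RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, null, ref size);
            return rc == 0 && type == REG_LINK;   // ordinary keys return ERROR_FILE_NOT_FOUND
        } finally { RegCloseKey(h); }
    }
}
'@
Add-Type -TypeDefinition $linkProbe

function Test-SteamAppsKey {
    # Path taken from the story; adjust if Steam is installed elsewhere.
    param([string]$AppsKey = 'SOFTWARE\Wow6432Node\Valve\Steam\Apps')
    $full = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $root = Get-Item -Path "HKLM:\$AppsKey" -ErrorAction Stop
    foreach ($name in $root.GetSubKeyNames()) {
        $rel = "$AppsKey\$name"
        $acl = Get-Acl -Path "HKLM:\$rel" -ErrorAction SilentlyContinue
        # Any Allow ACE for BUILTIN\Users that covers every FullControl bit.
        $usersFull = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (([int]$_.RegistryRights) -band $full) -eq $full
        }).Count -gt 0
        [pscustomobject]@{
            SubKey        = $rel
            IsLink        = [RegLinkProbe]::IsLink($rel)
            UsersFullCtrl = $usersFull
        }
    }
}

# Report only the subkeys that need attention.
Test-SteamAppsKey | Where-Object { $_.IsLink -or $_.UsersFullCtrl } | Format-Table -AutoSize
```

`Get-Acl` through the `HKLM:` provider follows a link and returns the target's ACL, so a row with `IsLink = True` tells you where the link goes is what was (or would be) re-permissioned; a `UsersFullCtrl = True` row on a non-link subkey is the pre-patch behaviour the story describes and is worth raising with whoever manages the endpoint image.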

While Valve may have fixed this one particular vulnerability in the "Steam Client Service", researchers still say that there is a big gaping hole that was reported a long time ago and that can still be abused by attackers and malware to elevate their privileges.

Vulnerability researcher and 0Patch co-founder Mitja Kolsek told BleepingComputer that the "Steam Client Service" could still be used to elevate a user's privileges through DLL hijacking.

This vulnerability exists because the "USERS" group is given full permission to the Steam installation folder located at C:\Program Files (x86)\Steam. This means that an attacker can simply replace DLLs residing in that folder with a malicious copy that gives the attacker administrative access to the machine when it is launched by an elevated process or service.
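The weak setting here is a directory ACL, so the practical check is to enumerate which principals can write into the install folder or replace the DLLs already in it. The script below is an added example for this page, not code from the article or from 0Patch; it assumes the default path `C:\Program Files (x86)\Steam` quoted in the story and treats the usual low-privilege identities (`BUILTIN\Users`, `Authenticated Users`, `Everyone`, `INTERACTIVE`) as the ones that should never hold write rights under Program Files.

```powershell
# Added example (not from the article): list directories and DLLs under the
# Steam install folder on which a low-privilege principal holds write, delete
# or ownership rights. Any hit means that principal can plant or replace a DLL
# that an elevated service may later load.
function Get-LowPrivWritableSteamFiles {
    param([string]$Root = 'C:\Program Files (x86)\Steam')   # default path from the story

    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow creating, overwriting, deleting or re-permissioning a file.
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::WriteAttributes -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)

    # The root folder itself plus every subdirectory and DLL beneath it.
    $items = @(Get-Item -Path $Root -ErrorAction Stop) +
             @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.PSIsContainer -or $_.Extension -ieq '.dll' })

    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $hits = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        })
        if ($hits.Count -gt 0) {
            $kind = if ($item.PSIsContainer) { 'Directory' } else { 'DLL' }
            [pscustomobject]@{
                Path     = $item.FullName
                Type     = $kind
                Identity = ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', '
                Rights   = ($hits.FileSystemRights | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Get-LowPrivWritableSteamFiles | Format-Table -AutoSize
```

Because the story says the grant sits on the folder and is inherited, expect one hit per file rather than a single one; the remediation is to reset the folder ACL so that only Administrators and SYSTEM can write, and to re-run the check after each Steam update, since an installer that recreates the grant reintroduces the exposure.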

-- submitted from IRC

  • (Score: 0) by Anonymous Coward on Tuesday August 13 2019, @07:16PM (#879799)

    Indeed, on Linux steam works so well it'll delete your whole home directory if you uninstall it.

  • (Score: 2) by Gaaark (41) on Wednesday August 14 2019, @12:24AM (#879903) Journal

    Pics and it NEVER happened.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---