Steam Security Vulnerability Fixed, Researchers Don't Agree

Accepted submission by exec at 2019-08-13 12:23:14

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [BleepingComputer]

Time: 2019-08-13 04:23:24 UTC

Original URL: [] using UTF-8 encoding.

Title: Steam Security Vulnerability Fixed, Researchers Don't Agree

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Steam Security Vulnerability Fixed, Researchers Don't Agree

Arthur T Knackerbracket has found the following story []:


Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored.

Security researchers Matt Nelson and Vasily Kravets both recently discovered the same vulnerability in the widely used Steam Client software and were told that Valve would not be fixing it because it was "out of scope" of their vulnerability reporting program.

After the massive outcry generated by this decision, Valve has changed its mind and released a fix. Unfortunately, though, another similarly reported vulnerability still exists.

The recently reported zero-day vulnerability was caused by the "Steam Client Service" Windows service giving the "USERS" group full permissions on any subkey under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key when the service was restarted.

With this knowledge in hand, the researchers figured out that they could create a link under this Registry key pointing to another key that they did not have permission to access. When they restarted the Steam Client Service, the service would give that link full permission and thus also give the researchers permission to any other key in the Registry.

This could then allow them to elevate the privileges of any program they wish on the computer, including malware.

To fix this, in the Steam Client Beta Valve made it so that the Steam service would check the subkeys of the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key using the RegQueryValueExA function as shown below.

If the RegQueryValueExA function returned that the specific subkey was indeed a link, or REG_LINK, it would break out of the function and not give the "USERS" group full permission to the key.

While Valve may have fixed this one particular vulnerability in the "Steam Client Service", researchers still say that there is a big gaping hole that was reported a long time ago and that can still be abused by attackers and malware to elevate their privileges.

Vulnerability researcher and 0Patch co-founder Mitja Kolsek told BleepingComputer that the "Steam Client Service" could still be used to elevate a user's privileges through DLL hijacking.

This vulnerability exists because the "USERS" group is given full permission to the Steam installation folder located at C:\Program Files (x86)\Steam. This means that an attacker can simply replace DLLs residing in that folder with a malicious copy that gives the attacker administrative access to the machine when it is launched by an elevated process or service.

This bug is not new either.

Nelson told BleepingComputer that this issue has been present for a while, but has not been fixed.

"Yeah, C:\Program Files (x86)\Steam being completely open is a terrible issue that has been present for quite some time. They do attempt to do some signature validation on those files, but I doubt it's sufficient."

In fact, this issue was reported in 2015, given the CVE ID CVE-2015-7985, and to this day still has not been fixed.

"A privilege escalation vulnerability has been identified in that the Steam Microsoft Windows client software is installed with weak default permissions. These permissions grant read and write access to the Windows Users group for the install folder. This includes Steam.exe which is launched upon user login."

These permissions are allegedly required so that the Steam client software can update itself and the games it manages.
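As an added audit example (not Valve's code, nor from the article), the following PowerShell script checks a machine for the two conditions described above: registry symbolic links planted under the Apps key, detected the same way the Steam Client Beta fix does (open each subkey itself with REG_OPTION_OPEN_LINK and ask RegQueryValueEx for the type of "SymbolicLinkValue", where REG_LINK means it is a link), plus write access held by low-privilege groups on that key and on the Steam install folder (the CVE-2015-7985 condition). The key and folder paths are the ones named in the article; the advapi32 P/Invoke signatures are the standard Win32 ones, and the script assumes it is run elevated on the machine being checked.

```powershell
# Added audit example (not Valve's or the article's code). Run in an elevated
# PowerShell on the machine being checked. Key and folder paths are from the article.
Add-Type -Namespace RegAudit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, uint options, uint sam, out IntPtr result);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string name, IntPtr reserved, out uint type, IntPtr data, ref uint size);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@
$HKLM = [IntPtr]::new([int]-2147483646)   # HKEY_LOCAL_MACHINE (0x80000002, sign-extended)
$REG_OPTION_OPEN_LINK = 0x8; $KEY_READ = 0x20019; $REG_LINK = 6

# Mirrors the check the Steam Client Beta added: open the subkey itself (not its
# target) and query the type of "SymbolicLinkValue". REG_LINK means the subkey is a
# registry symbolic link and must never be handed a permissive ACL.
function Test-RegistryLink([string]$SubKey) {
    $h = [IntPtr]::Zero
    if ([RegAudit.Native]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, $KEY_READ, [ref]$h) -ne 0) { return $false }
    try {
        $type = [uint32]0; $size = [uint32]0
        $rc = [RegAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, [IntPtr]::Zero, [ref]$size)
        return ($rc -eq 0 -and $type -eq $REG_LINK)
    } finally { $null = [RegAudit.Native]::RegCloseKey($h) }
}

$lowPriv = '\\Users$|Everyone|Authenticated Users'   # groups any local user belongs to
$appsKey = 'SOFTWARE\Wow6432Node\Valve\Steam\Apps'

# 1. Registry symbolic links under the Apps key (the planted-link condition).
Get-ChildItem "HKLM:\$appsKey" -Name -ErrorAction SilentlyContinue |
    Where-Object { Test-RegistryLink "$appsKey\$_" } |
    ForEach-Object { Write-Warning "Registry symbolic link under Apps key: $_" }

# 2. Low-privilege groups holding write rights on the Apps key itself.
(Get-Acl "HKLM:\$appsKey" -ErrorAction SilentlyContinue).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match $lowPriv -and
                   $_.RegistryRights -match 'FullControl|WriteKey|SetValue|CreateLink|ChangePermissions' } |
    ForEach-Object { Write-Warning "Weak registry ACE: $($_.IdentityReference) $($_.RegistryRights)" }

# 3. Low-privilege write access on the install folder (the CVE-2015-7985 condition).
$steamDir = "${env:ProgramFiles(x86)}\Steam"
(Get-Acl $steamDir -ErrorAction SilentlyContinue).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match $lowPriv -and
                   $_.FileSystemRights -match 'FullControl|Modify|Write' } |
    ForEach-Object { Write-Warning "Weak folder ACE on ${steamDir}: $($_.IdentityReference) $($_.FileSystemRights)" }
```

A clean machine prints no warnings; any warning from check 1 after the fix, or from checks 2 and 3 at any time, is a finding worth an ACL repair ticket.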

When BleepingComputer asked Kolsek why Steam would need these permissions rather than just using an update procedure that requested elevated permissions, we were told:

"There is NO valid reason for a privileged service to have executable modules modifiable by normal users."

BleepingComputer has reached out to Valve for comment as to why this vulnerability, and others like it, are not being fixed when reported to them through their bug bounty program.

We have not heard back at the time of this publication.


Copyright @ 2003 - 2019 Bleeping Computer® LLC [] - All Rights Reserved


-- submitted from IRC

Original Submission