"Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.

The vulnerability lies within Steam Client Service. The service may be started or stopped by unprivileged users. This becomes a problem because, when run, Steam Client Service automatically sets permissions on a range of registry keys. If a mischievous—or outright malicious—user were to symlink one of these keys to that belonging to another service, it becomes possible for arbitrary users to start or stop that service as well. This becomes even more problematic when you realize that it's possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.

The image walkthrough follows a few simple steps:
1) Demonstrate that I cannot write to C:\Windows\System32. System error message is in red.
2) Demonstrate that I cannot arbitrarily monkey around with registry keys under HKLM\CurrentControlSet\Services. System-error message is in red.
3) Delete the NSIS installer key for Steam (to give myself a target for shenanigans), then recreate it as a symlink to msiserver's registry key. Success in green.
4) Demonstrate that Steam's NSIS key now points to Windows' msinstaller key. Success in green.
5) Attempt to modify the msiserver key to run my shenanigans. I haven't started Steam Client Services yet, so this fails. System-error message in red.
6) Start Steam Client Services, then modify the msiserver key once Steam has helpfully opened it up for me. Success in green.
7) Start the newly-modified msiserver service. msiserver runs as LOCALSYSTEM, so it successfully creates a file under C:\Windows\System32. Success in green.
I did this test on a clean Windows VM; aside from Steam itself, the only code I needed to download was regln-x64.exe, a simple utility for the linking of registry keys, which requires no installation. Windows User Account Control was never triggered during this process, and the whole thing only took a few minutes. I did not have any Steam games installed, so I just monkeyed with the Steam installer.

A genuinely malicious user might use this procedure to directly pop a locally or remotely accessible shell with LOCALSYSTEM privileges, after which they can do whatever they like with no further tricks necessary."

Rejected
The second reason for rejection is no more valid than the first: a malicious "game" developer could easily create a free-to-play "game" that reproduces all the steps of this exploit. Such a bad actor could pop a shell with LOCALSYSTEM privileges and own the user's machine.

With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30. He alleges that on August 2, yet another HackerOne employee forbid the disclosure of the vulnerability, despite HackerOne having closed it repeatedly as out-of-scope while Valve itself never weighed in one way or the other.

Ars has reached out to Valve about this story, and we will update with any response.

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

[EDIT] Fix in latest BETA update https://steamcommunity.com/groups/SteamClientBeta#announcements/detail/1602638506845644644

5 years ago*

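For anyone who wants to check their own machine rather than take the write-up on faith, here is an added read-only audit script (not code from the article, from Valve or from the researcher). It looks for the two conditions the quoted text describes: a service object whose DACL lets ordinary users start or stop it, and a service registry key under HKLM\SYSTEM\CurrentControlSet\Services that ordinary users can rewrite (the state the walkthrough reaches on msiserver). It assumes Windows with sc.exe and the Registry provider, and the names 'Steam Client Service' and 'msiserver' are assumed to be the registered service names.

```powershell
# Added audit script (not code from the article, Valve or the researcher): read-only
# checks for the two conditions the quoted write-up describes. Assumes Windows with
# sc.exe and the Registry provider; the service/key names at the bottom are assumed.

# Principals that amount to "any local user": SID form, and the aliases sc.exe sdshow prints
$BroadSids    = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')   # Everyone, Authenticated Users, Users, Interactive
$BroadAliases = @('WD', 'AU', 'BU', 'IU')

function Get-ServiceDaclFindings {
    # Allow ACEs on the service object that let a broad principal start, stop or re-ACL it.
    param([Parameter(Mandatory)][string]$ServiceName)
    $sddl = & sc.exe sdshow $ServiceName 2>$null | Where-Object { $_ -match '^[DS]:' } | Select-Object -First 1
    if (-not $sddl) { return @() }
    $findings = @()
    foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {              # one ACE per (...)
        $f = $m.Groups[1].Value.Split(';')                              # type;flags;rights;objguid;inhguid;sid
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }              # Allow ACEs only
        $sid = $f[5]
        if (($BroadAliases -notcontains $sid) -and ($BroadSids -notcontains $sid)) { continue }
        $rights = $f[2]
        if ($rights -like '0x*') {                                      # numeric access-mask form
            $mask   = [Convert]::ToInt64($rights.Substring(2), 16)
            $tokens = @()
            if ($mask -band 0x10)    { $tokens += 'RP' }                 # SERVICE_START
            if ($mask -band 0x20)    { $tokens += 'WP' }                 # SERVICE_STOP
            if ($mask -band 0x40000) { $tokens += 'WD' }                 # WRITE_DAC
        } else {
            $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }   # two-letter rights codes
        }
        $bad = @($tokens | Where-Object { $_ -in @('RP', 'WP', 'WD', 'WO', 'GA', 'GW') })
        if ($bad.Count -gt 0) {
            $findings += [pscustomobject]@{ Object = "service:$ServiceName"; Principal = $sid; Rights = ($bad -join ' ') }
        }
    }
    return $findings
}

function Get-ServiceKeyAclFindings {
    # Allow ACEs on HKLM\...\Services\<name> keys that let a broad principal rewrite the key,
    # which is the state the write-up reaches on msiserver. With no names, every service key is checked.
    param([string[]]$ServiceName = @())
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    if ($ServiceName.Count -gt 0) { $paths = $ServiceName | ForEach-Object { "$base\$_" } }
    else { $paths = (Get-ChildItem -Path $base -ErrorAction SilentlyContinue).PSPath }
    $R = [System.Security.AccessControl.RegistryRights]
    $writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::ChangePermissions -bor $R::TakeOwnership)
    $findings = @()
    foreach ($p in $paths) {
        try { $acl = Get-Acl -Path $p -ErrorAction Stop } catch { continue }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($BroadSids -notcontains $sid) { continue }
            if ((([int]$rule.RegistryRights) -band $writeMask) -eq 0) { continue }
            $findings += [pscustomobject]@{
                Object = "key:$(Split-Path -Path $p -Leaf)"; Principal = "$($rule.IdentityReference)"; Rights = "$($rule.RegistryRights)"
            }
        }
    }
    return $findings
}

# Names taken from the write-up; both are assumptions about how the services are registered.
$report  = @()
$report += Get-ServiceDaclFindings   -ServiceName 'Steam Client Service'
$report += Get-ServiceKeyAclFindings -ServiceName 'msiserver', 'Steam Client Service'
if ($report.Count -gt 0) { $report | Format-Table -AutoSize }
else { 'No broad start/stop grants or registry write grants found on the checked objects.' }
```

Run Get-ServiceKeyAclFindings with no names to sweep every service key; any hit naming Users, Authenticated Users or Everyone with write rights is worth investigating, and the Steam beta fix noted in the post should make the Steam Client Service findings go away.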

So how do you avoid it?

5 years ago

No idea, at least be very careful with recently added f2p games.

5 years ago

Don't start random software from random sources. BTW, don't do it even if you don't use steam, because escalation of privileges will be the least of your problems otherwise.

5 years ago


Thanks added.

5 years ago

They fixed this issue in the latest Beta Update, apparently. It's just a matter of time for the regular client I guess.

5 years ago

Thanks added.

5 years ago

This is too technical for me. No idea what it means ¯\_(ツ)_/¯

🐒

5 years ago

Just install latest beta update and you should be fine. ;)

5 years ago

Oki... done ✅

Ty ty 😊👍

5 years ago

Or, as a general rule, don't download and run software from sources you don't know and trust, and be more skeptical of downloading and running of free programs in general.

5 years ago

Well, assuming that Steam is the source that you can trust, the advice is not very helpful in this case.

5 years ago

Well, the Steam client by itself isn't going to do anything bad to your PC. Other software that you download and run could take advantage of the exploit in the Steam client, but then you're downloading other software - that's the software you don't want to download.

5 years ago

What about games or applications which are installed through Steam? In this case, Steam is virtually a source of a potentially dangerous software.

5 years ago

Yeah, I mean if you run or install a game from Steam and it pops up a message asking for administrator privileges, you're going to say yes anyway, so this exploit is not that big a deal in that regard I would think. It just allows increased privileges without the pop-up. Unless I am misunderstanding what the issue is.

5 years ago*

Yes, the main issue is in increasing privileges without the user's consent. And you do not expect such things from software on Steam; it's kind of a trusted source.

5 years ago

Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam.

Sorry, what? So the dude's unhappy and therefore decides to punish random people? Too bad doing this isn't illegal.

5 years ago

Except he tried to do it properly through Valve's bug bounty program but they rejected it out of hand, twice. Valve and the company they use to run the bug bounty are the bad guys here, not the security researcher.

It's unfortunate, but if the companies in question refuse to listen then the only real recourse left is either public disclosure, or disclosure to accredited press. The press route would have been the better route probably but I don't know if he also tried that.

5 years ago

Except he tried to do it properly through Valves bug bounty program but they rejected it out of hand, twice.

Then Valve's also at fault.

But are we going to just ignore that what he did was extremely shitty?
"Hey, your window's unlocked!"
"Yeah, I don't care"
"Dude, you should lock it"
"I really don't care"
goes to the thieves guild "Oi, this window's opened"

Dude gets criticized for publicly fucking people over. "What, me??? How's it my fault that I publicized a huge issue in the system by sacrificing dozens of innocents as revenge for losing out on possible monetary profits :O"

Fuck him. The dude's just as much of a scumbag as Valve. Though, obviously Valve isn't innocent here. They have a huge responsibility to keep their program safe.

5 years ago

After they ignored his message two times he made it public because if not, they would not have fixed it and maybe someone else would have found it.
He could have sold this in the last 45 days and I'm sure he could have gotten some nice money...

I would not blame him.

5 years ago

Just because you can do very bad things, doesn't mean that doing just bad things is suddenly better.

He could've done many things and he would be in the legal right to do so as well most likely, but this entire conversation is about morals. Morally, things aren't suddenly good if you do something that's marginally better than some other bad thing.

For example (this still adheres to morals, not legality), it's not fine if a person pushed a senior in front of a train just because he had the option to push a child. Both are morally bad things and an argument can be made that the senior had less years to live and less of a potential for good, but that doesn't mean that this is suddenly fine. Inaction is also an option and sure, the dude waited for 45 days, but that doesn't change what he did. What stopped him from contacting a journalist to inform him of what happened? What stopped him from earning the money from the tip off and in turn also releasing info more carefully, to get attention of Valve's PR and get it solved that way?

Two wrongs don't make a right. Valve fucked up, but so did he.

5 years ago

The article's first paragraph was not written well. The security researcher found and reported the vulnerability, he did not create it. He did not do anything wrong nor did he F-up.

5 years ago

That's what White Hats do, they tell a company about security vulnerabilities, then give them 45 days to fix it. If it isn't fixed in 45 days the vulnerability is made public to force the company to fix it.

It's standard industry practice. Even Google's own Project Zero team operates in the exact same way.

5 years ago

Ah, thanks for being the first person to properly give some information that I wasn't aware of. It was mentioned, but all I saw was him saying "he waited 45 Days".

While I don't agree with the logic behind it, I do understand that obviously the dude did what the standard is and I can't really slate him for that.

In the meanwhile I got 5 more messages in my replies saying how the internet doesn't have bad people in it and how he technically never had another choice.

Thanks for the response! :)

5 years ago

That was not some random window that was unlocked. That was my and your window, in our house that we rent from Valve. And Valve doesn't care (until there's a public outcry). And he went not to the thieves' guild but to the general public. He had no reason not to exploit this vulnerability himself except his honesty.

5 years ago*

And he went not to the thieves' guild but to the general public.

Sorry, what do you think the Internet is exactly? Do you really think that we're in a space without a shitload of hacker groups, malicious black hats and other script kiddies looking to prove themselves or to just wreak havoc?
Alright, maybe saying "thieves guild" was too much since it's easy to interpret it as the Internet being just a band of mercenaries, but what I compared it to needed that, because it needed to balance out the serious threat that was presented. In the physical world, localized threats being vocalized is less impacting since you have actual physical spaces. But right now, with that announcement, he showed the problem to hundreds of malicious actors. All it takes is one malicious actor to cause a lot of problems.

This is whistleblowing at its worst. Where sensitive and potentially harmful information is leaked nonchalantly.

Had he been this good guy who was driven to this act, he'd have raised the issue with the press, who would've been very interested in getting the scoop for, what is a massive flaw in the system, leading Valve's PR attention to him, leading him to his reward and the fix being implemented. Again, Valve's just as much at fault here. They have a duty to assure the safety of their consumers as well.

5 years ago

Your analogy is wrong because the responsible and the victim in it are the same person. In our case the responsible is Valve but the victims are Steam users. An analogy would be:

You: "Hey, the school lockers can easily be opened without a key doing this, we should fix it"
Director: "Nah, it's fine"
You: "But see, it's easy to just open any locker"
Director: "I don't care"
You put a notice in the school informing everyone how the lockers can easily be opened.

If you don't do that, some other people will find out and take advantage. By informing everyone of the problem, people can take some precautions (not having anything of value in the lockers), and probably also put pressure on the school direction to actually fix it (like it happened with Valve).

Security by obscurity is not security. You can never rely on your security being: "well, people don't know about this hole". If this person didn't make this public, someone else would have found this hole (if no one has already) and taken advantage of it, without anybody knowing about it. By making it public, people can take some precautions, like not running Steam on a computer with sensitive information until it's fixed and being cautious about what games they download from Steam.

So yes, it's the standard procedure when it comes to security holes: you inform the company responsible, give them a reasonable time to fix it, and make it public. If you've found a hole, you can be pretty sure someone else with worse intentions has also found it.

5 years ago

Your analogy is wrong because the responsible and the victim in it are the same person.

Okay. "The window to the apartment complex's hallway".

I'm not even saying my analogy was great. It's pretty weak, in fact.

By informing everyone of the problem, people can take some precautions (not having anything of value in the lockers), and probably also put pressure on the school direction to actually fix it (like it happened with Valve).

Yet this isn't a school. It's the Internet. Where you have a load of hacker groups, black hats and kids looking to prove themselves or just cause havoc. All it takes is one person taking it the wrong way. In a school you don't have 50k students and a bunch of amateur lockpickers and lockpicking gangs. It changes the dynamic a lot and right now it changes it in a way that shows how bad the situation can actually get.

Maybe he truly couldn't contact a single journalist. Maybe the email didn't work or something. I guess he just couldn't drive attention to a potential issue without just telling people basically how to do it step-by-step. I mean, what else can he do? Get the story out there and get Valve's attention while still getting paid (maybe also from the publication)? Nah, perhaps it truly wasn't an option. Maybe it's the case. But honestly, I think it's ridiculous to think that isn't the case, considering the same thing was done, just that they literally just taught people how to fuck computers up, because that's nice. Most obnoxious type of whistleblowing. "Lol, I didn't get cash, so let's teach people how to destroy the computers of the unaware people!". Valve screwed up. So did ya boy Vasily.

5 years ago

It's the Internet. Where you have a load of hacker groups, black hats and kids looking to prove themselves or just cause havoc.

Oh, and you think these hackers don't know this already, or wouldn't have come up with it sooner or later? It's not that it's a complex vulnerability, it's a pretty basic one (and a pretty useless one against home users, BTW, since the attacker needs to be at a stage where he already can run arbitrary code on your computer). That's the real issue, and you must always assume the worst: that someone somewhere has found it and may make use of it. It must be disclosed, preferably after a fix has been released, but Valve didn't want to fix it. Really, this is just basic security stuff. Ask any security expert and he'll tell you what I'm telling you, and he'll also explain it much better than me, I'm sure. Why do you think all those CPU vulnerabilities have been made public, with very detailed info about how they work, even though they're not 100% fixed (and if you have a somewhat old CPU you're 100% vulnerable)?

I'm not sure why you think that contacting a journalist is better. You need to give accurate technical info, a journalist is not going to do that. You need to prove that the vulnerability actually exists by giving an example of an attack. You can't go to a journalist and tell him "hey, I just found a vulnerability that allows you to do X but I won't tell anyone how it works/how it's done" because there's no reason anyone should trust you.

5 years ago

That's not what he did, he revealed it publicly to everyone, not privately to the "Thieves Guild".

What else should he have done? Wait until someone discovered it on their own and exploited it?

5 years ago

my bad, perhaps it's finally fixed

5 years ago

Lol, you Vasily or something that you feel the need to say "my bad"? ;D

5 years ago

Nope, I'm not Vasily :)
There was a message I deleted.

5 years ago

I think you may have misunderstood what happened due to the way the article wrote it - and the article seems to purposefully misrepresent what happened in the opening line to draw attention.

Valve created the exploit by accident, it was always present in Steam. Vasily Kravets found it, and tried to report it to Steam. When Steam rejected his reports, he made it public because that's the only way to draw attention to it and get it fixed. He could have remained silent, but then the exploit would still be there, we wouldn't know about it, and it could be exploited by someone malicious and we'd never know.

5 years ago

This is pure sugar:
"Upon first reporting the bug via HackerOne, it was rejected as out-of-scope, with «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem» as the reason given."
"When the researcher argued with HackerOne's staff, a second HackerOne employee eventually reproduced the exploit, confirmed the report, and sent it off to Valve. But a few weeks later, a third HackerOne employee rejected it again. The employee reiterated «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem» and added «Attacks that require physical access to the user’s device» as reasons the vulnerability is supposedly out-of-scope."

If this were Epic, the world would be burning again... But with Valve it's more like "hey they fixed it in the new Beta".
No matter that it's 45 days after they got the first info and after they ignored it two times...

5 years ago

SteamClient→Steam→Setting→Account→Beta Join→Change→SteamBetaUpdate→OK

Thank you info (`・Θ・´)ゞ

5 years ago

Honestly, it's bullshit. Escalation of privileges is the last thing you need to worry about. It does matter on some servers, but never on a desktop.
To exploit this "vulnerability" the attacker first needs to start arbitrary code on your PC. And if the attacker can run arbitrary code on your PC - you're already fucked, escalation or not. The most precious thing on a desktop PC is the user's data, and it's available without escalation of privileges.
So, for those asking how to protect themselves - just don't run random programs from unknown sources on your PC, and you'll be safe. If there is no running malicious code - then nothing can escalate in privileges.

5 years ago

Mostly this. Every time you install anything it's probably going to pop up and ask you for admin privileges -- what are you going to say, no? Of course not, or you wouldn't be installing it. And if that contains some code somewhere designed to own you, you're already done. This just allows things that run without installation to pull shenanigans that make it harder to remove without a full system wipe. It's still a legit vulnerability and it really does need to be fixed, but it's not the main thing you need to worry about as an end user.

5 years ago

if attacker can run arbitrary code on your PC - you're already fucked
Well, that IS bullshit. There's UAC against this which will warn about an elevation, and in the case of this vulnerability nothing will warn you.

5 years ago

Did you even read what I wrote above? Attackers DON'T NEED elevation to get to your data. So, if you run arbitrary code on your PC - you're fucked, because they can steal/encrypt/erase your data.
You can re-install Windows and all programs, and it will take, I dunno, a few hours. But if your data is attacked - you're fucked, loss of some data may be unrecoverable, stealing of some data can lead to serious financial or reputation damage. Your data is what really matters, and, surprise, attackers DON'T NEED elevation to get to your data, because all user data is available with user privileges, and that's exactly what arbitrary code will have by default.

5 years ago

No one needs to steal or damage the data of an average John Doe. It doesn't give any profit (the only exception - script kiddies who want to feel some power). Taking control over a user's PC is a much more valuable goal.
And about "unrecoverable data" - there's such a thing as a backup and those who have not already realised this will suffer anyway. Data loss due to a hardware failure or user's mistake is much more real than due to a hacker's attack.

5 years ago

No one needs? Really? So all that malware out there is probably just by mistake?
You are partially right about backups, but:
1) How many people do you know who actually do this?
2) How will a backup help if sensitive data is stolen? (and no, escalation of privileges is not needed to steal your data)

5 years ago

No one needs, really. All that malware's primary goal is to take control over the user's PC. As I said previously there's no value in the data of an average person. Only targeted attacks on some famous people could have value.
It doesn't matter how many people actually do backups. It's just a matter of time until those who don't will realise that backups are a must. Because they are.
What kind of sensitive data are you expecting on an average PC that could do harm in case it's stolen?

5 years ago

You have a great imagination.

5 years ago

Thanks.

5 years ago

I wonder what the tone would be here if the same news was about the Epic Game Launcher and them refusing to do anything unless a vulnerability goes public.

5 years ago

No doubt there would be more of an outcry since Epic already has a bad rap. In this instance however I'd say the culpability rests on HackerOne for refusing to acknowledge the exploit.

5 years ago

Security vulnerability in malware? That would be funny.

5 years ago

Deleted

5 years ago

"blah blah, what we expect, blah blah"? I don't know why anyone would keep hating on a service they don't use.

5 years ago

I think Steam gets a lot of leeway because it's a very solid, fully functioning platform with tons of features. It gained a lot of goodwill through the years. Epic, on the other hand, is a barebones service stripped of the most basic features and the actions of the company itself are questionable at best, so they don't have the goodwill that Steam has.

5 years ago

I can agree with goodwill gathered, but definitely not with "very solid" or "fully functioning". Heck, we just have a thread around here about the client not installing. Its code is a mess, has always been a mess, and every day it manages to start and upload without causing massive crashes is another small miracle of mankind. Not to mention it used to be like this:

5 years ago

Kravets: "Hey, the house key also unlocks the liquor cabinet."
Valve: "If they already have the house key, it's not our problem."
Kravets: "But what if the children decide to steal the booze!?"
Valve: "Raise your kids better."
Article: "HEY EVERYONE VALVE IS GIVING FREE BOOZE TO 10 YEAR OLDS!"
Valve: "Fine, we'll change the liquor cabinet lock."

If you're already running a virus on your computer, yes, this exploit can be used to make the virus worse. But if that's happening, you have a bigger problem already since there's a virus running on your PC.

5 years ago

Oh, nice analogy! I failed to find one, and yours is pretty close. Thank you!

5 years ago

Privilege escalation is the least of the security problems for normal users: https://xkcd.com/1200/

5 years ago
