Steam Zero-Day Vulnerability Affects Over 100 Million Users

ZMsiXone · Aug 8, 2019

https://www.bleepingcomputer.com/ne...vulnerability-affects-over-100-million-users/

The popular Steam game client for Windows has a zero-day privilege escalation vulnerability that can allow an attacker with limited permissions to run a program as an administrator

Privilege escalation vulnerabilities are bugs that enable a user with limited rights to launch an executable with elevated, or administrative privileges. As Steam has over 100 million registered users and millions of them playing at a time, this is a serious risk that could be abused by malware to perform a variety of unwanted activities.
Click to expand...

Minimalist · Aug 9, 2019

Researcher Finds Steam 0Day Exploit, Valve Ignores It, Exploit Becomes Public

A 0day vulnerability was identified in the Steam Windows Client by Vasily Kravets, a security researcher, but was utterly ignored by Valve. The researcher then published all the details about the exploit.
Click to expand...

https://news.softpedia.com/news/res...gnores-it-exploit-becomes-public-527012.shtml

xxJackxx · Aug 9, 2019

This was a lazy mistake and not fixing it is another. They need to fix this sooner than later.

Minimalist · Aug 10, 2019

Valve fixes zero-day exploit for Steam in latest beta

Valve has fixed a zero-day exploit in the latest Steam beta, released earlier today, that could potentially be used to mount an escalation of privilege attack. Interestingly, this was after much public outcry by the security researchers who found the bug about Steam's refusal to acknowledge their work.
Click to expand...

https://www.neowin.net/news/valve-fixes-zero-day-exploit-for-steam-in-latest-beta

Rasheed187 · Aug 10, 2019

Another reason to hate this Steam garbage.

roger_m · Aug 10, 2019

Rasheed187 said: ↑

Another reason to hate this Steam garbage.
Click to expand...

I know you hate Steam and this vulnerability was an issue, but I think Steam is awesome. Once you install the Steam client on a computer, you have access to your entire library of games you have purchased through Steam. You can just click on a game you want to play and then click on Install and it will download and install it for you. It's really handy having access to multiple games from one place and not having to visit websites to download the installers.

guest · Aug 12, 2019

Steam Security Vulnerabilities Fixed, Researchers Don't Agree
August 12, 2019
https://www.bleepingcomputer.com/ne...vulnerabilities-fixed-researchers-dont-agree/

Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored.
Fix is not enough
While Valve may have fixed this one particular vulnerability in the "Steam Client Service", researchers still say that there is a big gaping hole that was reported a long time ago and that can still be abused by attackers and malware to elevate their privileges.
Vulnerability researcher and 0Patch co-founder Mitja Kolsekboth told BleepingComputer that the "Steam Client Service" could still be used to elevate a user's privileges through the DLL hijacking.
Click to expand...

guest · Aug 16, 2019

Steam Security Saga Continues with Vulnerability Fix Bypass
August 16, 2019
https://www.bleepingcomputer.com/ne...saga-continues-with-vulnerability-fix-bypass/

In the current version of the Steam Client, Valve fixed the flaw that allowed users to gain permissions to Registry keys they would not normally have access.
Liu discovered though that he could exploit the vulnerability again by simply replacing the C:\Program Files (x86)\Steam\bin\SteamService.exe and C:\Program Files (x86)\Steam\bin\SteamService.dll files with older vulnerable versions and restarting the "Steam Client Service". Once restarted, it would immediately exit with an error 1051, but the vulnerability would still have been exploited.

You may be wondering how a low level user could replace files located under the C:\Program Files (x86) folder, when those folders normally require elevated privileges? If you remember, we mentioned that for some reason Steam gives the "USERS" group full permission to that folder and thus anyone can replace those files.
This means that an attacker could bundle the old versions of these two files in their malware, and once executed, replace the files to launch the exploit and gain elevated privileges on the Windows machine.

"[...] I don't think they are interested in fixing this one. In my opinion, even allowing all users to have write access to C:\Program Files (x86)\Steam itself is a vulnerability, [...] I reported this to Valve in Feb 2017, and I got no reply except an acknowledgement of receipt.
Click to expand...

Rasheed187 · Aug 17, 2019

roger_m said: ↑

I know you hate Steam and this vulnerability was an issue, but I think Steam is awesome. Once you install the Steam client on a computer, you have access to your entire library of games you have purchased through Steam.
Click to expand...

It also has got advantages of course. But I just don't like it in general, I think it's riduculous that it loads in the background, even if the game is installed from DVD.

Minimalist · Aug 18, 2019

Steam Accounts Being Stolen Through Elaborate Free Game Scam

An elaborate scam is underway that pretends to be a free game giveaway site, but instead hacks a user's Steam account, takes control over it, and then incorporates the new victim into their attack by targeting other players.

The scam works by attackers hacking into Steam accounts and sending messages to the victim's friends that they can get a free Steam game by going to a site and entering a promo code.
Click to expand...

https://www.bleepingcomputer.com/ne...eing-stolen-through-elaborate-free-game-scam/

Be_Ta · Aug 18, 2019

would it help to sandbox some parts of steam? or something similar?

just wondering about it and trying to think of a workaround etc...

cheers

guest · Aug 21, 2019

Researcher publishes second Steam zero day after getting banned on Valve's bug bounty program
Valve gets heavily criticized for mishandling a crucial bug report
August 21, 2019
https://www.zdnet.com/article/resea...-getting-banned-on-valves-bug-bounty-program/

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks.

However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform.
VALVE GETS CRITICIZED
All the negative comments have been aimed at Valve and the HackerOne staff, with both being acused of unprofessional behavior.
SECOND STEAM ZERO-DAY DISCLOSED TODAY
Today, Kravets published details about a second Valve zero-day, which is another EoP/LPE in the Steam client, allowing malicious apps to gain admin rights through Valve's Steam app. Demos of the second Steam zero-day are embedded below, and a technical write-up is available on Kravets' site.
Click to expand...

B-boy/StyLe/ · Aug 22, 2019

Mine just got a beta update:

[-]Steam Client Beta - August 21

The Steam Client Beta has been updated with the following change:

General

Fixes for local-privilege-escalation vulnerabilities.

Minimalist · Aug 22, 2019

Valve (but not HackerOne) makes amends after raising the ire of white hats

In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities.

In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware.
Click to expand...

https://arstechnica.com/information...-reporting-steam-vulnerability-was-a-mistake/

guest · Aug 22, 2019

Steam Patches LPE Vulnerabilities in Beta Version Update
August 22, 2019
https://www.bleepingcomputer.com/ne...s-lpe-vulnerabilities-in-beta-version-update/

Almost 48 hours after security researcher Vasily Kravets (PsiDragon) released his proof of concept (PoC) for a second vulnerability in Steam client for Windows leading to privilege escalation, Valve released a beta update that allegedly fixes the bugs.
What's next?
It remains to be seen how effective this new patch will be against the vulnerabilities, as Kravets tweeted that he would be waiting until the patch was released to the main client before testing.
In response to our previous inquiries, Valve's director of marketing Doug Lombardi sent BleepingComputer the following official statement:

"[...] We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.

Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam. [...]"
It remains to be seen if Kravets will be unbanned from Valve's HackerOne program and compensated for his discoveries.
Click to expand...

B-boy/StyLe/ · Aug 22, 2019

I noticed the following in the EventViewer after restart:

Warning: SteamService: Revalidate: C:\Program Files (x86)\Common Files\Steam\SteamService.dll.new

Maybe they added some kind of internal check on every reboot?

B-boy/StyLe/ · Aug 29, 2019

A new update:

Steam Client Beta - August 28
The Steam Client Beta has been updated with the following changes:

General
Fix Steam service vulnerability that allowed appending data to system-owned files
Remove Steam service log message being written to Windows event log on service startup

It seems the second change is the one I reported in my previous post.

B-boy/StyLe/ · Sep 4, 2019

A new beta update:

Steam Client Beta - September 3

The Steam Client Beta has been updated with the following changes

General

Enable search for localized game names in the Steam library

The text entry area in the chat window now expands if you are typing long messages

Windows

Fix privilege escalation vulnerability in Steam client service

Log in or Sign up

Steam Zero-Day Vulnerability Affects Over 100 Million Users

ZMsiXone Registered Member

Minimalist Registered Member

xxJackxx Registered Member

Minimalist Registered Member

Rasheed187 Registered Member

roger_m Registered Member

guest Guest

guest Guest

Rasheed187 Registered Member

Minimalist Registered Member

Be_Ta Registered Member

guest Guest

B-boy/StyLe/ Registered Member

Minimalist Registered Member

guest Guest

B-boy/StyLe/ Registered Member

B-boy/StyLe/ Registered Member

B-boy/StyLe/ Registered Member

Log in or Sign up

Steam Zero-Day Vulnerability Affects Over 100 Million Users

ZMsiXone Registered Member

Minimalist Registered Member

xxJackxx Registered Member

Minimalist Registered Member

Rasheed187 Registered Member

roger_m Registered Member

guest Guest

guest Guest

Rasheed187 Registered Member

Minimalist Registered Member

Be_Ta Registered Member

guest Guest

B-boy/StyLe/ Registered Member

Minimalist Registered Member

guest Guest

B-boy/StyLe/ Registered Member

B-boy/StyLe/ Registered Member

B-boy/StyLe/ Registered Member

Useful Searches