More than 100 million Steam clients and users are at risk of serious cybersecurity risk as an unpatched zero-day privilege escalation vulnerability can allow attackers to run a remote program even with limited permission as an administrator.
Privilege escalation vulnerabilities are serious risks as they are bugs that can be exploited by malware to perform a variety of activities as it allows attackers to with limited rights to launch an executable program with elevated, or administrative privileges. The fact the zero-day affects more than 100 million registered of Steam, a popular gaming platform, as millions of them are playing at a time.
The zero-day vulnerability was discovered by two cybersecurity researchers who publicly disclosed the flaw after Valve, the company behind Steam, determined that the vulnerability was “Not Applicable” to their platform. Worse, the company refused to grant the researchers with their well-deserved bounties for discovering the vulnerabilities and showed no indication that the company would fix the problem. And even worse, Valve told the researchers to not publicly disclose their findings, a request that they apparently did not grant.
One of the cybersecurity experts who discovered the vulnerability, Felix, detailed in a report published yesterday that he found out about the flaw as he was analyzing a Windows service associated with the Steam called “Steam Client Service” that launched its executable with SYSTEM privileges on Windows.
He further noticed that the service could be controlled, started, and stopped, by the “User Group,” which is basically everyone that is connected to the network. The only hurdle was that the User Group does not have the ability to write in the service’s registry key, a safety mechanism set up by the software to prevent anyone without administrative control and privileges from modifying anything or launching any executable in the system.
However, Felix said that he found something that boggles his mind as he finds it “strange.” When the service was started and stopped, it gave full write access to the subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.
“I created test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and restarted the service (Procmon’s log is above) and checked registry key permissions. Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit “Full control” for “Users” group, and these permissions inherit for all subkeys and their subkeys. I assumed that RegSetKeySecurity sets the same rights, and something interesting would happen if there were a symlink. I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service,” Felix said in the report.
In order to test his suspicions, the cybersecurity researcher tried to configure a symlink from one of these subkeys to another key for which he did not have sufficient permissions and saw that it was possible to modify that key as well. Because of this discovery, the researcher realized that Registry key could be modified by creating a symlink to it from a subkey under HKLM\Software\Wow6432Node\Valve\Steam\Apps.
According to the researcher, the modification he discovered could allow SYSTEM privileges to be modified in order to launch a new program with a higher level of privileges.
“So, now we have a primitive to take control of almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges). I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service “Windows Installer,” which can be started by any user, same as Steam’s service but the run program as NT AUTHORITY\SYSTEM. After taking control, it is only necessary to change the ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start the “Windows Installer” service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM,” the researcher said.
“Put all things together, and we get to exploit that allows running any program with the highest possible rights on any Windows computer with Steam installed,” he added.
In his effort to get the vulnerability patched, Felix disclosed his findings to Valve in order to protect the users of the software. Unexpectedly, he was met with obstacles as the company said that what he discovered was “not applicable” because “Attacks that require the ability to drop files in arbitrary locations on the user’s filesystem” and “Attacks that require physical access to the user’s device.”
Felix said that it was since 45 days since he told the company about the problem and the flaw is yet to be patched, so he decided to disclose what he discovered publicly.
“45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements,” he wrote.