The Windows client for Steam, a popular platform for digital distribution of video games, contains a zero-day vulnerability that can lead to elevated privileges on the system. As a result, an attacker can run programs as administrator.
Given that the number of registered Steam users exceeds 100 million, of which several million are currently playing, this vulnerability poses a serious danger.
In other words, the corporation refused to pay the researchers for finding a dangerous vulnerability in the Windows client of its platform. At the same time, Valve representatives told the researchers that they were not permitted to disclose information about the security hole.
It all started when Felix analyzed how the Steam client service for Windows, the Steam Client Service, operates. The service launches its executable with SYSTEM privileges on the OS. The researcher noted that the service can be stopped and started by anyone who has "User" rights on the system, that is, by anyone who can log on to Windows.
The registry key associated with this service, however, could not be modified by users in the User group.
Nevertheless, the expert discovered something odd: when the service started and stopped, it granted full access to the registry subkeys of HKLM\Software\Wow6432Node\Valve\Steam\Apps.
In the end, Felix found a way to make a service running with SYSTEM privileges launch another program. This is how an attacker can elevate the privileges of malware on the system.
"I created a test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and checked the rights on it. Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam grants full control to the User group, and all subkeys, and the subkeys of those subkeys, inherit these rights. Then I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service," writes the specialist.
In turn, Matt Nelson published PoC code for exploiting the vulnerability on GitHub.
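The root cause described above is a registry key whose ACL grants the Users group full control and whose subkeys inherit that ACE. An administrator can check for exactly that condition with the following PowerShell audit script. It is an added example for this article, not code from the researcher, from Valve, or from the published PoC; it only reads ACLs and reports, it changes nothing. The key path is the one named in the article; the set of "low-privileged" principals it looks for (BUILTIN\Users, Authenticated Users, Everyone) is an assumption chosen to cover common misconfigurations.

```powershell
# Added example (not from the article): audit the Steam registry key and its
# subkeys for write-capable rights granted to low-privileged principals, and
# report whether each such ACE is inherited from a parent key.

# Path from the article (32-bit Steam client on 64-bit Windows).
$SteamKeyPath = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam'

# Assumption: these principals are what "any logged-on user" maps to on a
# typical workstation. Extend the list for your environment.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Any of these rights lets a low-privileged user change keys or values.
# FullControl (the case in the article) contains all of them.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::CreateLink -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WeakRegistryAce {
    param([string]$Path = $SteamKeyPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key $Path not present; nothing to audit."
        return @()
    }

    $findings = @()
    # Audit the key itself plus every subkey beneath it.
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        foreach ($ace in $acl.Access) {
            $isLowPriv = $LowPrivPrincipals -contains $ace.IdentityReference.Value
            $canWrite  = ($ace.RegistryRights -band $WriteRights) -ne 0
            if ($isLowPriv -and $ace.AccessControlType -eq 'Allow' -and $canWrite) {
                $findings += [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited   # $true means the ACE came from a parent key
                }
            }
        }
    }
    return $findings
}

# Usage: list every offending ACE; an empty result means no low-privileged
# principal has write access anywhere under the Steam key.
Get-WeakRegistryAce | Format-Table -AutoSize
```

Because the article notes that the service re-grants access when it starts and stops, the audit is only meaningful if it is run after a restart of the Steam Client Service, and it should be repeated after any permission change to confirm that inherited ACEs on the subkeys were actually replaced rather than just the parent's.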