0-day vulnerability affects more than 100 million users

The Windows client for Steam, a popular platform for digital distribution of video games, contains a zero-day vulnerability that could lead to privilege escalation on the system.

As a result, an attacker can run programs as administrator.

Given that the number of registered Steam users exceeds 100 million, of which several million are currently playing, this vulnerability poses a serious danger.

Matt Nelson

Two researchers, Felix and Matt Nelson, revealed information about the security problem after they were told by Valve (the owner of Steam) that the vulnerability was “inappropriate.”

In other words, the corporation refused to pay experts for detecting a dangerous vulnerability in the Windows client of their platform. At the same time, Valve representatives told experts that they are not entitled to disclose information about a security hole.

It all started when Felix analyzed the Steam client's Windows service, the Steam Client Service, which launches its executable file with SYSTEM privileges on the OS. The researcher noted that the service can be stopped and started by anyone who has “User” rights in the system, that is, anyone who logs on to Windows.

The registry key associated with this service, however, could not be modified by users in the User group.

Nevertheless, the expert discovered something strange. When the service started and stopped, it provided full access to the registry subkeys HKLM\Software\Wow6432Node\Valve\Steam\Apps.

“I created a test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and checked the rights to it. Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has full control over the User group, and all subsections and subsections of the subsections inherit these rights. Then I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service,” writes the specialist.

In the end, Felix found a way to modify a service running with SYSTEM privileges so that it runs another program. This is how an attacker can elevate the privileges of malware on the system.

In turn, Matt Nelson published the PoC code for exploiting the vulnerability on GitHub.
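For defenders, the condition described above (a registry tree under HKLM that low-privileged users can write to) can be checked on a host with a short audit. The following PowerShell is an added example, not code from the researchers or from Valve; the function name Find-WeakRegistryAcl and the choice of principals and rights to flag are assumptions made for illustration.

```powershell
# Added example (not from the article): list registry keys whose ACL lets
# low-privileged principals modify them. Default path is the key named above.
function Find-WeakRegistryAcl {
    param([string]$Path = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam')

    # Well-known SIDs that every interactively logged-on user carries
    $lowPrivSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Rights that allow changing the key, its ACL, or creating a registry link
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found; nothing to audit."
        return
    }

    # Audit the root key and every subkey, since the rights are inherited
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        try   { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of $($key.Name): $_"; continue }

        # Ask for rules keyed by SID so localized group names do not matter
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow')                 { continue }
            if (-not $lowPrivSids.ContainsKey($sid))                 { continue }
            if (([int]$rule.RegistryRights -band $writeMask) -eq 0)  { continue }

            [pscustomobject]@{
                Key       = $key.Name
                Principal = $lowPrivSids[$sid]
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Find-WeakRegistryAcl | Format-Table -AutoSize -Wrap
```

Any row in the output is a key that a standard user can modify; the -Path parameter lets the same check be pointed at other service-related keys under HKLM.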

About the author

Sophia Zimmerman