Information security researcher Vasily Kravets has published a new 0-day vulnerability in the Steam gaming client for Windows. Like the bugs discovered earlier, this one allows attackers to elevate privileges on the user's computer and take complete control of the machine. This time Kravets did not notify Valve of his finding and immediately published the details openly: the company had blocked the researcher from its bug bounty program on the HackerOne platform.
Previously, the developers had repeatedly stated that they did not consider privilege escalation vulnerabilities in Steam to be a problem, since an attacker would need access to the user's computer to exploit them.
The new exploit turned out to be more complicated than the previous one and requires a combination of several techniques to work:
- Symbolic links (symlinks) allow one folder to redirect requests to another.
- Opportunistic locks (oplocks) allow a program to temporarily block access to a file.
- The BaitAndSwitch technique combines the oplock and the symlink so that the first request for the file locks it against other programs, and the second request is sent to another object.
To use the exploit, one needs to create a directory containing two files, Steam.exe and steamclient.dll, and delete or rename the bin folder in the main Steam directory. As Kravets explained, this is necessary in order to take control of the client's requests for its working library and, at the right moment, offer it a compromised file.
The researcher noticed that on startup Steam accesses steamclient.dll six times in a row. He created symlinks to redirect these requests to other folders and, by triggering errors, split the calls into two parallel flows. This allowed him to direct each operation to the directory he needed.
In the proposed scenario, the first five requests lead the client to the legitimate library. On the last one, the program is offered a file with a payload, as a result of which it loads third-party code that grants administrator privileges to the attacker.
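As an added defender-side example (not code from the original report or from Kravets), the following Python check looks for the preconditions the technique above relies on: a required sub-folder such as bin missing from the install directory, and the client library path redirected through a symlink or junction to a location outside that directory. The directory layouts, file names and the `run_demo` helper are constructed for this example only.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_reparse_point(p: Path) -> bool:
    """True for symlinks on any platform; on Windows also for junctions and other reparse points."""
    if p.is_symlink():
        return True
    if not p.exists():
        return False
    attrs = getattr(p.lstat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def audit_library_path(install_dir, library_relpath, required_dirs=("bin",)):
    """Report conditions the redirect relies on: a required folder missing,
    a redirected path component, or the library resolving outside the install dir."""
    install = Path(install_dir)
    findings = {"missing_dirs": [], "redirected_components": [],
                "resolves_outside": False, "resolved_path": None}
    for d in required_dirs:
        if not (install / d).is_dir():
            findings["missing_dirs"].append(d)
    current = install
    for part in Path(library_relpath).parts:      # walk every component of the library path
        current = current / part
        if is_reparse_point(current):
            findings["redirected_components"].append(str(current))
    if current.exists():
        resolved = current.resolve()              # follow all links to the real file
        findings["resolved_path"] = str(resolved)
        findings["resolves_outside"] = install.resolve() not in resolved.parents
    findings["suspicious"] = bool(findings["missing_dirs"]
                                  or findings["redirected_components"]
                                  or findings["resolves_outside"])
    return findings

def run_demo():
    """Constructed sample layouts: one clean install and one with the bin folder
    missing and the library symlinked to a file outside the install directory."""
    base = Path(tempfile.mkdtemp())
    clean = base / "clean"
    (clean / "bin").mkdir(parents=True)
    (clean / "steamclient.dll").write_bytes(b"constructed placeholder")
    rigged = base / "rigged"
    rigged.mkdir()                                # no bin folder here
    outside = base / "outside"
    outside.mkdir()
    (outside / "steamclient.dll").write_bytes(b"constructed placeholder")
    os.symlink(outside / "steamclient.dll", rigged / "steamclient.dll")
    return (audit_library_path(clean, "steamclient.dll"),
            audit_library_path(rigged, "steamclient.dll"))
```

Creating symlinks on Windows requires the corresponding privilege or Developer Mode, so the demo is most easily run on Linux or macOS; the audit function itself runs anywhere.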
Kravets' ban from HackerOne provoked outrage among security professionals, who recalled that privilege escalation vulnerabilities are among the top 10 most serious threats according to the Open Web Application Security Project (OWASP), and that Microsoft regularly fixes such bugs in its products.
“Of course, Valve is right in its own way: an attacker will not be able to use this vulnerability to hack a client,” argues ZDNet expert Catalin Cimpanu. “But the fact is that when users install Steam, they don't expect this program to become a launching pad for malware.”
Experts also pointed out that any program published in Valve's store may turn out to be a malicious agent.
“Each game can copy files to the computer; Steam administrators do not check this data,” wrote Twitter user blakeyrat. “In addition, criminals can steal the password to the account [of some game studio] and add an exploit [to its product].”
As a result, Valve nevertheless made a concession and changed its reward policy for reported bugs. The company removed from its list of exclusions the item that excluded attacks on the program that use third-party files.
On the other hand, the new edition of the reward policy extends it to methods that allow programs to elevate their privileges through Steam without requiring additional permissions from users. Any unauthorized modification of the game client is now also included in the program.