Independent information security researcher Xiaoyin Liu bypassed the protection Steam received against a previously discovered vulnerability. It turned out Valve had not completely closed the Steam vulnerability. Considering Valve's position, which placed this bug outside its area of responsibility, the expert chose to publish an exploit without notifying the company's specialists.
"I found a way to bypass the fix. The bypass requires dropping a file in a non-admin-writable location, so I think it's out-of-scope for Valve," wrote Xiaoyin Liu on Twitter.
On August 13, information security expert Vasily Kravets reported the problem in the game client. He found that because of the Steam client's excessive privileges, the program could make changes to the Windows registry. An attacker can take advantage of this hole to gain complete control of a computer.
Valve representatives initially refused to acknowledge the threat, stating that the vulnerability fell outside the scope of their bug bounty program. According to the developers, the program does not cover attacks that require physical access to the user's device or the ability to place files on the system.
After a wave of indignation from information security specialists, Valve employees nevertheless eliminated the vulnerability. Experts were skeptical of the proposed measures, since the root of the problem remained – Steam still gave users the ability to edit the registry.
Researchers needed four days to create a new exploit. To exploit the same bug, it is enough to replace the new versions of SteamService.exe and its libraries with earlier ones. After that, the client shows an error at startup, but the vulnerability can still be exploited.
Since all Steam users have full access to the program folder, the system will not block the attempt to replace files. As a result, all manipulations can be carried out without the computer's administrator noticing – this is the factor that causes the greatest concern among information security experts.
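The weakness the article describes is a program folder, and a service binary inside it, that ordinary users are allowed to modify. The following PowerShell script is an added defensive check, not code from the article, from Valve or from the researchers: it lists any access control entries that grant write, modify, delete or ownership rights to low-privilege principals on a program folder and on the executable a Windows service runs. The folder path is taken from the article; the service name is an assumption that should be verified locally with Get-Service.

```powershell
# Added example (not from the article): report ACL entries that let low-privilege users
# modify a program folder or a service's binary. Run in an elevated or a standard session;
# Get-Acl only reads the DACL.
param(
    [string]$Folder = 'C:\Program Files (x86)\Steam',   # path quoted in the article
    [string]$ServiceName = 'Steam Client Service'       # ASSUMED name; check with Get-Service
)

# Principals that normally should not hold write rights on program binaries.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user replace or alter files (Modify already includes Write
# and Delete; ChangePermissions and TakeOwnership allow a user to grant themselves more).
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, ChangePermissions, TakeOwnership, FullControl'

function Get-WeakWriteAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($lowPrivPrincipals -notcontains $id) { continue }
        # -band on the [Flags] enum: non-zero means at least one write-class right is granted
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. The program folder itself: the article notes all users have full access to it.
$findings = @()
if (Test-Path $Folder) { $findings += @(Get-WeakWriteAces -Path $Folder) }

# 2. The binary the service actually runs, and its parent folder, since a writable
#    service executable is what turns a file-replacement into privilege escalation.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName' OR DisplayName='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    # Strip a quoted path's quotes and any trailing arguments, e.g. "C:\...\x.exe" /RunAsService
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    if (Test-Path $exe) {
        $findings += @(Get-WeakWriteAces -Path $exe)
        $findings += @(Get-WeakWriteAces -Path (Split-Path $exe -Parent))
    }
}

if ($findings.Count -eq 0) {
    "No low-privilege principal holds write rights on $Folder or the service binary."
} else {
    $findings | Format-Table -AutoSize
}
```

Any row the script prints is a location where a non-administrative user can swap a binary that a privileged service will later load; the remediation is to restrict those entries to Administrators and SYSTEM, or to move the service binary out of the user-writable tree.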
In the proposed attack scenario, it is enough for cybercriminals to install malware on the victim's computer that can automatically replace Steam files and open access to the machine. After that, attackers can download additional programs, read private data and send any commands.
The author of the report said that he did not report his discovery to the developers, as he had already had an unsuccessful experience communicating with them.
Journalists have not yet been able to get a comment from Steam's developers.
"From my point of view, the very ability to freely edit C:\Program Files (x86)\Steam is already a vulnerability," Liu said. "I wrote about this to Valve in February 2017, but in response I received only gratitude for the appeal."