View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

This Valve 0Day Could Affect 100 Million Gamers

"I hope this will bring Steam developers to make some security improvements.”

By CBR Staff Writer

A whitehat has discovered what he claims is a zero-day privilege vulnerability in the world’s largest PC video game distributor that affects over 100 million users.

Security researcher “Felix” identified the privilege escalation vulnerability within the platform Steam, an online PC video game distribution platform owned by the Valve Corporation. A privilege escalation vulnerability is a flaw in a system that allows a hacker to execute a command with administrative level privileges.

In a disclosure post Felix notes that the vulnerability is ‘simple,’ Steam installs a ‘Steam client server’ which is used to download and install games to a user’s computer, this client has SYSTEM privileges on Windows systems.

Valve Zero-Day

Upon inspection Felix noted that the service could be started and stopped by the ‘User’ or essentially anyone logged into the computer. He discovered that if you started and stopped the client it created a full write access to subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.

Felix learned that any Registry Key could be modified using a symlink from a different subkey. As he wrote in his disclosure: “So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges).

“I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service “Windows Installer”, which can be started by any user, same as Steam’s service, but run program as NT AUTHORITY\SYSTEM.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

“After taking control, it is only necessary to change ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start “Windows Installer” service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM.”

“Put all things together and we get exploit that allows running any program with the highest possible rights on any Windows computer with Steam installed.”

Working off the first researcher’s work, privilege escalation expert Matt Nelson created a proof-of-concept that showed how the flaw could be used to change the executable of the service as it launched when it was restarted.

The privilege escalation researcher Felix reported the vulnerability to Valve via HackerOne. He says HackerOne reviewed and confirmed the flaw and reported that they sent the vulnerability to Valve. Felix commented in his post that: “45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.”

Computer Business Review contacted Valve for comment but has yet to receive a response.

Read More: NHS Data: A £9.6 Billion Treasure Trove?

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU