A whitehat has discovered what he claims is a zero-day privilege escalation vulnerability in the world’s largest PC video game distributor that affects over 100 million users.
Security researcher “Felix” identified the privilege escalation vulnerability in Steam, an online PC video game distribution platform owned by the Valve Corporation. A privilege escalation vulnerability is a flaw in a system that allows a hacker to execute a command with administrative-level privileges.
In a disclosure post, Felix notes that the vulnerability is ‘simple’. Steam installs a ‘Steam client server’, which is used to download and install games to a user’s computer, and this client has SYSTEM privileges on Windows systems.
Upon inspection, Felix noted that the service could be started and stopped by the ‘User’, or essentially anyone logged into the computer. He discovered that starting and stopping the client resulted in full write access to subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.
Felix learned that any Registry Key could be modified using a symlink from a different subkey. As he wrote in his disclosure: “So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges).
“I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service “Windows Installer”, which can be started by any user, same as Steam’s service, but run program as NT AUTHORITY\SYSTEM.”
“After taking control, it is only necessary to change ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start “Windows Installer” service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM.”
“Put all things together and we get exploit that allows running any program with the highest possible rights on any Windows computer with Steam installed.”
Building on the first researcher’s findings, privilege escalation expert Matt Nelson created a proof-of-concept that showed how the flaw could be used to change the executable that the service launched when it was restarted.
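A read-only audit of the two registry locations named above, as an added example that is not part of Felix’s disclosure or Nelson’s proof-of-concept: it lists write-capable access entries held by low-privileged groups under the Steam Apps key and checks the msiserver ImagePath. The function names and the expected ImagePath string (taken to be the default on a clean Windows install) are assumptions.

```powershell
# Added audit example, not the researcher's code. Read-only: nothing is modified.
$appsKey  = 'HKLM:\Software\Wow6432Node\Valve\Steam\Apps'    # key named in the article
$svcKey   = 'HKLM:\SYSTEM\ControlSet001\Services\msiserver'  # key named in the article
$expected = '%systemroot%\system32\msiexec.exe /V'           # assumed Windows default

# Well-known SIDs of low-privileged principals (independent of OS language).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow changing a key's values, subkeys, links or security descriptor.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Get-WeakRegistryAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        # Explicit and inherited entries, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid   = $ace.IdentityReference.Value
            $write = ([int]$ace.RegistryRights -band [int]$writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and $write) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $lowPriv[$sid]
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Test-ServiceImagePath {   # hypothetical helper name
    param([string]$KeyPath, [string]$ExpectedValue)
    $actual = [string](Get-Item -LiteralPath $KeyPath).GetValue('ImagePath')
    # Expand both sides so %systemroot% and its resolved form compare equal.
    $a = [Environment]::ExpandEnvironmentVariables($actual)
    $e = [Environment]::ExpandEnvironmentVariables($ExpectedValue)
    [pscustomobject]@{ Key = $KeyPath; ImagePath = $actual; AsExpected = ($a -eq $e) }
}

Get-WeakRegistryAce -Path $appsKey | Format-Table -AutoSize
Test-ServiceImagePath -KeyPath $svcKey -ExpectedValue $expected | Format-List
```

Any row returned for the Apps key, or `AsExpected : False` for msiserver, is worth investigating on a machine with Steam installed.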
The privilege escalation researcher Felix reported the vulnerability to Valve via HackerOne. He says HackerOne reviewed and confirmed the flaw and reported that they sent the vulnerability to Valve. Felix commented in his post that: “45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.”
Computer Business Review contacted Valve for comment but has yet to receive a response.