View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 23, 2019

Following Public Issues Changes Come to Valve’s HackerOne Bug Bounty Program

"I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.”

By CBR Staff Writer

The Valve Corporation, which runs Steam an online PC video game distribution platform, has made changes to the way it will interact with bug bounty hunters in the future following a number of public fallouts.

The changes come after security researcher Vasily Kravets released a proof of concept that showed a vulnerability within the Steam client for Windows that allowed privilege escalation.

Originally Valve refused to acknowledge the vulnerability stating that it was not an issue and did not need a patch. However, once security researchers proved it worked Valve were forced to patch the issue.

Now the firm has made changes to the way operates its HackerOne bug bounty program.

In a statement first sent to Ars Technica Valve commented that:

“We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.”

“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.”

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

“We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.”

First Rumblings in Valve’s HackerOne Bug Bounty Program

At the start of this month we reported how Vasily Kravets (aka Felix/PsiDragon) identified the privilege escalation vulnerability within the platform Steam.A privilege escalation vulnerability is a flaw in a system that allows a hacker to execute a command with administrative level privileges.

In a disclosure post Kravets notes that the vulnerability is ‘simple,’ Steam installs a ‘Steam client server’ which is used to download and install games to a user’s computer, this client has SYSTEM privileges on Windows systems.

Upon inspection Kravets noted that the service could be started and stopped by the ‘User’ or essentially anyone logged into the computer. He discovered that if you started and stopped the client it created a full write access to subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.

Kravets learned that any Registry Key could be modified using a symlink from a different subkey. As he wrote in his disclosure: “So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges).

“I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service “Windows Installer”, which can be started by any user, same as Steam’s service, but run program as NT AUTHORITY\SYSTEM.”

Valve’s HackerOne Bug Bounty Program“After taking control, it is only necessary to change ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start “Windows Installer” service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM.”

“Put all things together and we get exploit that allows running any program with the highest possible rights on any Windows computer with Steam installed.”Working off the first researcher’s work, privilege escalation expert Matt Nelson created a proof-of-concept that showed how the flaw could be used to change the executable of the service as it launched when it was restarted.

The privilege escalation researcher Felix reported the vulnerability to Valve via HackerOne. He says HackerOne reviewed and confirmed the flaw and reported that they sent the vulnerability to Valve. Felix commented in his post that: “45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.”

Topics in this article : , , , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU