
Steam Windows Client Local Privilege Escalation 0day - codedokode
https://amonitoring.ru/article/steamclient-0day/
======
marcinzm
>Moreover, they didn't want me to disclose the vulnerability. At the same
time, there was not even a single word from Valve. No, guys, that's not how it
works. You didn’t respect my work, and that's the reason why I won’t respect
yours — I see no reason why I shouldn't publish this report. Most likely I’ll
be banned at H1 because of it, but it won't make me upset.

This seems pretty scammy of HackerOne and does nothing but hurt security.
Either something is an issue and should be paid for, or it's not an issue and
disclosure is fine. They're trying to have it both ways and trying to strong
arm researchers into keeping quiet.

~~~
SpicyLemonZest
I think there's a fair question to ask here: is HackerOne a bug bounty program
that offers security consulting services, or a security consulting service
that's implemented as crowdsourced bug bounties? If I hire a normal security
consultant, and she finds an issue in my product that I don't agree is a real
vulnerability, it's absolutely not fine for her to go write a public article
about it.

~~~
Draiken
Serious question: why?

Unless the company is lying and it IS a real vulnerability, writing an article
about it seems harmless to me.

OFC if I planned on writing an article I'd be open about it beforehand,
but that feels like a courtesy and not an obligation unless an NDA is
involved.

Disclaimer: I don't work in security so this is purely curiosity.

~~~
SpicyLemonZest
It'd be like writing public articles attacking your company's accounting
practices. Sometimes things are so bad it's fair to blow the whistle, but it
creates nasty incentives if companies can't perform private security
investigations without risking a public shaming over the results.

~~~
gtirloni
These people are not employees. They don't agree to amounts before starting
the work. They don't make promises. Nothing! I don't see how someone
publishing something in that situation is a problem.

Like OP wrote in this thread, it either is a vulnerability or it's not. In the
latter case, just assume it's the cost of doing business and people will write
"bad" things about your product?

------
dx87
I'm not surprised at the response they got when they reported the
vulnerability. Somebody reported an XSS vulnerability in the Dota 2 UI, and
they wouldn't fix it. So (probably the reporter) created a worm in the client
that spread through your friends list in game and defaced the client. People
also found out you could crash the client by using the XSS to download very
large images. There was no way to protect yourself either, because messages
from friends are automatically displayed with no user interaction.

~~~
jerf
I like to say "The capabilities of attackers are not bounded by your
imagination."

It is possible to get a "security bug" that is technically a security bug, but
still isn't really all that important. But you generally want to be very
careful in making that assessment, because just because one particular person,
even someone fairly skilled in security, doesn't think it can be used to do
anything truly harmful doesn't mean that the attackers won't figure something
out.

XSS has been a particularly rich source of this; it's very easy for someone not
too up on security to say "Oh, whoopdedo, it lets you pop up an alert box or
change the client side display", when in fact XSS can steal login cookies if
you haven't properly secured them (which seems likely to correlate highly with
people who don't think XSS is a big problem) and be used to proxy web
connections to other resources in the context of the user, conforming to the
same-origin policy [1]. So, for instance, with the recent story about a guy
finding an XSS in Tesla's service management page, they were correct to
respond to that as a serious issue; it wasn't just a way of moderately
inconveniencing a service tech, it was a back door into their entire service
system, potentially. XSS has a huge mismatch between the general developer's
impression of its severity and its actual severity.

[1]:
[https://github.com/beefproject/beef/wiki/Tunneling](https://github.com/beefproject/beef/wiki/Tunneling)

~~~
SOLAR_FIELDS
I think the Tesla example you gave serves your point particularly well,
because the researcher himself didn’t even know that there was a vulnerability
until several weeks after he had placed a probe and someone in Tesla accessed
an internal page.

------
Benjamin_Dobell
I also had a look at Valve's HackerOne policies recently and was unimpressed
for a variety of reasons:

\- The "Exclusions" are _very_ poorly defined:

 _Valve will have the right to determine CVSS classification, report validity,
duplications, exclusions and out-of-scope bugs in its sole discretion._

\- What's "In Scope" is _extremely_ vague. Yes, it's a list of domains,
however Steam uses way more domains than that. Even then, not everything is
tied to a "domain" as such, for instance Steam provides P2P networking.
Executables are indeed mentioned, but again, it's vague.

\- Payouts seem low.

The HackerOne profile is something I would expect of (and would be acceptable
for) a 10 person company, not a massive corporation with millions of users.

~~~
monster99
Steam was essentially a small company in 2004, in fact they grew too fast for
their own good. Let us remember until the steam patch nobody wanted in 2004,
valve had only released half-life and a few other odds and ends, until half-
life 2 in 2004. Where steam began the long process of stealing game files from
PC gamers and calling it drm.

The whole process began back in the late 90's with Ultima Online in a
bid to get people to pay monthly for the same computer role playing games by
rebadging PC RPGs as MMOs.

So everyone with a clue about gaming history should know valve only seems
"big" because the internet gave them first mover advantage when they
wrapped the steam store around half-life 2 in the mid 2000's, over the next
5-6 years that would make valve a tonne of money as AAA games released on
steam until uplay and origin showed up later.

Let us remember the reason we have storefronts for every company is because
the internet enabled companies to steal PC games out from gamers via server
locking games to their companies' PCs. Now we're even seeing basic game
functions held back and sold for microtransaction money.

~~~
jtms
While I somewhat understand and relate to your overall point, Ultima Online
and other MMOs that followed were not simply a “rebadging” of previous RPGs -
they were a fundamentally new genre that created some of the most important
and impressive leaps forward in multiplayer gaming. Even though some companies
are using gamer hostile practices such as micro transactions now, the
implication that all online gaming was one big conspiracy to “steal PC games
out from gamers” is utter nonsense.

~~~
monster99
No it isn't, there is no reason for any piece of software to be split between
your computer and another company.

If you buy the argument, you obviously never gamed during the 90's during the
heyday of level editors, free maps and mods over IPX emulators like Kali and
Kahn.

It's not utter nonsense, DRM is literally taking files of the game hostage. Go
load up overwatch and disable the network card, Go load up quake 3 or Unreal
tournament 2004.

You can still play Quake 3 and UT2004, you'll notice a big fat error in
overwatch because it is logging you into a server required for it to function.

Go get Neverwinter Nights, released in 2002, and compare it against the "f2p"
version (aka a stolen RPG rebadged as an f2p MMO during development).

[https://store.steampowered.com/app/704450/Neverwinter_Nights...](https://store.steampowered.com/app/704450/Neverwinter_Nights_Enhanced_Edition/)

The original Neverwinter Nights had game tools and you could run your own
server, vs. Neverwinter the "f2p MMO" version (aka the moniker for the game
moving to a server-locked game).

[https://store.steampowered.com/app/109600/Neverwinter/](https://store.steampowered.com/app/109600/Neverwinter/)

Any gamer in the 90's was expecting more dedicated servers, level editing
tools with PC games.

League of Legends and DOTA 2 would have been fully single player RTS games
with multiplayer.

So no you and anyone who believes like you is willfully ignorant that we now
live in a PC game dystopia. Whereas before League of legends and DOTA 2 would
have been coded like Quake 3, Unreal tournament 2004, and warcraft 3, you own
the game and can play it multiplayer if necessary without a third party.

Diablo 2 we owned it --> Diablo 3 blizzard owns it and can now shut it down

Quake 3 we owned it --> Quake champions bethesda owns it and can shut it down.

So no, we've gone backwards in time to mainframe and dumb client model of
computing because of the average gamer being computer illiterate and not
seeing the writing on the wall.

So no, they were not fundamentally a new "genre"; that was what marketing and PR
flacks hoped people like you would buy. Note that private servers prove you
incorrect, aka that there exist private servers for Ultima Online and World of
Warcraft, demonstrating they would have just been role playing games with shards
players controlled; there was no need for companies to control them or the
monthly fee.

Overwatch is a case in point that you are incorrect, since it's just a
multiplayer fps, why is there no level editors, tools, open file specs and
GTKRadiant? Oh yeah, that's right, they wanted to lock down the code from a
server in their office to resell skins that are sitting on encrypted files
already on your machine setting a programming flag to display, when you've
"earned" them via the stupid leveling system or gambled for them using their
lootbox system.

~~~
ThrowawayR2
> _No it isn't, there is no reason for any piece of software to be split
> between your computer and another company. ... You can still play Quake 3
> and UT2004, you'll notice a big fat error in overwatch because it is logging
> you into a server required for it to function._

There is a reason and it's a darned good one: piracy. It was well discussed on
professional game development sites in the '90s and '00s; building an online
game or a game with a large online component meant that it was immune to being
pirated.

~~~
Crinus
> There is a reason and it's a darned good one: piracy.

This is not a good reason at all, especially from the consumer's perspective.

~~~
dleslie
Game development is a risky and often thankless undertaking as it is, that the
developers sought profit in the face of widespread IP theft is neither immoral
nor unsurprising.

~~~
Crinus
> often thankless undertaking

Why would I "thank" someone that puts unnecessary restrictions on how I can
use the program I paid them money for?

> neither immoral

I see it as very immoral to deny me access and control to the software I paid
for, especially when that happens because the developer is treating me in a
guilty-by-default way for something they have no idea if I'll do or not.

~~~
dleslie
You paid for access to a client and limited term access to the services it
requires. If that's not acceptable to you then _do not purchase it_.

It's a game. No one is forcing you to play it.

~~~
Dylan16807
> If that's not acceptable to you then _do not purchase it_.

> No one is forcing you to play it.

That has nothing to do with whether the product is moral.

------
Crinus
I wouldn't be surprised if this is for backwards compatibility with older
games (the linked twitter "exploit" is certainly due to many games writing
files in their own folders) and avoiding the need to show the UAC prompt when
installing dependencies (VC++ runtimes, etc) in many newer games - especially
if you take into consideration Steam's Big Picture mode and that it needs to
be usable with a controller (though perhaps the Steam Controller can also
function as a regular desktop mouse, assuming it doesn't rely on Steam itself
to move the cursor around - which may not work when the UAC prompt is shown -
and on the other hand some older games _do_ need to run as Administrator
and/or a compatibility mode that shows a UAC prompt, so perhaps SC can work
with that).

BTW...

> Are you sure that a free game made of garbage by an unknown developer will
> behave honestly? Do you believe that for a 90% discount you will not get a
> hidden miner?

...beyond this being FUD, games do not need to run with Administrator
privileges to put hidden miners and even if they did, all they'll need to do
is simply... show the UAC prompt. So many things show it that people will
accept it anyway, especially when they're trying to start a game. But more
importantly, such a game will be removed instantly from Steam and thus won't
spread much while the developer could be sued (before publishing anything on
Steam you have to give them your full details) making the entire endeavor not
worth the effort.

Though of course this issue can be taken advantage of outside of Steam.

~~~
Nullabillity
> especially if you take into consideration Steam's Big Picture mode and that
> it needs to be usable with a controller (though perhaps the Steam Controller
> can also function as a regular desktop mouse, assuming it doesn't rely on
> Steam itself to move the cursor around - which may not work when the UAC
> prompt is shown - and on the other hand some older games do need to run as
> Administrator and/or a compatibility mode that shows a UAC prompt, so
> perhaps SC can work with that).

The Steam Controller has a "lizard mode" for when it can't connect to Steam
where it just acts as a dumb mouse. I have no idea whether it enables that for
UAC prompts, but it probably could.

~~~
DCoder
I just checked, and yes, you can use Steam Controller to get through UAC
prompts. The joystick mimics the arrow keys, the right trackpad moves the
mouse cursor, the trigger buttons represent mouse clicks, and A is Enter.

~~~
yrro
How does Steam capture the secure desktop that displays the UAC prompt?

~~~
DCoder
It doesn't. The controller simply acts as a mouse/minimal keyboard outside
Steam.

~~~
yrro
So if you're using Steam streaming and the session switches to the secure
desktop due to a UAC prompt, what happens... does the screen just go blank (a
la VNC), leaving the remote user locked out?

~~~
jandrese
Steam streaming always manages to feel half baked to me for reasons like this.
Another is that it needs to unlock your screen before it can be used. So you
either leave your computer unlocked, or you need to VNC into it to unlock the
screen so Steam streaming works.

Every time I do that I think there must be a better way.

~~~
Faark
Yeah, i often control my machine via RDP and then streaming a game from there
is a pain. Here is some script I've found to unlock the local pc,
disconnecting RDP in the process:

> @powershell -NoProfile -ExecutionPolicy unrestricted -Command "$sessionid=((quser $env:USERNAME | select -Skip 1) -split '\s+')[2]; tscon $sessionid /dest:console" 2> UnlockErrors.log

I've not used it often and mostly given up on Steam's streaming stuff. Playing
simple stuff through RDP directly usually works well enough for the few times I
still did that. Notably pretty much all games launch flawlessly. The drawback
is it not being optimized for games, offering notably worse performance on
that front.

------
omgtehlion
There is more blatant violation:

1\. Log on as non-admin on a box with steam

2\. Do not start steam or any game

3\. cat %system32%\calc.exe > %programfiles%\steam\bin\steamservice.exe

4\. Reboot

5\. Log on, start steam

6\. BAM! Now you have calc.exe (attempted to) run as System with highest local privileges

~~~
AnIdiotOnTheNet
> 3\. cat %system32%\calc.exe > %programfiles%\steam\bin\steamservice.exe

This requires elevation.

~~~
dtech
On my machine, the Steam folder is writable by the Users group.

I didn't modify anything so I assume Steam set it that way.

~~~
AnIdiotOnTheNet
If true, then I stand corrected.

However, I'll point out that one hardly needs administrator access to, say,
encrypt your documents and install a crypto miner. The whole idea that gaining
administrator privileges through local escalation on a personal desktop is A
Big Deal(TM) is silly.

~~~
0xDEFC0DE
>The whole idea that gaining administrator privileges through local escalation
on a personal desktop is A Big Deal(TM) is silly.

I’ve seen steam on work computers. This isn’t limited to home desktop users by
any stretch. People install steam because they don’t know it puts their work
computers at risk.

You could argue that they shouldn’t have games on a work PC (some companies
are a bit more lax and even play together) and an easy way to convince them to
not do that is if you point out that Steam makes your system less secure _by
design_.

~~~
wruza
>shouldn’t have games on a work PC

Steam also sells design tools and complete sdks. Idk if it is a common way to
install them though.

~~~
AnIdiotOnTheNet
This attack would require that you are A) Installing something you don't
actually need for work, or B) Whatever you need for work is infected anyway.

~~~
shawnz
No it doesn't. The attack does not require you to install a compromised game
like 0xDEFC0DE was suggesting in the other thread. Obviously if you install a
compromised game then no other attack is necessary.

~~~
0xDEFC0DE
FTR the problem is steam and the game doesn't matter. I wasn't suggesting
individual games needed to be installed; steam alone is enough for this
compromise.

------
argd678
Steam also stores your credentials world readable on the file system, I
reported it I think in 2016 and they just said it was a limitation. I know
Epic Games takes security more seriously than Valve at least.

~~~
Bjartr
As I understand it, there's no way to have the feature of "remember me" on the
login box allow skipping 2FA without this. Anywhere they could put it while
still allowing a no interaction login would be just as vulnerable.

The primary way of attack was to trick a steam user into either uploading the
token file directly, or trick the user into running an executable that
uploaded it silently. If you're already tricking the user into running an
executable you design, there's not much left that can be done to stop this
since such an executable could reach inside the running steam process and read
whatever data it likes.

~~~
gravypod
Signed and public-key-encrypted tokens

~~~
WorldMaker
Plus, use Windows' Protected Storage Subsystem (which has been around forever)
to at least lock the tokens to a specific Windows account/user. No need for a
machine-wide readable file even if the tokens were signed and encrypted.
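As an added example of the approach WorldMaker describes (this is illustration code written for this page, not anything from the Steam client), the script below uses DPAPI, the current Windows equivalent of the old Protected Storage subsystem, to store a "remember me" token so that only the Windows account that wrote it can decrypt it, and additionally restricts the file's ACL to that account. The token value, the `ExampleClient` folder name and the entropy string are made-up assumptions.

```powershell
# Added example (not Valve/Steam code): per-user protection of a login token.
# DPAPI CurrentUser scope binds the blob to this Windows account on this
# machine; the ACL makes the file unreadable to other local accounts as well.
Add-Type -AssemblyName System.Security

# Assumed location; a real client would pick its own per-user directory.
$TokenPath = Join-Path $env:LOCALAPPDATA 'ExampleClient\login.token'
# Optional entropy ties the blob to this application as well as to the user.
$Entropy   = [Text.Encoding]::UTF8.GetBytes('ExampleClient-token-v1')

function Protect-LoginToken {
    param([Parameter(Mandatory)][string]$Token)

    $plain = [Text.Encoding]::UTF8.GetBytes($Token)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
                 $plain, $Entropy,
                 [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Array]::Clear($plain, 0, $plain.Length)   # do not leave plaintext around

    New-Item -ItemType Directory -Force -Path (Split-Path $TokenPath) | Out-Null
    [IO.File]::WriteAllBytes($TokenPath, $blob)

    # Belt and braces: stop inheriting the parent ACL and grant only this user.
    $acl = Get-Acl -LiteralPath $TokenPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
    $me   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $own  = New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($own)
    Set-Acl -LiteralPath $TokenPath -AclObject $acl
}

function Unprotect-LoginToken {
    $blob  = [IO.File]::ReadAllBytes($TokenPath)
    # Throws a CryptographicException when called under another user account
    # or when the blob has been copied to a different machine.
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $Entropy,
                 [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Text.Encoding]::UTF8.GetString($plain)
}

# Demo round trip with a constructed, non-real token value.
Protect-LoginToken -Token 'example-session-token-not-real'
Unprotect-LoginToken
```

This closes the gap that matters in a multi-user setup: a second local account cannot read the file at all, and even with a copy of the blob it cannot decrypt it. It does not address Bjartr's point above; code running as the same user can still call `Unprotect` exactly as the legitimate client does.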

------
shawnz
I am glad someone is finally paying some attention to the multiuser security
of Steam. The fact that it makes its whole program directory world-writable is
ridiculous. I really hope these bugs get corrected because as it is, Steam
cannot be safely used in multiuser environments.

~~~
jandrese
Valve in general seems to be vague on the entire concept of multi-user. They
have a family plan where you can share your library with your family, but with
the limitation that only one member of the family can be playing a game at
once.

Even if you are trying to play two different games Steam will try to kick one
of the players off. It seems like they think a "family" is a family of
computers that one single person might want to access. I get that they might
be concerned that someone sets up a Steam account for their entire floor of
the dormitory or something, but wouldn't a sensible limit be more like 5
instead of 1, with the additional limitation of only one copy of a particular
game at once? Plus the ability to buy multiple copies of a game for a single
library if you want? Netflix, Amazon Prime Video, Hulu, etc... all figured
this out, why can't Valve?

~~~
thw0rted
I agree that Family Sharing could be less restrictive but it's not quite as
bad as you describe. You're already limited to the number of "Family" accounts
on a single system, and I believe also to the number of systems where a given
account can be "Family enabled". I also hasten to point out that it's arguably
the least restrictive sharing system of any digital storefront on PC or any
console.

Also, you can buy licenses for a game on more than one account. If sharing is
enabled for accounts A, B, and C on a set of computers, C can use a license
from A or B, if both own the game. The trick is that it tries to use the
license of the person who enabled sharing most recently. So if A enables
sharing, then B, but B is currently playing a game, it won't let C play a game
that both A and B own. You can log in as B and disable sharing, then it will
work. Alternately, there are tools to fix this automatically by editing config
files -- and in retrospect, they probably work because of the security flaws
mentioned in an earlier thread...

------
als0
I agree the situation with Steam is not good on Windows. It’s already in a
very privileged position because it can take full control of the screen with
overlays, access controllers, and silently install games, all without the user
ever seeing a single UAC prompt. I doubt those functional aspects will change
in future.

I’m glad the issues are getting more attention and hope Valve finds effective
ways to harden their client. This is needed despite the walled garden they
have.

------
o-__-o
Steam allows you to stream games from other network PCs. I found it
interesting that you could stream games and sometimes glitch out of the game
but still keep full control of the desktop. Odd, because steam makes a
wonderful RDP-like client. Concerning, because i never entered my password for
that computer.

I turned off remote streaming after that happened. Author of this paper is
right for disclosing

~~~
pjc50
You do have to log into Steam with the same account on both PCs, don't you?

Personally I find it annoying that it doesn't have a fallback whole-desktop
mode, since some game launchers (eg Minecraft) interact very badly with Steam
streaming, and Microsoft insist on turning RDP off on consumer editions. You
can fake it by installing Notepad as a "third party game", but it's not
entirely reliable.

I ended up using Nvidia+Moonlight to stream Minecraft.

~~~
ThatPlayer
The behavior seems to vary between the PC Steam program and the Steam Link app
on other devices. The Steam Link app will fallback to whole-desktop, allowing
you to exit Steam Big Picture and what not.

~~~
glastra
You can even start streaming the desktop directly. AFAIK there is a setting
for that.

------
withinrafael
Rehash:

\- Steam has a privileged service, users can start/stop it.

\- Steam's service resets a bunch of registry subkey ACLs under
[HKLM\\...\Valve\Steam] at startup

\- Steam's service gives unprivileged users read/write access to its own keys

\- Steam lets unprivileged users write to this area of the registry

\- Steam's service follows registry symlinks

This is terrible. Any multi-tenant machine with Steam installed is affected
and should be considered compromised.

~~~
shawnz
It's actually even worse than that, OP's exploit only scratches the surface of
what's wrong with Steam's security model on Windows. The whole program
directory is world writable including the Steam service binary which runs with
local system permissions, and it's been this way for YEARS. See:
[https://news.ycombinator.com/item?id=20633929](https://news.ycombinator.com/item?id=20633929)
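The two comments above describe three places where an ordinary user should never hold write-class rights: the Steam install tree (including the service binary), the Steam keys under HKLM that the service re-ACLs at startup, and the service object that unprivileged users can start and stop. The following audit script is an added example written for this page, not Valve's code; it reads the DACLs on all three and reports any Allow entry that grants write, delete, permission-change or ownership rights to a group every local non-admin user belongs to. The install path, registry path and service name are assumptions based on a typical install and can be overridden with the parameters.

```powershell
# Added audit check (not Valve's code). Flags ACEs that give broad local
# principals write-class rights on the Steam install tree, on the Steam keys
# under HKLM, and on the Steam service object itself.
# All three defaults are ASSUMPTIONS about a typical install; override as needed.
param(
    [string]$SteamDir    = 'C:\Program Files (x86)\Steam',
    [string]$SteamKey    = 'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam',
    [string]$ServiceName = 'Steam Client Service'
)

# Groups every interactive, non-admin local user is a member of.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let such a user replace what a SYSTEM service later executes or trusts.
$FsWrite  = [Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$RegWrite = [Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Test-WeakAce {
    param($Ace, $WriteMask)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $rights = if ($Ace.PSObject.Properties['FileSystemRights']) { $Ace.FileSystemRights }
              else { $Ace.RegistryRights }
    return (([int]$rights -band [int]$WriteMask) -ne 0)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. File system: the install dir, bin\, and every .exe directly under them.
$dirs = @(@($SteamDir, (Join-Path $SteamDir 'bin')) | Where-Object { Test-Path -LiteralPath $_ })
if ($dirs.Count -gt 0) {
    $exes    = @(Get-ChildItem -Path $dirs -Filter *.exe -File -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty FullName)
    foreach ($t in ($dirs + $exes)) {
        foreach ($ace in (Get-Acl -LiteralPath $t).Access) {
            if (Test-WeakAce $ace $FsWrite) {
                $findings.Add([pscustomobject]@{
                    Object    = $t
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited })
            }
        }
    }
}

# 2. Registry: the Steam key and every subkey beneath it.
if (Test-Path -LiteralPath $SteamKey) {
    $keys = @(Get-Item -LiteralPath $SteamKey) +
            @(Get-ChildItem -LiteralPath $SteamKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($ace in (Get-Acl -LiteralPath $k.PSPath).Access) {
            if (Test-WeakAce $ace $RegWrite) {
                $findings.Add([pscustomobject]@{
                    Object    = $k.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited })
            }
        }
    }
}

# 3. Service DACL via its SDDL: RP = start, WP = stop, DC = change config.
#    SID aliases: AU = Authenticated Users, IU = Interactive, BU = Users, WD = Everyone.
$sddl = (& sc.exe sdshow $ServiceName 2>$null) -join ''
foreach ($m in [regex]::Matches($sddl, '\(A;;(?<rights>[A-Z]*);;;(?<sid>AU|IU|BU|WD)\)')) {
    $codes = [regex]::Matches($m.Groups['rights'].Value, '..') | ForEach-Object { $_.Value }
    $bad   = @($codes | Where-Object { $_ -in 'RP', 'WP', 'DC' })
    if ($bad.Count -gt 0) {
        $findings.Add([pscustomobject]@{
            Object    = "service:$ServiceName"
            Principal = $m.Groups['sid'].Value
            Rights    = ($bad -join ',')
            Inherited = $false })
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No write-class ACEs for broad principals found.' }
```

Reading DACLs needs no elevation, so this runs as the same unprivileged user the thread is worried about. It only inspects the entries that are actually on the objects; a registry symbolic link that redirects one of the Steam subkeys elsewhere, the mechanism the article's exploit relies on, will not show up here, and a clean report on the directory does not say anything about the keys, or the other way round.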

~~~
withinrafael
Yeah, I just saw that today. I don't know what to say.

------
jeroenhd
Quite a sad ending for a security vulnerability that can probably be fixed by
correcting a few permissions.

Saying privilege escalation doesn't count because you need to place a file on
the file system is a nonsense excuse. It's saying "yeah well it's not our
problem that we give a process full system rights because the user already
opened something else in low privilege mode".

~~~
_kbh_
Saying you need to drop a file is a sad excuse. Especially when you don't need
to. I see no reason why you couldn't use the suggested exploit. Changing the
HKLM\SYSTEM\ControlSet001\Services\msiserver ImagePath to the path of cmd.exe
should pop you up a system shell. With no files dropped.

------
imtringued
Nitpick: Changing registry keys is a file operation.

~~~
GordonS
_Technically_ , changing a registry key changes bytes within a large file,
yes.

But in practice, the only way to change registry keys/values is by going
through the registry APIs provided by Windows; I certainly wouldn't consider
registry operations as file system operations.

------
ChrisSD
I've been running Steam on a non-admin account for awhile now. I can't recall
a game that actually needed admin permissions to install and run. Some games
will continue to try on every run but after the no admin error it runs fine
anyway.

I'm on Windows 10. It's possible I've already installed the required Visual
C++ runtimes.

~~~
gsich
There is a steamservice.exe (or similar). It gets admin during install.

~~~
ChrisSD
Right but as far as I'm aware this isn't needed for games to install and run.
If you disable it, Steam complains but runs anyway.

Of course it probably breaks some Steam services but apparently not ones I
use.

~~~
gsich
Only if you install the games outside "Program Files".

~~~
shawnz
Not true. You can install games even with the service disabled, since the
Steam program folder permissions allow any user to write files there (and
that's where games are installed by default).

~~~
ChrisSD
Indeed. As I said, I've been doing this for awhile now so this isn't merely a
theoretical for me.

------
FDSGSG
Pretty shitty of HackerOne to forbid the disclosure of a non-vulnerability.
Hopefully there's more to this story.

~~~
knd775
a "non-vulnerability"

------
MayeulC
This is concerning, especially as the steam client is a platform for
downloading remote code execution-enabled programs.

I can't imagine the number of security vulnerabilities in Steam games. Most
games require invasive anti-cheat services that are connected to a
command-and-control server with full RCE capabilities (and RAM dumping/analysis, etc).

If you want a specific example, take Unreal Tournament (1999) on steam: this
is an old game, yet its security practices remain unchanged. Most public
servers I tried to connect to pushed dlls on my computer, that were then
loaded by the game executable, to provide a variety of mods, anti-cheat
services, and more.

That means anyone hosting a UT99 server has RCE and privilege escalation capabilities
on any client that connects through Steam, without even trying hard. More
concerning is the fact that games are a very specific medium:
robustness/security is often not the primary concern, most are networked, and
few are patched [a few years] after release, yet remain launched on a regular
basis for decades to come. Moreover, newer games tend to push resource usage
too much for elaborate sandboxes.

That's the reason why I run Steam through flatpak's sandbox: at least, it, or
games, don't have access to my filesystem. I still have concerns over the
login token, though. Wayland does provide some extra protection against
potential keyloggers/others, but I wish Steam itself was constructed like a
browser, sandbox-wise.

(yes, the remote dll loading happened on Linux, through wine/proton, a
testament to the engineering of these compatibility layers).

------
m-p-3
Thanks for the disclosure, and if Steam users get attacked because of their
irresponsibility then it's on Valve. The author did what they reasonably
could to get this fixed the easy way before the hard way.

Hopefully they'll learn from it and act more professionally and increase their
payout if they want security researchers to take them seriously in the future.

------
trulyrandom
I've also had some similarly bad experiences reporting vulnerabilities to
managed HackerOne campaigns. I'm guessing the HackerOne staff is primarily
trained to judge web vulnerability reports. Anything beyond that often
triggers odd followup questions or even a rejection like in this case.

------
unstatusthequo
I usually report directly to the company anyway which escalate it with
HackerOne if they aren’t dysfunctional.

------
ryanlol
How come both of the comments discussing the way HackerOne handled this are
[dead]?

Neither account seems to be banned, both comments seem perfectly fine.

~~~
sctb
Sorry about that, those posts were killed by some overzealous anti-spam
software which we've just pacified.

------
foxtrottbravo
Normally I do not care too much about comments marked as [dead]. But why is it
that all comments in this submission that critique HackerOne are being killed?

I'm now somewhat curious if this comment will be hit with whatever hit the
other (at the time of writing) four comments.

~~~
ryanlol
HN gets constant spam from scammers advertising “hacking services”, the
antispam system likely confused HackerOne comments with those.

(perhaps this comment will get autokilled too)

------
zonidjan
> Here I realized that Valve has no interest in EoP vulnerabilities.

... surprise? Of course not. Neither do 99% of their users.

~~~
comfyinnernet
Users of peanut butter shouldn't have to think about whether it contains glass
and razors.

------
microcolonel
Just assume Windows does not have privilege separation, don't rely on it. The
way things are on Windows is convenient, especially with all the legacy
software, but don't rely on it to protect users from each other.

~~~
ChrisSD
But Windows does have strong separation between processes running in separate
sessions. Steam actively goes out of its way to undermine this by giving all
users permission to directly control a service with system level privileges.

