Hacker News new | past | comments | ask | show | jobs | submit login
Steam Windows Client Local Privilege Escalation 0day (amonitoring.ru)
407 points by codedokode 17 days ago | hide | past | web | favorite | 186 comments



>Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned at H1 because of it, but it won't make me upset.

This seems pretty scammy of HackerOne and does nothing but hurt security. Either something is an issue and should be paid for, or it's not an issue and disclosure is fine. They're trying to have it both ways and trying to strong arm researchers into keeping quiet.


I've mentioned before how disappointed I've been to watch hackerone move from a platform helping responsible disclosure to a platform helping companies hide vulnerabilities.

It used to be that even accepted bugs and paid bounties would be publically disclosed. It helped me learn a ton just from reading the (partially redacted) bug reports. Over time they became more and more redacted until they were left entirely pointless.

To mark a bug as N/A, declare it 'not fix' but then say also it can't be disclosed is precisely why responsible disclosure is a thing. Companies can't have their cake and eat it.


This is why “responsible disclosure” has been rejected as a term among security professionals for many years now. Vendors invented it for self-serving reasons.

https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coor...


What are the alternatives for HackerOne for hosting a bug bounty program? My company is looking to set one up and H1 was way too expensive and tried to push all their extra features.

All we want is a place to host a bug bounty page and allow us to pay rewards through it. The only reason I'd prefer hosting that on a platform rather than just making a bug bounty page on our own site is that I feel bounty hunters would trust it more, since it's not just some random page on a company website they've never heard of before.


I think there's a fair question to ask here: is HackerOne a bug bounty program that offers security consulting services, or a security consulting service that's implemented as crowdsourced bug bounties? If I hire a normal security consultant, and she finds an issue in my product that I don't agree is a real vulnerability, it's absolutely not fine for her to go write a public article about it.


>If I hire a normal security consultant, and she finds an issue in my product that I don't agree is a real vulnerability, it's absolutely not fine for her to go write a public article about it.

The difference is that you pay her either way. HackerOne doesn't. If HackerOne wants the advantages of paid employees then they need to pay for employees and not mask it as a bug bounty program.


> and she finds an issue in my product that I don't agree is a real vulnerability

If it’s not a real vulnerability then why would it matter if she publicised it?

Or, is it actually a real vulnerability but you don’t want to admit it because she (the security consultant) is getting paid per vulnerability found?


Because most people can't and don't critically evaluate vulnerability reports. If "SpicyLemonZest Windows Client Local Privilege Escalation 0day" becomes a trending headline, my customers will demand I do something about it, even if I have a perfect explanation for why it's not a real vulnerability and they're at no risk.


Serious question: why?

Unless the company is lying and it IS a real vulnerability, writing an article about it seems harmless to me.

OFC that if I planned on writing an article I'd be open about it beforehand, but that feels like a courtesy and not an obligation unless an NDA is involved.

Disclaimer: I don't work in security so this is purely curiosity.


It'd be like writing public articles attacking your company's accounting practices. Sometimes things are so bad it's fair to blow the whistle, but it creates nasty incentives if companies can't perform private security investigations without risking a public shaming over the results.


These people are not employees. They don't agree to amounts before starting the work. They don't make promises. Nothing! I don't see how someone publishing something in that situation is a problem.

Like OP wrote in this thread, it either is a vulnerability or it's not. In the latter case, just assume it's the cost of doing business and people will write "bad" things about your product?


An NDA is always involved. And even if not, badmouthing your customers is bad business.


Are they really customers?


If we're talking about normal security consultants and not h1, yes?


HackerOne is a platform on which Valve runs a public program [1] that awards monetary bounties. I'm confused as to why Valve is allowed to forbid disclosure of "out-of-scope" reports and will only "generally" disclose reports in any case:

> Please note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable, or where Valve has not taken a specific corrective action / mitigation.

> Valve embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request.

[1] https://hackerone.com/valve


I think a lot of users of your platform would disagree. Publishing attacks like this and getting them noticed helps prevent targeted attacks.


I'm not suprised at the response they got when they reported the vulnerability. Somebody reported an XSS vulnerability in the Dota 2 UI, and they wouldn't fix it. So (probably the reporter) created a worm in the client that spread through your friends list in game and defaced the client. People also found out you could crash the client by using the XSS to download very large images. There was no way to protect yourself either, because messages from friends are automatically displayed with no user interaction.


I like to say "The capabilities of attackers are not bounded by your imagination."

It is possible to get a "security bug" that is technically a security bug, but still isn't really all that important. But you generally want to be very careful in making that assessment, because just because one particular person, even someone fairly skilled in security, doesn't think it can be used to do anything truly harmful doesn't mean that the attackers won't figure something out.

XSS has been a particular rich source of this; it's very easy for someone not too up on security to say "Oh, whoopdedo, it lets you pop up an alert box or change the client side display", when in fact XSS can steal login cookies if you haven't properly secured them (which seems likely to correlate highly with people who don't think XSS is a big problem) and be used to proxy web connections to other resources in the context of the user, conforming to the same-origin policy [1]. So, for instance, with the recent story about a guy finding an XSS in Tesla's service management page, they were correct to respond to that as a serious issue; it wasn't just a way of moderately inconveniencing a service tech, it was a back door into their entire service system, potentially. XSS has a huge mismatch between the general developer's impression of its severity and its actual severity.

[1]: https://github.com/beefproject/beef/wiki/Tunneling


I think the Tesla example you gave serves your point particularly well, because the researcher himself didn’t even know that there was a vulnerability until several weeks after he had placed a probe and someone in Tesla accessed an internal page.


I found XSS in Steam, reported via ticket and email, eventually posted on their forums and found my steam account disabled. It took them 3 weeks and repeated attempts to contact them for them to silently reenable my account.

The XSS was in the screenshot viewer. Names of Source Mods were not escaped. Their fix was to never show Source Mod names on Steam Community at all.


I wonder if that's something to do with their famous lack of hierarchy. A bit hard to tell someone to fix it if you are all equals.


I remember at some point while playing, the main page of the dota 2 client was full of porn. I thought my DNS cache was poisoned at the time, and now, some years later I find out it was an exploit.


I seem to remember that it spread through 4chan on the /vg/ board, someone there found that you could make text look differnt and then it began rolling until someone made a worm. I am not sure it was reported to valve beforehand.


Yeah, it's been fixed a couple of times, but future updates would occasionally cause a regression. There was someone who had been paid for multiple vulnerabilities though HackerOne, but was upset that they didn't get paid for this one, so they showed people how to do it.


I also had a look at Valve's HackerOne policies recently and was unimpressed for a variety of reasons:

- The "Exclusions" are very poorly defined:

Valve will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion.

- What's "In Scope" is extremely vague. Yes, it's a list of domains, however Steam uses way more domains than that. Even then, not everything is tied to a "domain" as such, for instance Steam provides P2P networking. Executables are indeed mentioned, but again, it's vague.

- Payouts seem low.

The HackerOne profile is something I would expect of (and would be acceptable for) a 10 person company, not a massive corporation with millions of users.


> I would expect of (and would be acceptable for) a 10 person company, not a massive corporation with millions of users.

As it happens, there are only about 10 people [1] working on Steam. [2][3] This is the result of both Valve having only some hundreds of employees total and them being to be able to choose what they want to work on. Not many choose Steam.

--

[1] This is not counting customer support staff that is outsourced.

[2] Steam employees self-report the team size as 10 in this interview https://www.youtube.com/watch?v=atwE-K8y-ws&t=8m35s

[3] Someone who recently visited Valve observed this to still be true. "There are approximately ten people inside" + "This is the Steam cabal," https://www.joindota.com/en/news/84521-my-visit-at-valves-hq...


Interesting.

However, in this case, '10 person company' is more meant to imply the resources (bug bounty budget) available to the company. It's appropriate to categorize it as a 'a massive corporation with millions of users' for this purpose.


There's the rub though, right. It's 'a tiny company with millions of users'. QED.


Steam was essentially a small company in 2004, in fact they grew too fast for their own good. Let us remember until the steam patch nobody wanted in 2004, valve had only released half-life and a few other odds and ends, until half-life 2 in 2004. Where steam began the long process of stealing game files from PC gamers and calling it drm.

The whole process which began back in the late 90's with Ultima online in a bid to get people to pay monthly for the same computer role playing games by rebadging PC RPG's mmo's.

So everyone with a clue about gaming history should know valve only seems "big" because the internet enabled gave them first mover advantage when they wrapped the steam store around half-life 2 in the mid 2000's, over the next 5-6 years that would make valve a tonne of money as AAA games released on steam until uplay and origin showed up later.

Let us remember the reason we have storefronts for every company is because the internet enabled companies to steal PC games out from gamers via server locking games to their companies PC's. Now we're even seeing basic game functions held back and sold for microtransaction money.


While I somewhat understand and relate to your overall point, Ultima Online and other MMOs that followed were not simply a “rebadging” of previous RPGs - they were a fundamentally new genre that created some of the most important and impressive leaps forward in multiplayer gaming. Even though some companies are using gamer hostile practices such as micro transactions now, the implication that all online gaming was one big conspiracy to “steal PC games out from gamers” is utter nonsense.


No it isn't, there is no reason for any piece of software to be split between your computer and another company.

If you buy the argument, you obviously never gamed during the 90's during the heyday of level editors, free maps and mods over IPX emulators like Kali and kahn.

It's not utter nonsense, DRM is literally taking files of the game hostage. Go load up overwatch and disable the network card, Go load up quake 3 or Unreal tournament 2004.

You can still play Quake 3 and UT2004, you'll notice a big fat error in overwatch because it is logging you into a server required for it to function.

Go get never winter nights released in 2002, compared against the "f2p" (aka stolen rpg rebadged an f2p mmo during develpment).

https://store.steampowered.com/app/704450/Neverwinter_Nights...

The original neverwinters had game tools and you could run your own server, vs neverwinter the "f2p mmo" version (aka moniker for the game moving to server locked game).

https://store.steampowered.com/app/109600/Neverwinter/

Any gamer in the 90's was expecting more dedicated servers, level editing tools with PC games.

Leauge of legends and DOTA 2 would have been fully single player RTS games with multiplayer.

So no you and anyone who believes like you is willfully ignorant that we now live in a PC game dystopia. Whereas before League of legends and DOTA 2 would have been coded like Quake 3, Unreal tournament 2004, and warcraft 3, you own the game and can play it multiplayer if necessary without a third party.

Diablo 2 we owned it --> Diablo 3 blizzard owns it and can now shut it down

Quake 3 we owned it --> Quake champions bethesda owns it and can shut it down.

So no, we've gone backwards in time to mainframe and dumb client model of computing because of the average gamer being computer illiterate and not seeing the writing on the wall.

So no they were not fundamentally a new "genre" that was what marketing and PR flackeys hoped people like you would buy. Note that private servers prove you incorrect, aka that there exist private servers for Ultima online and World of warcraft, demonstrate tehy would have just been Role playing games with shards players controlled, there was no need for companies to conrol them or the monthly fee.

Overwatch is a case in point that you are incorrect, since it's just a multiplayer fps, why is there no level editors, tools, open file specs and GTKRadiant? OH yeah thats right they wanted to lock down the code from a server in their office to resell skins that are sitting on encrypted files already on your machine setting a programming flag to display, when you've "earned" them via the stupid leveling system or gambled for them using their lootbox system.


I do agree there are troubling trends related to changing dynamics of ownership of digital media and how much of of regular consumer's consumption is of DRM'd digital media. However, I greatly disagree about relating RPGs like Neverwinter Nights to Ultima Online and other MMOs. When paying for an MMO, you're also paying for server hosting of extremely large realms with thousands of concurrent players at a time. This is fundamentally different from having fractured, isolated, differentiated small servers. The experience of these massive servers is a fundamental part of the experience these developers wanted to achieve, and are thus integral parts of the game.


MMO's were the propaganda to sell you the same RPG's without having to give you ownership, if you can't see that when Guild wars had 8 player multiplayer but jury rigged a login/drm system on their PC RPG, you're clueless.

That is why PC RPG's were rebadged mmo's, so that they could use it as a battering ram to change game culture. It's all about profits for these game companies, they wanted control of the software to put microtransactions in them. Notice after Valve, EA and activision got control of the software, they immediately shoved microtransactions into games.

You don't have to deal with lootboxes or MTX if you own the game outright. MMO's were part of the long term war on software ownership on the PC. To not see that and think they are special because you have very powerful feelings for these games, means you're ignoring the overwhelming evidence that the game industry was successful in changing public opinion regarding game ownership. AKA got you to see software as a service as "OK" and that's all they needed to get their foot in the door to take control of the software, once they got a generation of kids that's ok buying software they don't control - the skies the limit at abusive microtransactions, lootboxes and in game stores.

That also means level editing, free maps and mods need to be scaled back because it interferes with profits.


There is a fundamental difference in scale between MMO and RPG.

MMO's argument for online portions of their service were based around that scale. There are plenty of online only games, loot boxes, microtransactions that can happen outside of MMO/RPG style games, some existed before MMO's even took off.

To ignore the fact that MMO's absolutely do need more hardware and need to be split between client and server shows a clear lack of understanding or knowledge about client-server models, large multiplayer games and development.


But the server code has been part of games for ages.

You could argue even a game like Minecraft (which is not totally DRM free) includes the server code, so players (and companies) can setup servers as they please.

The only reason I can see for a game to not include the server-side code is to hold the users hostage.

5-10 years from now, nobody will be able to play these games because the servers will be discontinued. We effectively "rent" them because of this.


Uhh, lets remove the progaganda shall we

MMO = marketing term for computer program instructions

Is there any reason as a gamer for any program to be split between two computers when companies goals are to maximize profit, not produce the best games?

So no I understand perfectly well. The fact that private servers exist for world of warcraft and ultima online demonstrates your comment as a farce.


>MMO's were the propaganda to sell you the same RPG's without having to give you ownership, if you can't see that when Guild wars had 8 player multiplayer but jury rigged a login/drm system on their PC RPG, you're clueless.

I downed your post because resorting to personal insults is against HN's guidelines.

To your point, there exists MMOs that are validly massively multiplayer, online games. There are also many games that didn't need to be architected as an MMO and, from a cynical viewpoint, that could be seen as a land-grab taking control away from the consumer.

You have glossed over a lot of other facts in your pursuit of black-and-white here. For example, Quake 3 and UT2004 had CD Keys. Likewise in regards to Steam, it's not that there are zero benefits to that delivery mechanism over how things were beforehand. Automated install and patching is a far cry from the messing each person had to do previously.

It's certainly debatable whether these things are a net positive or negative, and IMO it's becoming increasingly a negative as time moves on.


> *No it isn't, there is no reason for any piece of software to be split between your computer and another company. ... You can still play Quake 3 and UT2004, you'll notice a big fat error in overwatch because it is logging you into a server required for it to function."

There is a reason and it's a darned good one: piracy. It was well discussed on professional game development sites in the '90s and '00s; building a online game or game with a large online component meant that it was immune to being pirated.


Also hardware/horsepower. MMO's work at a scale different than 2, 4 or even 8 player games do. Often its not possible, practical or more prone to issues to try and have a client only model for some games.

Eve Online is a good example of this.


> There is a reason and it's a darned good one: piracy.

This is not a good reason at all, especially from the consumer's perspective.


Game development is a risky and often thankless undertaking as it is, that the developers sought profit in the face of widespread IP theft is neither immoral nor unsurprising.


> often thankless undertaking

Why would i "thank" someone that puts unnecessary restrictions on how i can use the program i paid them money for?

> neither immoral

I see it as very immoral to deny me access and control to the software i paid for, especially when that happens because the developer treating me in a guilty-by-default way for something they have no idea if i'll do or not.


>Why would i "thank" someone that puts unnecessary restrictions on how i can use the program i paid them money for?

You could thank them for writing the program for you in the first place, if they didn't then you'd have to do it yourself.


You paid for access to a client and limited term access to the services it requires. If that's not acceptable to you then _do not purchase it_.

It's a game. No one is forcing you to play it.


> If that's not acceptable to you then _do not purchase it_.

> No one is forcing you to play it.

That has nothing to do with whether the product is moral.


It is when they are stealing the game files and code using public internet infrastructure, aka selling you incomplete software.


It is not theft to not consent to sell a particular sort of product, and instead to sell another. Software as a service is not theft.


> stealing the game files

The correct term is "fraud". Just because copyright trolls misuse words that way doesn't mean we should sink to their level.


Out of curiosity: how does piracy for a single play or local multiplayer game from the '90s and '00s compare to today? Things like legitimate sources for digital distribution and regular sales could have an impact on piracy without requiring Internet connectivity for DRM.


The long term trend in PC gaming was to slowly move parts of game programs onto servers in corporate offices so they could control them and extract monopoly profits. The goal for any capitalist organization is monopoly profits. You can do that in many ways.

League of legends and DOTA 2 were just real time strategy games that have been coded to use the mainframe model, instead of the locally run application model like quake 3 and Unreal tournament.

That was the whole plan for all new PC games. Think about this - league of legends makes pure profit selling flags to display skins that are already on kids machines because we know how computers work. That was the end game for the game indsutry to resell the same game assets like skins and characters over and over at insane margins.

That's exactly what we got with lootboxes and mobile - aka a platform that is completley locked down and there is no software ownership. Go to google and select images, and put in "mobile game revenue 2019" or any other year just prior to this one. Then compare it to PC or console game revenue. The software industry is obsessed with locking down the PC because they see the mad profits from mobile. That's why we got drm in windows 10...

It's all been slowly building from early succeses of walled gardens like mmo's and steam in 2004, to fully server locked multiplayer games that companies control like league and dota 2. To mobile gacha games that sell gambling for pokemon like characters to kids for sick profits without the kids getting any ownership of the software they are paying for.


[flagged]


It's not theft to provide software as a service. Nor is it a con of any sort.


It is because that means you control my PC from your server in your office and force me to use software in a particular way, that's what I call fraud buddy. You can shut off a piece of software or deny me access to the files I paid good money for. It's all because of corrupt IP law regarding software that was bribed away by silicon valley tech money, they made sure the public had no ownership rights regarding software.

So we might ask - dude where are the publics property rights regarding game software? But that might be too sticky an argument, the world is run by a lawless corporate oligarchy that rubber stamps the laws it wants passed. Given infinite IP law extension.

https://en.wikipedia.org/wiki/Copyright_Term_Extension_Act#/...


> It is because that means you control my PC from your server in your office and force me to use software in a particular way, that's what I call fraud buddy.

Nobody forced you to click the "play game" button. If microtransactions or whatever make a game not fun for you, then you are free not to purchase, or play, that game.


You are not forced to use the software.

Customers pay for access to a client and limited term access to the service it requires.

It is not fraud because there is no deception.


It is fraud because I have no power to modify your bad behavior, when you code a game fraudulently. You can sit in the middle of the continent and get the lay public to buy software infected with privacy and consumer rights violating program code. That is how DRM and non ownership occured, not because PC gamers wanted it, but because you could force it using internet infrastructure because your customers are 100's of miles away. You no longer have to press CD's/DVD's and give them the complete software. You can just hold parts of the game files back on a computer in your office. AKA selling incomplete software or fraud.


Since when are you the legal arbiter of what's "incomplete?"

This would be fraud if the deal turned out to be misrepresented: they promised to give you you "all of the software" and you got something "incomplete."

I'm willing to bet the Terms of Service for whichever piece of theoretical SaaS you're voluntarily opting to purchase a license for clearly outlines your rights and relationship with the vendor.

It's not "fraud" just because you think it ought to be.


It is because the internet collectivizes the ignorant public and you can use them as the army of the ignorant to defraud me of my basic rights to general computing.

The game industry and microsoft are well ware of the publics lack of understanding of how computers and computer networking work. Two pre-requisites you would need to have a functioning market. The information asymmetry between game buyer and game maker is off the charts.

I who do not want DRM and spyware in windows 10 are now forced along because ignorant parents buying computers don't understand or don't care about such an issue. Meaning I lose control of my rights to own my own files and not be spied on because the worlds global public is computer stupid.


I heavily sympathize with your point of view. I take issue with your use of the word “fraud”, but I also understand what you mean by it based on how you use it.

From my experience on HN over the however many years I’ve been here, the way HN commenters use the word “fraud” is predominately centred around the legal definition of fraud (as in “what legally constitutes fraud”) [0]. The way you use the word “fraud” reminds me of how my dad used the word once, and it is closer in my mind to the word “cheated”, even that might be a little strong.

I understand the frustration of DRM and having software be split between into client and server when it is arguably unnecessary. I’ve never thought about it has “holding parts of the games files back” given that the company never agreed to give the files in the first place. At the same time, on a longer time-scale, the behaviour is indeed different from before (the Diablo 2 to Diablo 3 example). The one contrived example that I can think of is selling fruit like apples: before you were sold the entire tree, and now you are sold just apple slices, so you don’t even get the seeds, but they were and are being sold under the same packaging of “apples”.

I took the time to respond to you because you made good points, the other commenters genuinely seemed to sympathize with you arguments, and you seem to be new here. The wording of your comments taken literally can appear factually inaccurate or exaggerated. However, I remember the same transition period in gaming and I recognize the timeline and the events in your narrative despite not sharing the harshness in your perspective.

The personal attacks you made were definitely uncalled for and unnecessary: in your position, I would just say, “What am I missing?” to indicate that there is something about another commenter’s point of view that you are confused about. You will get farther here if you assume positive intent and focus points of confusion at yourself instead of others e.g. instead of saying “you must be delusional to assume X”, say “it doesn’t make sense to me: why assume X?”. Both statements indicate the existence of confusion, but the second one allows for dialog without judging the other commenter.

Enjoy HN!

[0] https://en.m.wikipedia.org/wiki/Fraud


The problem is that splitting the app in this way is so very lucrative.

Disallowing players from enjoying a game without paying doesn't work for everyone, but the network effects of multiplayer games virtually assures an increase in sales once your game passes a threshold of popularity.

The tradeoff, however, is that this won't work for small and niche games. For players to convert to purchasers the value must appear sufficient, and a multiplayer game with no players has little value.


I think there's a lot of reasons that games aren't modded much anymore that aren't really about locking down content. Like, most of the content in those games is so high-end and produced by huge teams, so trying to do anything new with it is nearly impossible for an amateur. And the people that can do it have much more motivation to use something like Unity or Unreal Engine


I have to say I think all those problems would have been worse without Valve and Steam, and will become so as Steam becomes "just another" DRM agent. The dream of perpetual rental will never die.


It greatly depends. Look at what happened with Apple and iTunes. Apple created iTunes, and set up rules for music publishers that wanted to participate. They were required to sell individual tracks. They were forbidden from charging more than 99 cents per track. They were required to permit the user to burn songs to audio CDs. Etc. This ended up putting music publishers in a difficult position. Their retail distribution agreements with record stores explicitly forbade them from doing any of these things. So they either had to re-negotiate those contracts, cancel them, or abandon iTunes. They attempted to re-negotiate their agreements with record stores, but record stores adamantly refused to budge. They wanted to maintain their prior agreements that forbid the publishers from selling their music through other venues for lower prices, before the retailers could stock their shelves, etc. The record companies never budged, and went out of business thanks to their stubbornness.

Contrast that with how Valve handled Steam. Valve set no restriction on game publishers. Publishers were never forced into taking advantage of digital distribution at all. They were able to preserve all of their retail distribution contracts by screwing the customer. Digital distribution is profoundly cheaper, enables release of games a week sooner, could rely on Steams DRM without needing third party extra DRM, etc. These are all things Valve could have required publishers to take advantage of to benefit customers. But they didn't. They gave publishers carte blanche and let them do absolutely anything they wanted. If another company had been the one to become the dominant platform, it could have been more like the iTunes situation.

This is also the thing which guarantees Steams eventual downfall. Music publishers considered, and a couple even tried, building their own digital distribution service. But, the publishers were incapable (because of institutional restrictions) of building a competent competitor that would be appealing to consumers. The publishers board wouldn't permit things like individual track sales, 99 cent price caps even for popular singles, etc. Steam is a different story. Since there are literally no restrictions on publishers at all, there is also no reason for publishers to refrain from building their own separate platforms and cutting out Valve's cut of the sale. Gamers have established that they are more than willing to install and use however many launchers as necessary, so there is almost no reason for big publishers to use Steam rather than just building their own.


Gamers may be reluctantly willing to install multiple launchers, but Ubisoft and EA's launchers are universally hated. I personally have skipped many Ubisoft games that I would really liked to have played because I just don't want to sign up for their invasive spam machine.


Gamers naively assume that hating something means anything. It doesn't. Publishers look at the numbers, and couldn't care less about what gamers feel. Gamers line up to shovel money in the publishers direction, and indie publishers that don't engage in abusive practices get left out in the cold by gamers. In the boardroom, there flat out is no evidence to suggest that resisting engaging in abusive practices would be anything but destructive to the business.


I've used both Ubisoft's and EA's launchers and I don't see how they're any worse than Valve's? The worst I can say is that they don't have as many features but that's not necessarily a bad thing.


They're both far more pushy with their ads and marketing for one, but the problem I have with them in general is why do I need to sign up with a publisher and install a new app to play a game? Imagine if instead of Spotify you had to make an account and download an app for every record label. Also, they are really just terrible companies.


I wouldn't be surprised if this is for backwards compatibility with older games (the linked twitter "exploit" is certainly due to many games writing files in their own folders) and avoiding the need to show the UAC prompt when installing dependencies (VC++ runtimes, etc) in many newer games - especially if you take into consideration Steam's Big Picture mode and that it needs to be usable with a controller (though perhaps the Steam Controller can also function as a regular desktop mouse, assuming it doesn't rely on Steam itself to move the cursor around - which may not work when the UAC prompt is shown - and on the other hand some older games do need to run as Administrator and/or a compatibility mode that shows a UAC prompt, so perhaps SC can work with that).

BTW...

> Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90% discount you will not get a hidden miner?

...beyond this being FUD, games do not need to run with Adminstrator privileges to put hidden miners and even if they did, all they'll need to do is simply... show the UAC prompt. So many things show it that people will accept it anyway, especially when they're trying to start a game. But more importantly, such a game will be removed instantly from Steam and thus wont spread much while the developer could be sued (before publishing anything on Steam you have to give them your full details) making the entire endeavor not worth the effort.

Though of course this issue can be taken advantage of outside of Steam.


> especially if you take into consideration Steam's Big Picture mode and that it needs to be usable with a controller (though perhaps the Steam Controller can also function as a regular desktop mouse, assuming it doesn't rely on Steam itself to move the cursor around - which may not work when the UAC prompt is shown - and on the other hand some older games do need to run as Administrator and/or a compatibility mode that shows a UAC prompt, so perhaps SC can work with that).

The Steam Controller has a "lizard mode" for when it can't connect to Steam where it just acts as a dumb mouse. I have no idea whether it enables that for UAC prompts, but it probably could.


I just checked, and yes, you can use Steam Controller to get through UAC prompts. The joystick mimics the arrow keys, the right trackpad moves the mouse cursor, the trigger buttons represent mouse clicks, and A is Enter.


How does Steam capture the secure desktop that displays the UAC prompt?


It doesn't. The controller simply acts as a mouse/minimal keyboard outside Steam.


It actually gets even more confusing. Desktop mode (what you get when Steam is in desktop mode or you're tabbed out of big picture/TV mode) is completely separate from lizard mode (what you get when Steam isn't running or can't grab the desktop due to UAC/Secure Desktop).

That matters because desktop mode still has customizable keybindings as usual, while lizard mode is completely hard-coded. Lizard mode also (obviously) doesn't support the soft keyboard, which would otherwise have been pretty useful from the lock/login screen.


So if you're using Steam streaming and the session switches to the secure desktop due to a UAC prompt, what happens... does the screen just go blank (a la VNC), leaving the remote user locked out?


Just tried. If you're already streaming, it manages to show you the prompt, but there's no way to interact with it. The mouse moves (both on the host and client), but clicks don't go through. Keyboard navigation doesn't work either.

If you try to stream something that first pops up UAC, the client just sits there waiting for it to be dealt with on the host.


Steam streaming always manages to feel half baked to me for reasons like this. Another is that it needs to unlock your screen before it can be used. So you either leave your computer unlocked, or you need to VNC into it to unlock the screen so Steam streaming works.

Every time I do that I think there must be a better way.


Yeah, i often control my machine via RDP and then streaming a game from there is a pain. Here is some script I've found to unlock the local pc, disconnecting RDP in the process:

> @powershell -NoProfile -ExecutionPolicy unrestricted -Command "$sessionid=((quser $env:USERNAME | select -Skip 1) -split '\s+')[2]; tscon $sessionid /dest:console" 2> UnlockErrors.logpp

I've not used it often and mostly given up on Steams streaming stuff. Playing simple stuff though RDP directly usually works well enough for the few times I still did that. Notably pretty much all games launch flawlessly. The drawback is it not being optimized for games, offering a notably worse performance on that front.


Come on folks, don't downvote a question you don't understand


The problem is that the privileged service modifies permissions of arbitrary registry keys that don't belong to the steam client. Simply checking that the path is below the steam path before calling RegSetKeySecurity would fix the problem.


Yup. It is probably a single line of code. Make it two, if they are using C# :)


Complaining about privilege escalation is not FUD.


> all they'll need to do is simply... show the UAC prompt.

Yeah, this is a good point. Not sure how many folks here play a lot of Steam games, but a ton of them install their own specific VC++ runtime redists (sometimes multiple) at first run, and each of them throw their own UAC prompt.

It's absolutely an established pattern for me to mindlessly click through 1-5 UAC prompts on first run of Steam games. (Though they're typically all Microsoft Corp signed in the prompt, which is helpful.)


>I wouldn't be surprised if this is for backwards compatibility with older games (the linked twitter "exploit" is certainly due to many games writing files in their own folders)

Maybe they should use "c:\users\all users\appdata" for this purpose instead of using "c:\program files"?


Nowadays you can install Steam on a separate drive. I have a 500GB PCIe SSD but install my more intensive games on a regular SSD and then the rest on a 1TB spin disk. So in a way you wont always install it in Program Files if you pick a new location to install.


Yeah, i never install it on Program Files myself, i always use a root level folder like C:\Steam (and a reason is UAC too, while Steam does more or less seem to bypass it, some patches and mods for older games do not always work that well if Steam is in Program FIles).


> some patches and mods for older games do not always work that well if Steam is in Program FIles).

How old? Like DOS old? Because most programs from this century should assume they were installed somewhere inside of Program Files.


If you get into running old games in modern Windows, i think you'll find that when it comes to games such assumptions are the first to fly out of the window :-P. Games tend to be among the most brittle desktop software.


There is more blatant violation:

1. Log on as non-admin on a box with steam 2. Do not start steam or any game 3. cat %system32%\calc.exe > %programfiles%\steam\bin\steamservice.exe 4. Reboot 5. Log on, start steam 6. BAM! Now you have calc.exe (attempted to) run as System with highest local priveleges


Have you reported this to the vendor or whatever channels are required to get a CVE?



So this is less of a 0day and more of a 1300day :)


> 3. cat %system32%\calc.exe > %programfiles%\steam\bin\steamservice.exe

This requires elevation.


On my machine, the Steam folder is writable by the Users group.

I didn't modify anything so I assume Steam set it that way.


Of course, how else is a user running Steam supposed to update it?

Headdesk


Through Steam service running as NT AUTHORITY\SYSTEM? Like "Mozilla Maintenance Service" for Firefox.


That would require Valve's developers have a clue about basic security...


It's ironic, because Gabe Newell himself started at Microsoft. Now he's created a company in which apparently none of his employees understand the security model of Microsoft products.


If true, then I stand corrected.

However, I'll point out that one hardly needs administrator access to, say, encrypt your documents and install a crypto miner. The whole idea that gaining administrator privileges through local escalation on a personal desktop is A Big Deal(TM) is silly.


As the degree of privilege you get on a system goes up, your ability to persist attacks increases. In the limit you end up with cases where the malware is running as a hypervisor, rendering Windows actually entirely incapable of seeing it or dealing with it. I seem to recall some countermeasures have been added but I don't recall all the details or know what the current status of that is, but I'm fairly sure that has has happened in the wild, not just a theoretical attack.

So even if someone gets exec on your user files, you'd still prefer them to be limited to your user and not running at higher priv levels. Even if 90% of the damage is done with access to your personal files, it still adds more damage with higher privs.

Plus this means user-level countermeasures like "run steam as a separate user" are useful; with escalation, that's not an effective defense. Also, if you've got multiple users on the computer, an attack that can't escalate privileges might ruin your day, but an attack that can escalate privileges might ruin your day and your spouse's day and anyone else in your family's day, so even in terms of "personal files" on a modern Windows system you can still be looking at more damage from an escalating attack.


Of the people trying to say this is a big deal in any way, I must say that so far you are the only one to make any reasonable points.

> So even if someone gets exec on your user files, you'd still prefer them to be limited to your user and not running at higher priv levels. Even if 90% of the damage is done with access to your personal files, it still adds more damage with higher privs.

This is debatable, since whatever other damage they could do is something I'm not likely to care very much about compared to all my work, the whole reason I have a computer in the first place, being held for ransom or otherwise lost to me.

> Plus this means user-level countermeasures like "run steam as a separate user" are useful; with escalation, that's not an effective defense.

I suppose this is true, however I don't think any competent authority will tell you that simply running a program you don't trust as another user should ever be relied upon as a sandboxing mechanism anyway.

> Also, if you've got multiple users on the computer, an attack that can't escalate privileges might ruin your day, but an attack that can escalate privileges might ruin your day and your spouse's day and anyone else in your family's day, so even in terms of "personal files" on a modern Windows system you can still be looking at more damage from an escalating attack.

That's a fair point.


> I don't think any competent authority will tell you that simply running a program you don't trust as another user should ever be relied upon as a sandboxing mechanism anyway.

You're right that merely using "runas" does not provide any additional security (at least none that can't be circumvented). However if you run an application in a separate desktop session under a separate user account that does not have admin access at all (e.g. the account type is "standard user") then it should be sandboxed from other users (in technical terms, it's a security boundary).

The most practical way to do this on a consumer desktop would be to have a separate "Steam user" account that you log in to for the sole purpose of running Steam. While most people wouldn't want to do this (as it's inconvenient), it should at least be an option for those that do want it. To put it another way, there's no good reason to undermine the enhanced security provided by separate user sessions.


>The whole idea that gaining administrator privileges through local escalation on a personal desktop is A Big Deal(TM) is silly.

I’ve seen steam on work computers. This isn’t limited to home desktop users by any stretch. People install steam because they don’t know it puts their work computers at risk.

You could argue that they shouldn’t have games on a work PC (some companies are a bit more lax and even play together) and an easy way to convince them to not do that is if you point out that Steam makes your system less secure by design.


>shouldn’t have games on a work PC

Steam also sells design tools and complete sdks. Idk if it is a common way to install them though.


And for a game dev company, you really might have Steam installed for legit business purposes

Security is still important for those companies

Edit: downvoters, I would really like to know why this post deserved downvotes


This attack would require that you are A) Installing something you don't actually need for work, or B) Whatever you need for work is infected anyway.


No it doesn't. The attack does not require you to install a compromised game like 0xDEFC0DE was suggesting in the other thread. Obviously if you install a compromised game then no other attack is necessary.


FTR the problem is steam and the game doesn’t matter. I wasn’t suggesting individual games needed to be installed and steam alone is enough for this compromise


You're right, I've conflated the issues.


> People install steam because they don’t know it puts their work computers at risk.

Tell me, what precisely does having administrator privileges on a workstation provide that having the user account's privileges does not? With the user account you still have access to the user's files (and they are almost certainly the only user of that workstation) and all network resources they have access to.


> and they are almost certainly the only user of that workstation

If the machine is on a Windows domain, usually anybody on that domain can log on to it. Which means I can walk up to your machine while you grab a coffee and use this attack to gain full control over everything on your machine. If you do anything personal on that machine, eg email, I just got access to it.


You could do that without steam just by clicking through the UAC prompt.


Only if your account is a member of the local administrators group. This attack allows any domain user to elevate privileges on a machine with Steam installed.


Only if you can convince them to run your malicious binary. That's a much different attack, with this attack no user interaction is required.


They're already choosing to install a game on Steam, on their work computer. That's the scenario we're talking about.


No, that's what the user 0xDEFC0DE was talking about, not the parent.

The parent is describing an attack which does not require the administrative user to do anything except install Steam. Any other user who can logon to that machine could use this privilege escalation exploit to access the administrative user's files


As another user pointed out, I've made the assumption that the malicious user who logs into the target user's workstation would also have administrative permissions, in which case they don't need steam to accomplish this attack.

However, this is not necessarily the case, so I yield the point.


I would go as far as saying it's almost guaranteed not to be the case. In what situation would two different users, neither of which being IT staff, both have administrative access to a work pc?

As a particular problematic scenario, consider a school: Steam cannot be used in educational settings because of this issue.


Alright, you've convinced me there is legitimate concern here after all.


Thanks for hearing me out, I appreciate it.


You can't click through a UAC prompt to elevate if you don't have local administrator rights.


Install persistence, stealth like clearing logs, gather more information from AD, run code that wouldn’t otherwise be possible.

But no let’s just forget all of the reasons we use group policy and principles of least privileges.

Imagine if your initial foothold is user with Steam installed. You just got SYSTEM for free.


> gather more information from AD

What good is the computer account for this when you already have the user account?

> But no let’s just forget all of the reasons we use group policy and principles of least privileges.

By that rationale, computer accounts should have far fewer privileges than the actual user account anyway, so again having local admin isn't worth much.

> run code that wouldn’t otherwise be possible

Namely?

> Imagine if your initial foothold is user with Steam installed. You just got SYSTEM for free.

And I'm struggling to see how that adds much to my problem of someone having a foothold on a user workstation already.

And that's ignoring the circumstances of Steam being installed on the workstation in the first place AND the user having installed some untrustworthy game with it in the window since the game's appearance on Steam and its detection and removal.

Which is also not to mention that this means the user has the ability to install software and is therefore infinitely more likely to just download some malicious installer from the nefarious portions of the internet that they can access with a web browser.


>Namely?

Powershell, friend. Changing execution policy requires privileges. Guess what SYSTEM gives you? Plus you can disable windows defender and install any nasty things you want! Pretty sure you’d need system to snoop/inject traffic too.

If you have other services or applications installed (like IT setting up your workstation), those things can now be read/changed where they otherwise wouldn’t be with just user access. This can lead to other information leakage about other parts of the network or services.

>And I'm struggling to see how that adds much to my problem of someone having a foothold on a user workstation already.

No fucking shit, but you don’t let them walk into system just because they got user.

You’re taking the stance that any compromise means death and that’s directly opposite of defense in depth, so you clearly don’t believe in that. That’s just being lazy mate. Why not just chmod 777 everything and call it a day?

>Which is also not to mention that this means the user has the ability to install software and is therefore infinitely more likely to just download some malicious installer from the nefarious portions of the internet that they can access with a web browser.

Because they don’t know Steam is insecure by design! They trust Steam! That’s the problem! This isn’t common knowledge and since Steam won’t fix it, it needs to become common knowledge.


> Powershell, friend. Changing execution policy requires privileges. Guess what SYSTEM gives you?

PowerShell execution policy is stupid easy to bypass. You simply pass the '–ExecutionPolicy Bypass' parameter when launching the script. Of course, since you already have complete control of the user account, being able to run PowerShell isn't nearly as big a deal as the fact that you can run anything at all.

> Plus you can disable windows defender and install any nasty things you want!

Windows defender, like pretty much all AV software, is crap anyways and won't detect most of the things you'd be interested in doing. It's a low-effort screen for well known malware. Case in point: it didn't catch your malicious installer when Steam downloaded and ran it in this scenario did it?

> Pretty sure you’d need system to snoop/inject traffic too.

That may well be true, but considering I pretty much already have full control of the user account and can therefore do everything it can do on the network without injecting anything, I'm not sure what is gained.

> No fucking shit, but you don’t let them walk into system just because they got user.

Eh, it isn't really worth my effort to try and prevent it when all they'll have to do is fire a UAC prompt the user will almost certainly just click through anyway. Especially considering what little (basically nothing) it gets the attacker.

> Because they don’t know Steam is insecure by design! They trust Steam! That’s the problem! This isn’t common knowledge and since Steam won’t fix it, it needs to become common knowledge.

So here's the scenario you're talking about: A user has installed Steam on their work computer. They use Steam to download an installer that is actually malicious and this fact has not been caught by Valve yet. Steam, who's entire purpose is to install games, runs the installer. Consequently, the user account is now owned by an attacker.

...And even if this vulnerability were patched ALL OF THE ABOVE WOULD STILL BE TRUE!


>PowerShell execution policy is stupid easy to bypass. You simply pass the '–ExecutionPolicy Bypass' parameter when launching the script.

GPO prevents this but if you have local system you can override that locally and then change execution policy.

I’m sorry, I don’t say this often but you don’t know what you’re doing so I’m not going to take the time for the rest of your post. I’d encourage you to research this more if you like it.


Since the account is compromised and can run any executable it damn well pleases, I'm not even sure how preventing powershell from running a script is at this point is supposed to help.

You strike me as a very typical infosec person, always endeavoring to make mountains out of molehills and add unnecessary friction to everyone else's job in order to add minor benefits in highly improbable scenarios.


Again, defense in depth. Don’t discard additional layers of security because one layer fell. The idea is to exhaust attackers and make it cost ineffective. PowerShell empire and mimikatz are two popular things that require it. I am not in infosec though

All things considered, thanks for discussing this with me despite my harsh language and tone. It’s a bad habit of mine


Microsoft considers this kind of escalation a security issue and will issue patches if this is found in Windows components. If Steam is installed on a corporate network PC (game development, QA services, esports teams, etc?), regular users being able to elevate to machine admin is a big deal.


> Microsoft considers this kind of escalation a security issue and will issue patches if this is found in Windows components.

Makes sense, because Windows is also used for servers. The Steam client is not.

> If Steam is installed on a corporate network PC (game development, QA services, esports teams, etc?), regular users being able to elevate to machine admin is a big deal.

No it isn't. This is effectively the same as being installed on some home PC. Being local admin on the workstation doesn't really give you any more ability to do damage than just a regular user account. A non-administrative process still has access to all the user's stuff, and all the network resources that user account has access to. Local admin doesn't really give you anything new.


> Being local admin on the workstation doesn't really give you any more ability to do damage than just a regular user account

That's dangerously untrue. On all the Windows systems at home, everybody else is a non-privileged user and I set sane file permissions so they can get to shared movies, etc, but not read my bank details and tax records. Privilege escalation means that they could trivially change those permissions. The same is true of a corporate environment -- just because you can't also make changes to AD doesn't mean the threat of accessing local files under other users' accounts is trivial.

ETA: I just read a bunch of this user's other posts in this thread and I'm beginning to suspect they're trolling, so I'll disengage.


> On all the Windows systems at home, everybody else

Ok, in that scenario it is true, but multi-user desktops in the age of smartphones and tablets are a vanishingly small niche. My experience in corporate environments suggests they are also almost entirely 1:1 as well.


local admin on windows is similar to having sudo rights on linux. It can be used to access personal files and running sessions of other users on the same machine, to install malware that will affect other users, to change drivers, to block AV or GPO policies from being applied to protect them, etc.


Local admin just makes the life of IT guys more difficult. It's why we don't give it out to your typical "worker drone" employees because they'll manage to install many flash players that want to admin escalate....


I've found the opposite, that for the most part people just want to be able to do their job and sometimes they need administrator rights for that, and it is incredibly annoying and frictionful if they need to contact IT every time. Since workstations are almost always 1:1, we don't consider whatever advantages local admin might provide an attacker to be worth the extra friction caused by disallowing it.


I think we all realize that you don't need admin privileges to do harm. Simply having any kind of access is sufficient. But if you want to install a system wide keylogger to get access to bank/finance logins, for e.g.. admin privs help.


Eh, not as much as you'd think. I've written keyloggers. In the XP days running a keylogger under local admin ensured you'd get everything, but that stopped working around the time of Vista. So now what you have to do is launch your keylogger process in the user session context anyway. Admin access would just get you the ability to do it to more than just the initially compromised account, but in my experience workstations are 1:1 so that doesn't really get you anything.


Hmm, don't you need SeDebugPrivilege to access the process space of another process launched by the same user account?


no it does not!

the issue is this file has W permission for all users


"It rather involves being on this side of the airtight archway"

you can't write there without elevating. at which point you can just register stuff to run as you wish.


Steam also stores your credentials world readable on the file system, I reported it I think in 2016 and they just said it was a limitation. I know Epic Games takes security more seriously than Valve at least.


As I understand it, there's no way to have the feature of "remember me" on the login box allow skipping 2FA without this. Anywhere they could put it while still allowing a no interaction login would be just as vulnerable.

The primary way of attack was to trick a steam user into either uploading the token file directly, or trick the user into running an executable that uploaded it silently. If you're already tricking the user into running an executable you design, there's not much left that can be done to stop this since such an executable could reach inside the running steam process and read whatever data it likes.


The attack here is simply another login on the same machine can get the token. I think that’s how I discovered it, I logged into another account on my machine and Steam logged in using my other account on start up with out asking me to login again.

I should also mention the trend towards these Vault services to store secrets is even worse, as that they effectively make all secrets on a machine world readable since an off box service can’t determine what user is making the request. And the trust on first use idea is lacking in most implementations and vendors like HashCorp in fact don’t want to add it anymore since apparently their users had problems using it and would lock their apps out by accident. So... yeah.


Signed and public-key-encrypred tokens


Plus, use Windows' Protected Storage Subsystem (which has been around forever) to at least lock the tokens to a specific Windows account/user. No need for a machine-wide readable file even if the tokens were signed and encrypted.


Seeing how Epic was caught uploading a copy that file (also contain friend list and wish list) for untold purpose (officially to import friends while bypassing steam api). I don't think they deserve any praise.


Opening, not uploading.


Copying not uploading.


Do you have more details on this?


I am glad someone is finally paying some attention to the multiuser security of Steam. The fact that it makes its whole program directory world-writable is ridiculous. I really hope these bugs get corrected because as it is, Steam cannot be safely used in multiuser environments.


Valve in general seems to be vague on the entire concept of multi-user. They have a family plan where you can share your library with your family, but with the limitation that only one member of the family can be playing a game at once.

Even if you are trying to play two different games Steam will try to kick one of the players off. It seems like they think a "family" is a family of computers that one single person might want to access. I get that they might be concerned that someone sets up a Steam account for their entire floor of the dormitory or something, but wouldn't a sensible limit be more like 5 instead of 1, with the additional limitation of only one copy of a particular game at once? Plus the ability to buy multiple copies of a game for a single library if you want? Netflix, Amazon Prime Video, Hulu, etc... all figured this out, why can't Valve?


I agree that Family Sharing could be less restrictive but it's not quite as bad as you describe. You're already limited to the number of "Family" accounts on a single system, and I believe also to the number of systems where a given account can be "Family enabled". I also hasten to point out that it's arguably the least restrictive sharing system of any digital storefront on PC or any console.

Also, you can buy licenses for a game on more than one account. If sharing is enabled for accounts A, B, and C on a set of computers, C can use a license from A or B, if both own the game. The trick is that it tries to use the license of the person who enabled sharing most recently. So if A enables sharing, then B, but B is currently playing a game, it won't let C play a game that both A and B own. You can log in as B and disable sharing, then it will work. Alternately, there are tools to fix this automatically by editing config files -- and in retrospect, they probably work because of the security flaws mentioned in an earlier thread...


> Steam cannot be safely used

Why I have a separate gaming only computer... no banking, no work, no social media, nothing but game platforms.

In fact, it's the only computer I run Windows on.


I agree the situation with Steam is not good on Windows. It’s already in a very privileged position because it can take full control of the screen with overlays, access controllers, and silently install games, all without the user ever seeing a single UAC prompt. I doubt those functional aspects will change in future.

I’m glad the issues are getting more attention and hope Valve finds effective ways to harden their client. This is needed despite the walled garden they have.


Steam allows you to stream games from other network PCs. I found it interesting that you could stream games and sometimes glitch out of the game but still keep full control of the desktop. Odd, because steam makes a wonderful RDP-like client. Concerning, because i never entered my password for that computer.

I turned off remote streaming after that happened. Author of this paper is right for disclosing


You do have to log into Steam with the same account on both PCs, don't you?

Personally I find it annoying that it doesn't have a fallback whole-desktop mode, since some game launchers (eg Minecraft) interact very badly with Steam streaming, and Microsoft insist on turning RDP off on consumer editions. You can fake it by installing Notepad as a "third party game", but it's not entirely reliable.

I ended up using Nvidia+Moonlight to stream Minecraft.


The behavior seems to vary between the PC Steam program and the Steam Link app on other devices. The Steam Link app will fallback to whole-desktop, allowing you to exit Steam Big Picture and what not.


You can even start streaming the desktop directly. AFAIK there is a setting for that.


If you are interested in software that has the same functionality but is much more reliable, I would highly recommend Parsec. It's free.


Rehash:

- Steam has a privileged service, users can start/stop it.

- Steam's service resets a bunch of registry subkey ACLs under [HKLM\...\Valve\Steam] at startup

- Steam's service gives unprivileged users read/write access to its own keys

- Steam lets unprivileged users write to this area of the registry

- Steam's service follows registry symlinks

This is terrible. Any multi-tenant machine with Steam installed is affected and should be considered compromised.


It's actually even worse than that, OP's exploit only scratches the surface of what's wrong with Steam's security model on Windows. The whole program directory is world writable including the Steam service binary which runs with local system permissions, and it's been this way for YEARS. See: https://news.ycombinator.com/item?id=20633929


Yeah, I just saw that today. I don't know what to say.


Quite a sad ending for a security vulnerability that can probably be fixed by correcting a few permissions.

Sayinf privilege escalation doesn't count because you need to place a file on the file system is a nonsense excuse. It's saying "yeah well it's not our problem that we give a process full system rights because the user already opened something else in low privilege mode".


Saying you need to drop a file is a sad excuse. Especially when you don't need to. I see no reason why you couldn't use the suggested exploit. Changing the HKLM\SYSTEM\ControlSet001\Services\msiserver ImagePath to the path of cmd.exe should pop you up a system shell. With no files dropped.


Nitpick: Changing registry keys is a file operation.


Technically, changing a registry key changes bytes within a large file, yes.

But in practice, the only way to change registry keys/values is by going through the registry APIs provided by Windows; I certainly wouldn't consider registry operations as file system operations.


I've been running Steam on a non-admin account for awhile now. I can't recall a game that actually needed admin permissions to install and run. Some games will continue to try on every run but after the no admin error it runs fine anyway.

I'm on Windows 10. It's possible I've already installed the required Visual C++ runtimes.


I turned Windows Ransomware Protection (aka Windows Controlled File Access) on for my Steam directory [0] as an immediate paranoia stopgap [1] while I debated moving it to its own non-admin account, but privilege escalations like these remind me that something like Controlled File Access may still need to be in place to prevent Steam being a malware/worm distribution vector simply by continuing to be a World-Writable Jungle of EXEs in 2019.

I'm thinking the next step (for me at least) is not isolating Steam into its own non-admin account, but to its own entire VM.

[0] Which has been a "fun" metagame since doing that. Game developers are horrible children at security permissions and the whack-a-mole necessary to allow access exceptions for games inside that space is quite incredible and sometimes disturbing. For instance, some games have six or seven EXEs for no clear, discernable reason. Some games love randomly copying EXEs to temp spaces before running them (often downloaders and launchers, but the fun ones are those with no clear downloader nor launcher but still running EXEs from %LocalAppData%\Temp).

[1] Password cracking attempts on my Steam account got really disturbing/absurd. The weak link seems to be a Steam Web API that Steam claims has enough botnet protection, but Steam customer support of course tells me that the problem must be at my end due to malware. So of course, that lead me to "proving" that it can't be malware on my end in part by locking Steam down as much as possible.


There is a steamservice.exe (or similar). It gets admin during install.


Right but as far as I'm aware this isn't needed for games to install and run. If you disable it, Steam complains but runs anyway.

Of course it probably breaks some Steam services but apparently not ones I use.


Only if you install the games outside "Program Files".


Not true. You can install games even with the service disabled, since the Steam program folder permissions allow any user to write files there (and that's where games are installed by default).


Indeed. As I said, I've been doing this for awhile now so this isn't merely a theoretical for me.


Yes. But the service was enabled and set the permissions.


Pretty shitty of HackerOne to forbid the disclosure of a non-vulnerability. Hopefully there's more to this story.


a "non-vulnerability"


This is concerning, especially as the steam client is a platform for downloading remote code execution-enabled programs.

I can't imagine the number of security vulnerabilities in Steam games. Most games require invasive anti-cheat services that are connected to a command-and-control sever with full RCE capabilities (and RAM dumping/analysis, etc).

If you want a specific example, take Unreal Tournament (1999) on steam: this is an old game, yet its security practices remain unchanged. Most public servers I tried to connect to pushed dlls on my computer, that were then loaded by the game executable, to provide a variety of mods, anti-heat services, and more.

That means anyone hosting a UT99 has RCE and privilege escalation capabilities on any client that connect trough Steam, without even trying hard. More concerning is the fact that games are a very specific medium: robustness/security is often not the primary concern, most are networked, and few are patched [a few ears] after release, yet remain launched on a regular basis for decades to come. Moreover, newer games tend to push resource usage too much for elaborate sandboxes.

That's the reason why I run Steam trough flatpak's sandbox: at least, it, or games, don't have access to my filesystem. I still have concerns over the login token, though. Wayland does provide some extra protection against potential keyloggers/others, but I wish Steam itself was constructed like a browser, sandbox-wise.

(yes, the remote dll loading happened on Linux, trough wine/proton, a testament to the engineering of these compatibility layers).


Thanks for the disclosure, and if Steam users gets attacked because of their irresponsibility then it's on Valve. The author did was l what they reasonably could to get this fixed the easy way before the hard way.

Hopefully they'll learn from it and act more professionally and increase their payout if they want security researchers to take them seriously in the future.


I've also had some similarly bad experiences reporting vulnerabilities to managed HackerOne campaigns. I'm guessing the HackerOne staff is primarily trained to judge web vulnerability reports. Anything beyond that often triggers odd followup questions or even a rejection like in this case.


I usually report directly to the company anyway which escalate it with HackerOne if they aren’t dysfunctional.


How come both of the comments discussing the way HackerOne handled this are [dead]?

Neither account seems to be banned, both comments seem perfectly fine.


Sorry about that, those posts were killed by some overzealous anti-spam software which we've just pacified.


Normally I do not care too much about comments marked as [dead]. But why is it that all comments in this submission that critique HackerOne are being killed?

I'm now somewhat curious is this comment will be hit with wathever hit the other (at the time of writing) four comments.


HN gets constant spam from scammers advertising “hacking services”, the antispam system likely confused HackerOne comments with those.

(perhaps this comment will get autokilled too)


> Here I realized that Valve has no interest in EoP vulnerabilities.

... surprise? Of course not. Neither do 99% of their users.


Users of peanut butter shouldn't have to think about whether it contains glass and razors.


Just assume Windows does not have privilege separation, don't rely on it. The way things are on Windows is convenient, especially with all the legacy software, but don't rely on it to protect users from eachother.


But Windows does have strong separation between processes running in separate sessions. Steam actively goes out of its way to undermine this by giving all users permission to directly control a service with system level privileges.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: