A security researcher has publicly disclosed a vulnerability in Valve Corporation's Steam client, used by millions of Windows PC gamers, even though it has not been fixed: his report was rejected as "not applicable".
Vasily Kravets' report raises two issues. First, the exploit itself, and second, whether Valve's policy, via its partner HackerOne which handles security reports, is too restrictive with the types of bug regarded as significant.
First, a quick look at the issue. The Steam client installs the Steam Client Service, which "monitors and updates Steam content", according to its description. Any user has permission to start and stop this service. It runs under the powerful "Local System Account", which has "complete unrestricted access to local resources", according to Microsoft.
This Steam service sets security descriptors for registry keys in HKLM\Software\Wow6432Node\Valve\Steam, giving all members of the local users group full control of the keys.
The Windows registry supports symbolic links, where a key in one part of the registry points to a key elsewhere. Because all local users can write under the Steam key, a standard user can create a link there that points to a protected key; when the Steam service applies its permissive security descriptor, it follows the link and grants full control of that other key.
The example Kravets uses is the Windows Installer service, which also runs as Local System. With full control of the key, you can change the executable that runs to your own application, which will run with full admin rights and without a user account control (UAC) prompt.
This is called an escalation-of-privilege attack. If you gain access as a standard user on a machine running the Steam client, you can easily escalate your privileges to gain full control of that machine.
Note that a standard user does have access to the registry editor by default (though administrators can lock this down), but non-admin users cannot modify system keys. They can, however, create links in locations where they have permission, such as in the Steam section. The Register tried it, and Steam did indeed give us full control over the target key, allowing us to write files to protected Windows locations as a standard user and without any UAC prompt.
Kravets reported the problem to Valve via HackerOne, complete with a sample that spawned an administrator command prompt, but it was rejected. The scope of issues Valve will look at is listed here. "Out of scope" items include attacks that require physical access to the user's device and "require the ability to drop files in arbitrary locations on the user's filesystem". HackerOne initially claimed that the report fell under the latter category.
Kravets queried this rejection and persuaded someone at HackerOne to try his steps. The report was then sent to Valve, but a few weeks later it was again rejected, this time for both the reasons mentioned above (physical access and dropping files).
Next, the researcher informed HackerOne that he would disclose the vulnerability, since 45 days had passed, whereupon "one more HackerOne employee appears in the thread and forbids the disclosure".
When we looked into this, we soon discovered that Steam also has a vulnerability first reported in 2015, CVE-2015-7985, which concerns the Steam install folder being read-write for all users. Since Steam.exe runs on login, a standard user could replace or modify Steam.exe with their own executable and wait for an administrator to log in and execute it.
All this is not a good look for Valve, making it appear as if it is not interested in escalation-of-privilege issues.
Steam's security configuration does breach Microsoft guidelines stating that applications "must use strong and appropriate ACLs [Access Control Lists] to secure executable files" and "must reduce non-administrator access to services that are vulnerable to tampering".
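The two weaknesses described above, the all-users ACL on the Steam registry key (which makes the symbolic-link trick possible) and the all-users write access to the install folder, are both things an administrator can audit locally. The following PowerShell script is an added example written for this article; it is not code from Valve, from the researcher or from The Register. It reports any access control entries on the Steam key and install folder that grant write-level rights to broad groups, and lists subkeys under the Steam key that are registry symbolic links (Get-ChildItem follows links silently, so the script opens each subkey with REG_OPTION_OPEN_LINK and reads its REG_LINK value). The registry path is the one named in the article; the install directory, the list of "broad" principals and the P/Invoke wrapper are assumptions of the example.

```powershell
# Added audit script (not from the article, Valve or the researcher). Reports:
#  (1) ACEs on the Steam registry key that let broad groups write or relink it,
#  (2) subkeys under that key that are registry symbolic links, with their targets,
#  (3) ACEs on the install folder and Steam.exe that let broad groups replace files.

$SteamKey = 'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam'   # path named in the article
$SteamDir = 'C:\Program Files (x86)\Steam'              # assumption: default install path

# Principals that include every standard (non-admin) user on the machine (assumed list)
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-RiskyRegistryAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Any of these rights lets a standard user alter the key or plant a link under it;
    # FullControl contains all of them, so it is caught too.
    $mask = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, CreateLink, WriteKey, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (($_.RegistryRights -band $mask) -ne 0)
    }
}

function Get-RiskyFileAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Write, Modify and FullControl all contain these bits; any of them lets a
    # standard user swap or edit an executable in the folder.
    $mask = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $mask) -ne 0)
    }
}

# Registry links are transparent to the PowerShell provider. To see one, the key must be
# opened with REG_OPTION_OPEN_LINK and its hidden REG_LINK value "SymbolicLinkValue" read.
Add-Type -Namespace Audit -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyEx(IntPtr hKey, string subKey, int options, int sam, out IntPtr result);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueEx(IntPtr hKey, string name, IntPtr reserved, out int type, byte[] data, ref int size);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

function Get-RegistryLinkTarget {
    param([string]$SubKeyPath)   # path relative to HKLM, e.g. SOFTWARE\WOW6432Node\Valve\Steam\Foo
    $HKLM = [IntPtr]::new([int]-2147483646)   # HKEY_LOCAL_MACHINE (0x80000002), sign-extended
    $REG_OPTION_OPEN_LINK = 0x8; $KEY_READ = 0x20019; $REG_LINK = 6
    $h = [IntPtr]::Zero
    if ([Audit.Reg]::RegOpenKeyEx($HKLM, $SubKeyPath, $REG_OPTION_OPEN_LINK, $KEY_READ, [ref]$h) -ne 0) { return $null }
    try {
        $type = 0; $buf = New-Object byte[] 1024; $size = $buf.Length
        $rc = [Audit.Reg]::RegQueryValueEx($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size)
        if ($rc -eq 0 -and $type -eq $REG_LINK) {
            # Target is a UTF-16 native path such as \REGISTRY\MACHINE\SYSTEM\...
            return [System.Text.Encoding]::Unicode.GetString($buf, 0, $size)
        }
        return $null   # ordinary key, not a link
    } finally { [void][Audit.Reg]::RegCloseKey($h) }
}

function Get-RegistryLinksUnder {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $relative = $Path -replace '^HKLM:\\', ''
    foreach ($sub in (Get-ChildItem -LiteralPath $Path -Name)) {
        $target = Get-RegistryLinkTarget "$relative\$sub"
        if ($target) { [pscustomobject]@{ Key = "$Path\$sub"; Target = $target } }
    }
}

# --- report ---
Get-RiskyRegistryAces $SteamKey | ForEach-Object {
    "REGISTRY: $($_.IdentityReference) has $($_.RegistryRights) on $SteamKey" }
Get-RegistryLinksUnder $SteamKey | ForEach-Object {
    "LINK: $($_.Key) -> $($_.Target)" }
foreach ($p in @($SteamDir, (Join-Path $SteamDir 'Steam.exe'))) {
    Get-RiskyFileAces $p | ForEach-Object {
        "FILESYSTEM: $($_.IdentityReference) has $($_.FileSystemRights) on $p" }
}
```

Reading ACLs needs only READ_CONTROL, which standard users normally hold, so the script can run from an unelevated prompt. A `REGISTRY:` line showing `BUILTIN\Users` with `FullControl` is exactly the condition the article describes; any `LINK:` line whose target lies outside the Steam tree (for example under a service's key) is something to investigate rather than something Steam itself creates; and a `FILESYSTEM:` line naming `Modify` or `FullControl` for a broad group on Steam.exe corresponds to the CVE-2015-7985 issue. The fix in each case is the same one Microsoft's guidance calls for: tighten the ACL so that only administrators and the service's own account can write.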
We have asked Valve for comment.
Running a gaming PC without local admin rights is frustrating, so it is likely that most PC gamers running Steam have admin rights anyway. That said, they should still see a UAC prompt before an application that will modify the system runs. You should not install Steam on a locked-down PC, and in the unlikely event that a business user claimed to require Steam, administrators should take note of the risk. ®