Severe 0 day security flaw found in Steam

[gueboom]

A researcher by the name of Vasily Kravet published a vulnerability found in steam windows version. Allegedly he passed his findings to HackerOne one for review who then reported it to steam. Steam dismissed his findings as non applicable. The vulnerability allows access to the registry which then " allows third parties to escalate their privileges to system-wide admin access". Currently this vulnerability is wide open and has not been addressed.

 

Honestly with all the recent security vulnerabilities going around, I would have rather the researcher bring attention to this issue without actually publishing the workings of the 'hack'. I know it would be hard but with the recent coverage of this issue, it just makes more people, maybe some bad actors, notice the hack and get around to actually doing something malicious. In the end until valve formally patches this, it is best if people be cautious of what they download on steam, especially free/low cost games since it is one of the more likely vectors of attacks. That and of course be cautious of emulators/patches/cracks like smartsteam emu and cracked steam games in general.

 

Source: https://amonitoring.ru/article/steamclient-0day

[Radium_Angel]

A more in depth article can be found on a non-russian site here

 

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

 

[PHYLO]

ArsTechnica's article.

 

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

[PHYLO]

Just now, Radium_Angel said:

A more in depth article can be found on a non-russian site here

 

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

 

Woah, you beat me to it by a few sec. lol

[Radium_Angel]

Just now, PHYLO said:

Woah, you beat me to it by a few sec. lol

I'm good like that

[PHYLO]

5 minutes ago, VegetableStu said:

i can't code this far to save anyone's life, but when is it "user was a dick" and when is it "program has issues with really silly and specific commands"? o_o

Right there with ya.

[Radium_Angel]

34 minutes ago, VegetableStu said:

i can't code this far to save anyone's life, but when is it "user was a dick" and when is it "program has issues with really silly and specific commands"? o_o

(Ex programmer here, from the mainframe days, so take that into consideration)

 

The program (Steam) as I understand it, runs roughshod over some directories it has no business doing, and thus opens up a vector for a bad programmer to do bad things to your PC, simply by installing a game which contains code to exploit the permissions issues.

 

It *sounds* like both parties were at fault here, Steam for ignoring the issues (or given insufficient time to handle it) and the researcher for not giving Steam enough time, but in cases such as these, it's often a "he said she said" kind of issue, until further evidence can be uncovered/issued.

 

The problem as I see it is a lack of oversight on Valve's part about what is allowed into their storefront. This has been discussed in depth on YT and elsewhere, but it seems trivially easy to exploit, and that's not a good thing...

[Flying Sausages]

Tldr

So my account is going to get hacked? 

[rcmaehl]

Is this the Steam EoP (escalation of priviledge) exploit that Steam doesn't want to fix? 

If so, I can promise you it's one of many.

 

 

[ravenshrike]

16 minutes ago, OlympicAssEater said:

Tldr

So my account is going to get hacked? 

That really depends on how much Steam shovelware you buy. Really the only possible vector that this might be exploitable in unless you do buy such shovelware, is if Steam workshop mods can execute the needed commands.

[Radium_Angel]

3 hours ago, OlympicAssEater said:

Tldr

So my account is going to get hacked? 

If a bad actor wants into your system via this exploit, it won't be to steal your Steam credentials, it'll be to use your system as a botnet, or throw on a cryptominer, or ransomware.

 

I'd be careful about what games you install from now until this gets patched (if at all)

[Delicieuxz]

8 hours ago, Radium_Angel said:

A more in depth article can be found on a non-russian site here

 

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

The article linked to in the OP is the original source for the discovery and reporting of the vulnerability, made by the person who found it. The Ars article is only talking about what the Russian site in the OP discovered, and the Ars article is not more in-depth than the original source. The Ars article is almost entirely simply relaying what the Russian source says, but in a simplified and streamlined manner.

 

Why would somebody want a non-Russia-based site for a news article, just to have a non-Russia-based site for a news article? It sounds like you have some prejudice issues that are not under control.

[Arika]

4 minutes ago, Delicieuxz said:

Why would somebody want a non-Russia-based site for a news article, just to have a non-Russia-based site for a news article?

guy who did the "hack" is russian, site is russian, therefore that site is already hacked and will steal all your rubles!!!!

 

Spoiler

/s

 

[Delicieuxz]

7 hours ago, Radium_Angel said:

It *sounds* like both parties were at fault here, Steam for ignoring the issues (or given insufficient time to handle it) and the researcher for not giving Steam enough time, but in cases such as these, it's often a "he said she said" kind of issue, until further evidence can be uncovered/issued.

HackerOne officially handles Valve's Bug Bounty Program: https://hackerone.com/valve

 

It was 3 weeks after the discovery had been submitted by HackerOne to Valve that HackerOne, for the second time, told the person who discovered it, Vasily Kravets, that the exploit is non-applicable and also told them to not tell anyone else about it. So, HackerOne telling the person who discovered it that the exploit is not relevant and to drop it without telling anybody about it sort of seems like it's Valve saying they aren't doing anything with it and that they want it to remain undetected.

 

Vasily Kravets questions whether the exploit is a deliberate backdoor:

Quote

Oh... What if there is no coincidence and the behavior is insecure by design? What if the Steam is a kind of legal backdoor? It is impossible to convict Valve, but putting all the facts together:

 

1)      There is the vulnerability, which is easy to exploit and reliable works, providing high rights. And it seems like not only one, according to this twitter thread https://twitter.com/enigma0x3/status/1148031014171811841.

 

2)      It is easy to find the vulnerability. I am not sure that I'm first who has found it, but the first one who wrote about it.

 

3)      Valve declined the report about the EoP vulnerability and same ones. Moreover, the scope of incoming reports specially reduced to exclude EoP-reports.

 

As for me, it looks like Valve wants these EoP vulnerabilities to be present in the software.

 

[Fnige]

6 minutes ago, Delicieuxz said:

HackerOne officially handles Valve's Bug Bounty Program: https://hackerone.com/valve

 

It was 3 weeks after the discovery had been submitted by HackerOne to Valve that HackerOne, for the second time, told the person who discovered it, Vasily Kravets, that the exploit is non-applicable also told them to not tell anyone else about it. So, HackerOne telling the person who discovered it that the exploit is not relevant and to drop it without telling anybody about it sort of seems like it's Valve saying they aren't doing anything with it and that they want it to remain undetected.

 

Vasily Kravets questions whether the exploit is a deliberate backdoor:

 

*quoot*

um... So i have to choose either epik or stem

 

Epic. Is a bit of a butt, Barely any features and i already have games on steam

 

Steam. VUNERABILITES, knock-offs and EA style games

 

God, companies, BE GOOD

[Radium_Angel]

28 minutes ago, Delicieuxz said:

Why would somebody want a non-Russia-based site for a news article

Because many work places have .RU sites firewalled...

[realpetertdm]

9 hours ago, Radium_Angel said:

A more in depth article can be found on a non-russian site here

 

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

 

From what I'm reading Valve never actually weighted on the issue - HackerOne employees were the ones that dismissed his findings, not Valve. But other users are saying that Valve is at fault here... so I'm just really confused right now. Was it Valve or HackerOne?

[colonel_mortis]

@gueboom please can you update your post to fit with the Tech News Posting Guidelines

In particular, your post needs to include your own personal input on the story. It would also be appreciated if you could make sure that your source link works as a link - it is supposed to happen automatically, but you might need to force it by highlighting it and using the link button in the editor toolbar.

[Trik'Stari]

9 hours ago, Radium_Angel said:

A more in depth article can be found on a non-russian site here

 

https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

 

To be fair, Ars has more than its fair share of biased reporting.

 

Still, this is a concerning issue. The more sources of information, the better.

[Radium_Angel]

40 minutes ago, realpetertdm said:

Was it Valve or HackerOne?

Until we get more info, I'm inclined to say both were at fault. But that will almost certainly be clarified as time goes by.

[ravenshrike]

1 hour ago, Delicieuxz said:

Vasily Kravets questions whether the exploit is a deliberate backdoor:

Ah, so he's a conspiracy theorist who, on the basis of less than 30 days and conflicting information from a third party, decided that the ebil mastermind Gaben deliberately coded in vulnerabilities into Steam. Wunderbar.

[Delicieuxz]

35 minutes ago, ravenshrike said:

Ah, so he's a conspiracy theorist who, on the basis of less than 30 days and conflicting information from a third party, decided that the ebil mastermind Gaben deliberately coded in vulnerabilities into Steam. Wunderbar.

He initially reported it to BackerOne June 15, and he publicly disclosed it August 7, so that's 54 days that he waited since first reporting it to BackerOne.

 

He also notes in his public report:

Quote

Yesterday (August 6, 2019) Steam was updated. No, problem is not fixed. File versions: 5.27.59.20 signed at 06 Aug 2019.

 

He doesn't say that the exploit is a backdoor, but he questions whether it is on on the basis that he has been told twice by BackerOne, once before it was submitted to Valve and once after it was submitted to Valve, that it is not within the scope of Valve's bug-hunter program. The idea that it could be a backdoor without stating that it is one is just considering the possibilities.

[Flying Sausages]

5 hours ago, Radium_Angel said:

If a bad actor wants into your system via this exploit, it won't be to steal your Steam credentials, it'll be to use your system as a botnet, or throw on a cryptominer, or ransomware.

 

I'd be careful about what games you install from now until this gets patched (if at all)

Any Steam response?

[ravenshrike]

3 hours ago, Delicieuxz said:

He initially reported it to BackerOne June 15, and he publicly disclosed it August 7, so that's 54 days that he waited since first reporting it to BackerOne.

It was 25 days since the 2nd researcher at HackerOne he contacted submitted a report to Valve. Which is basically 19 business days. He's an irresponsible conspiracy theorist getting pissy about being snubbed by HackerOne and reacting like a 3 year old throwing a tantrum.

[ravenshrike]

Lo and behold Steam has release a beta patch to fix the issue in question to the disappointment of whiny conspiracy theorists living in their parents' basement everywhere.

 

 

https://steamcommunity.com/groups/SteamClientBeta#announcements