[Ars Technica] Severe local 0-Day escalation exploit found in Steam Client Services

Rvaan

Member
Oct 25, 2017
12,082
Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.

The vulnerability lies within Steam Client Service. The service may be started or stopped by unprivileged users. This becomes a problem because, when run, Steam Client Service automatically sets permissions on a range of registry keys. If a mischievous—or outright malicious—user were to symlink one of these keys to that belonging to another service, it becomes possible for arbitrary users to start or stop that service as well. This becomes even more problematic when you realize that it's possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.
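As an added defensive check (not code from the Ars article, the researcher's write-up, or anyone in this thread): a PowerShell audit that lists services whose DACL grants Start, Stop, ChangeConfig or WriteDac to broad principals such as Authenticated Users, which is the first precondition the article describes for Steam Client Service. It assumes the SDDL output of `sc.exe sdshow` and the standard SDDL abbreviations; the only page-specific value is the service name "Steam Client Service".

```powershell
# Added example: audit which services let broad, unprivileged principals start, stop or
# reconfigure them. Not from the Ars article, the researcher's write-up, or this thread.
# Assumes the SDDL printed by `sc.exe sdshow` and the standard SDDL abbreviations.

# Service-specific access right abbreviations (subset) as they appear in SDDL.
$RightNames = @{
    'RP' = 'Start'          # SERVICE_START
    'WP' = 'Stop'           # SERVICE_STOP
    'DC' = 'ChangeConfig'   # SERVICE_CHANGE_CONFIG (can change binPath; worse than start/stop)
    'WD' = 'WriteDac'       # can rewrite the service ACL itself
    'GA' = 'GenericAll'
}

# Well-known SID abbreviations that amount to "any local user" for this audit.
$BroadPrincipals = @{
    'AU' = 'Authenticated Users'
    'WD' = 'Everyone'
    'BU' = 'BUILTIN\Users'
    'IU' = 'Interactive'
}

function Get-BroadServiceControlGrants {
    [CmdletBinding()]
    param(
        # Default: every installed service; pass a name to audit a single service.
        [string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name)
    )
    foreach ($svc in $Name) {
        # sc.exe sdshow prints the service security descriptor in SDDL, e.g.
        # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
        $sddl = (& sc.exe sdshow $svc 2>$null) -join ''
        if ($sddl -notmatch 'D:\(') { continue }   # service not found or access denied

        # One ACE per match: (Type;Flags;Rights;ObjectGuid;InheritGuid;Sid). Only Allow ACEs matter.
        foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
            $rights = $ace.Groups[1].Value
            $sid    = $ace.Groups[2].Value
            if (-not $BroadPrincipals.ContainsKey($sid)) { continue }

            # Rights are concatenated two-letter tokens; split them so 'RP' is never matched
            # across a token boundary.
            $tokens  = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $granted = @($tokens | Where-Object { $RightNames.ContainsKey($_) } |
                         ForEach-Object { $RightNames[$_] })
            if ($granted.Count -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc
                Principal = $BroadPrincipals[$sid]
                Grants    = ($granted -join ',')
                Rights    = $rights
            }
        }
    }
}

# Audit just the service named in the article, then the whole machine.
Get-BroadServiceControlGrants -Name 'Steam Client Service' | Format-Table -AutoSize
Get-BroadServiceControlGrants | Sort-Object Service | Format-Table -AutoSize
```

Any row listing Start or Stop for a non-admin principal is a service an ordinary user can control; ChangeConfig or WriteDac rows are more serious and worth fixing first.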
 

Razgriz417

Member
Oct 25, 2017
2,660
holy fuck. please tell me it's been fixed
nope, it's out in the wild because it kept getting rejected
With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30. He alleges that on August 2, yet another HackerOne employee forbade the disclosure of the vulnerability, despite HackerOne having closed it repeatedly as out-of-scope while Valve itself never weighed in one way or the other.
 

Gentlemen

Member
Oct 25, 2017
3,669
we talked about this in discord.
method 1: "get local access, download regin64.exe and monkey with the registry"
method 2: "get local access, run regedit.exe and monkey with the registry"
the vulnerability doesn't seem that bad on the face of things. both of the methods of execution seem to require the ability to run a privileged executable that can modify your registry, which would 100% trigger UAC before the steps to repro the exploit will work.

they should still fix it, but it requires a prior breach in your pc's security.
 

finalflame

Product Management
Verified
Oct 27, 2017
2,423
I wonder how many people jumping in with hot takes actually understand the first thing about what’s going on here.

Either way, Valve should fix this.
 

Raccoon

Member
May 31, 2019
730
I wonder how many people jumping in with hot takes actually understand the first thing about what’s going on here.

Either way, Valve should fix this.
oh pardon me, but as an uninformed simpleton “The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.” sounds bad

forgive me and my fellow plebeians for basing our perspectives on the matter solely on the article presented

Edit: please, I implore you, enlighten us tech proletariat as to why this issue solicits neither an “oof” nor an “uh oh”
 

BronsonLee

it me
Member
Oct 24, 2017
16,076
I wanna unpack a few things here for the exploit mentioned in the article. Keep in mind I could be way off the mark on things.

RE: The exploit itself, it looks like it requires either local admin access, or admin access period. That makes the exploit much less of a 'oh my god run away' and more of a 'don't install anything you don't recognize' kind of thing. It's not going to be the thing that blows the doors open, but it's another bullet in the gun if someone wants the whole thing after getting admin access somehow.

RE: a fake game putting this exploit on your PC, while I suppose that's possible, I generally think that would never make it on Steam proper, so you'd have to be getting it from elsewhere.

RE: the timeline:

The vulnerability demonstrated here is only 45 days old. Normally, publicly disclosing an exploit this quickly would be a big no-no in the Infosec community—the typical grace period for response is 90 days. In this case, it's difficult to point any blame to the researcher. Upon first reporting the bug via HackerOne, it was rejected as out-of-scope, with «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem» as the reason given.
The attack does not require any file to be dropped anywhere or any special privileges. Although we downloaded regln-x64 to make the proof of concept prettier, I could have accomplished its task—symlinking registry keys—directly inside regedit.exe.
When the researcher argued with HackerOne's staff, a second HackerOne employee eventually reproduced the exploit, confirmed the report, and sent it off to Valve. But a few weeks later, a third HackerOne employee rejected it again. The employee reiterated «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem» and added «Attacks that require physical access to the user’s device» as reasons the vulnerability is supposedly out-of-scope.
Rejected
The second reason for rejection is no more valid than the first: a malicious "game" developer could easily create a free-to-play "game" which reproduces all the steps of this exploit. Such a bad actor could pop a shell with LOCALSYSTEM privileges and own the user's machine.
With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30. He alleges that on August 2, yet another HackerOne employee forbade the disclosure of the vulnerability, despite HackerOne having closed it repeatedly as out-of-scope while Valve itself never weighed in one way or the other.
So best as I can see:

ISR reports bug via HackerOne (likely through their bug bounty program, AKA they get paid for reporting these things)
HackerOne rejects the first attempt, with reasoning I would note as iffy. This can happen sometimes with bug bounty programs, as they mainly want knock down drag out major exploits.
ISR and HackerOne start arguing, HackerOne independently reproduces exploit, sends it to Valve for approval/fix
Weeks later, HackerOne rejects it again, for another odd reason
ISR says he's going to publicly disclose, HackerOne forbids it and tries to block the disclose. I'm iffy on whether this actually happened.
ISR publicly discloses exploit, in about half the time you're supposed to. That's ringing an alarm bell for me, as most of them will wait. This feels a bit personal.

So TLDR;

The exploit is bad, but requires admin access, so if you're getting hit with it, you were likely already toast
This thing got disclosed way too early because of infighting between an ISR and a bug bounty program possibly being stubborn and not wanting to pay out
I am a freaking dork
 

low-G

Member
Oct 25, 2017
6,013
Good opportunity to say what a scam HackerOne is. (Where this exploit was submitted and why the person became disgruntled)

Seems like a scam site that doesn't want to pay out.
 

AntiMacro

Member
Oct 27, 2017
1,290
Alberta
we talked about this in discord.
method 1: "get local access, download regin64.exe and monkey with the registry"
method 2: "get local access, run regedit.exe and monkey with the registry"
the vulnerability doesn't seem that bad on the face of things. both of the methods of execution seem to require the ability to run a privileged executable that can modify your registry, which would 100% trigger UAC before the steps to repro the exploit will work.

they should still fix it, but it requires a prior breach in your pc's security.
I wonder how many people out there got tired of 'do you want to allow' pop up messages and disabled UAC long ago.
 

Gentlemen

Member
Oct 25, 2017
3,669
I wonder how many people out there got tired of 'do you want to allow' pop up messages and disabled UAC long ago.
looked further into it.
regln-x64.exe definitely triggered a SmartScreen warning but not a UAC one, as the article mentions, but yeah the exploit appears to mostly amount to 'here's how to permanently damage your ability to install anything onto your computer.'

don't disable UAC/SmartScreen then download and run unsigned binaries, kids. and drink your milk.
 

strongsauce

Member
Oct 28, 2017
26
where are you guys seeing that this will activate UAC or you need admin privileges? looks like the exploit does not trigger UAC and only needs an executable that can modify regedit to trigger the exploit

I did this test on a clean Windows VM; aside from Steam itself, the only code I needed to download was regln-x64.exe, a simple utility for the linking of registry keys which requires no installation. Windows User Account Control was never triggered during this process, and the whole thing only took a few minutes. I did not have any Steam games installed, so I just monkeyed with the Steam installer.
 

Schlorgan

Member
Oct 25, 2017
5,114
Bountiful, Utah
oh pardon me, but as an uninformed simpleton “The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.” sounds bad

forgive me and my fellow plebeians for basing our perspectives on the matter solely on the article presented

Edit: please, I implore you, enlighten us tech proletariat as to why this issue solicits neither an “oof” nor an “uh oh”
Savage.

I like it.
 

BronsonLee

it me
Member
Oct 24, 2017
16,076
Good opportunity to say what a scam HackerOne is. (Where this exploit was submitted and why the person became disgruntled)

Seems like a scam site that doesn't want to pay out.
Normally I would disagree (bug bounties don't have unlimited budget, after all), but the fact that they independently verified and reproduced the exploit and ended up sending it to Valve gives me pause.

don't disable UAC/SmartScreen then download and run unsigned binaries, kids. and drink your milk.
ALMOND MILK IT IS

Sure no prob
 

Kuga

The Fallen
Oct 25, 2017
639
After reading through the article at https://amonitoring.ru/article/steamclient-0day/ , these are my thoughts:

1.) If the H1 / Valve Security team stuff is true, shame on them for dismissing this problem. Regardless of the prerequisite needed for the exploit to function, it is still a significant security oversight for an application installed on millions of computers. There is no excuse for a billion dollar company not to have acknowledged and corrected the issue in the 45 day disclosure window that was provided by the author. I hope it was a miscommunication/oversight and not willful disregard for the issue.

2.) All that said, there is a rough requirement for this exploit to function -- an attacker requires user level privileges to initiate the privilege escalation exploit. This means that they must already have some minimal foothold on the machine (for example, having a user run a malicious executable with this exploit payload included). The exploit is dangerous specifically because it allows an attacker to use this flaw to effectively gain administrator permissions from userland and then they basically own the system.

3.) It should be relatively straightforward for Valve to fix, and for antimalware vendors to write a signature to mitigate the attack, and many heuristics / machine learning endpoint defense layers probably already block this exploit based on its behavioral pattern.

Severity of the bug: 9/10
Exploitability of the bug: 5/10
Valve's response to the bug: what the fuck are you doing / 10.
 

AntiMacro

Member
Oct 27, 2017
1,290
Alberta
looked further into it.
regln-x64.exe definitely triggered a SmartScreen warning but not a UAC one, as the article mentions, but yeah the exploit appears to mostly amount to 'here's how to permanently damage your ability to install anything onto your computer.'

don't disable UAC/SmartScreen then download and run unsigned binaries, kids. and drink your milk.
I'll run unsigned binaries if I want to, you're not my mom.

~ guy whose mom was a sysadmin, probably
 

saci

Member
Oct 25, 2017
2,335
Weird as hell that they ignored and rejected it, as they're one of the companies that pay the most to people that find exploits and stuff. Really wanna hear what they have to say about it.
 

Gentlemen

Member
Oct 25, 2017
3,669
After reading through the article at https://amonitoring.ru/article/steamclient-0day/ , these are my thoughts:

1.) If the H1 / Valve Security team stuff is true, shame on them for dismissing this problem. Regardless of the prerequisite needed for the exploit to function, it is still a significant security oversight for an application installed on millions of computers. There is no excuse for a billion dollar company not to have acknowledged and corrected the issue in the 45 day disclosure window that was provided by the author. I hope it was a miscommunication/oversight and not willful disregard for the issue.

2.) All that said, there is a rough requirement for this exploit to function -- an attacker requires user level privileges to initiate the privilege escalation exploit. This means that they must already have some minimal foothold on the machine (for example, having a user run a malicious executable with this exploit payload included). The exploit is dangerous specifically because it allows an attacker to use this flaw to effectively gain administrator permissions from userland and then they basically own the system.

3.) It should be relatively straightforward for Valve to fix, and for antimalware vendors to write a signature to mitigate the attack, and many heuristics / machine learning endpoint defense layers probably already block this exploit based on its behavioral pattern.

Severity of the bug: 9/10
Exploitability of the bug: 5/10
Valve's response to the bug: what the fuck are you doing / 10.
quality writeup 10/10
 

Reinhard

Member
Oct 27, 2017
2,616
So it sounds mostly like a problem for people who run pirated software/cracked exe/a sketchy as hell fake trainer/fake mod from a random website, as a typical user won't give access to some unknown file that can edit the registry.
 

BronsonLee

it me
Member
Oct 24, 2017
16,076
So it sounds mostly like a problem for people who run pirated software/cracked exe/a sketchy as hell fake trainer/fake mod from a random website, as a typical user won't give access to some unknown file that can edit the registry.
Never assume whether a typical user will or won't do something lmao

They could do anything for any reason they don't know any better
 

mutantmagnet

Member
Oct 28, 2017
7,752
Saying the security expert was disgruntled without giving a hint to why can lead to mischaracterization.


When the researcher argued with HackerOne's staff, a second HackerOne employee eventually reproduced the exploit, confirmed the report, and sent it off to Valve. But a few weeks later, a third HackerOne employee rejected it again. The employee reiterated «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem» and added «Attacks that require physical access to the user’s device» as reasons the vulnerability is supposedly out-of-scope.

Rejected
The second reason for rejection is no more valid than the first: a malicious "game" developer could easily create a free-to-play "game" which reproduces all the steps of this exploit. Such a bad actor could pop a shell with LOCALSYSTEM privileges and own the user's machine.

With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30. He alleges that on August 2, yet another HackerOne employee forbade the disclosure of the vulnerability, despite HackerOne having closed it repeatedly as out-of-scope while Valve itself never weighed in one way or the other.

Ars has reached out to Valve about this story, and we will update with any response.

I don't get why his superiors didn't think this was serious enough, though I wish we didn't have to get to this point.
 
Nov 14, 2017
1,792
we talked about this in discord.
method 1: "get local access, download regin64.exe and monkey with the registry"
method 2: "get local access, run regedit.exe and monkey with the registry"
the vulnerability doesn't seem that bad on the face of things. both of the methods of execution seem to require the ability to run a privileged executable that can modify your registry, which would 100% trigger UAC before the steps to repro the exploit will work.

they should still fix it, but it requires a prior breach in your pc's security.
This is a privilege escalation vulnerability. The linked article states that it totally bypasses UAC. The point is that Steam itself is a platform for delivering code to users, and so in theory it is a prime target for these kinds of vulnerabilities. Valve should take this more seriously.
 

Reinhard

Member
Oct 27, 2017
2,616
Never assume whether a typical user will or won't do something lmao

They could do anything for any reason they don't know any better
True, I pray my sister isn't a typical user. I haven't checked her current laptop, but a while back I fixed a desktop she owned and it was full of spyware/malware/viruses.... I would hope people would be smarter than clicking and granting access to an unknown file that causes their entire screen to go dark with a warning, but the desire for free pirated games and quick access to a randomly googled trainer overrides common sense.
 

SapientWolf

Member
Nov 6, 2017
2,844
So there are no LOCALSYSTEM Windows native services that automatically set permissions on registry keys, and Steam is a necessary component of the pwn?
 

senj

Member
Nov 6, 2017
1,050
This exploit lets any running program take over your machine if Steam is running.

If you wanted to be malicious, you could distribute a free game on Steam with this exploit hidden inside it and know you were hitting vulnerable machines.
Worth noting that a free game distributed in Steam could already do this, likely without a UAC prompt depending on the user’s settings. This just guarantees that no one would see a UAC prompt, settings be damned.
 

data

Member
Oct 25, 2017
1,150
Worth noting that a free game distributed in Steam could already do this, likely without a UAC prompt depending on the user’s settings. This just guarantees that no one would see a UAC prompt, settings be damned.
Wouldn't steam run an antivirus/scan on game files before being distributed?
 

DammitLloyd

Member
Oct 25, 2017
178
So how do they install the program to your system that gives them access? They can do it from their end without you doing anything but keeping Steam on? Or you, yourself would have to download something that has the program included?
 

Ploid 6.0

Member
Oct 25, 2017
5,570
I turned my UAC off, do I need to turn it back on? I only did it because I hate that pop up every time I did stuff.

Is there a way to deny Steam this high level access to the system?
 

senj

Member
Nov 6, 2017
1,050
I turned my UAC off, do I need to turn it back on? I only did it because I hate that pop up every time I did stuff.
This is a privilege escalation vulnerability, so it bypasses UAC even if you have it on.

Mind you with UAC turned off, everything you run is a privilege escalation vulnerability. So really for you it doesn’t matter if Steam fixes this, because you’ve chosen to always be vulnerable.
 
Nov 14, 2017
1,792
Worth noting that a free game distributed in Steam could already do this, likely without a UAC prompt depending on the user’s settings. This just guarantees that no one would see a UAC prompt, settings be damned.
I think they would have to have UAC completely disabled in order for them to not get a prompt when an app tries to get LocalSystem.

So how do they install the program to your system that gives them access? They can do it from their end without you doing anything but keeping Steam on? Or you, yourself would have to download something that has the program included?
The most likely way would be hiding the malware in a 'free' game delivered via Steam. That's actually what makes this a little scary - Steam is a vector for delivering code to your computer, and some wires must really have been crossed for Valve to not take this seriously.
I turned my UAC off, do I need to turn it back on? I only did it because I hate that pop up every time I did stuff.

Is there a way to deny Steam this high level access to the system?
You should never ever turn UAC completely off. What version of Windows are you on and what did you set it to?
 

Ploid 6.0

Member
Oct 25, 2017
5,570
This is a privilege escalation vulnerability, so it bypasses UAC even if you have it on.

Mind you with UAC turned off, everything you run is a privilege escalation vulnerability. So really for you it doesn’t matter if Steam fixes this, because you’ve chosen to always be vulnerable.
Ok, this scared me into turning it back on. I had like 4 malware antiviruses and things running at one time but I saw that having those even allows for vulnerabilities that get in through the defending app so I just use Windows Defender and antispyware with an occasional malware scan and such. There's always a war, but I really should start fiddling around with Linux soon just for fun and to get used to it for games that work on it. All I need for PC is games, youtube, netflix, and the ability to mod games.

You should never ever turn UAC completely off. What version of Windows are you on and what did you set it to?
Windows 10, I doubt I ever got affected with anything serious though, unless the defense apps don't tell me after scans and such.
 

ForgedByGeeks

Member
Dec 1, 2017
503
Woodinville, WA
So here's the deal.

This is a 0 day vulnerability. What that means is that virus scanners cannot detect this exploit.

That means any auto-scanning of apps going up to any service, Steam or otherwise, can have this exploit inserted and not be detected.

If Steam is on a computer, this can be exploited.

This is an escalation of privilege exploit. This means any app, even one without admin privileges, can leverage this vulnerability to behave as though the user of the PC gave them admin privileges.

In other words, any app on a PC with Steam can use this to do anything to the computer.

This is especially bad because Steam distributes apps. Steam also auto-updates these apps by default without users doing anything.

Worst case scenario is a malicious actor (game developer working on a game published to steam) inserts the exploit hidden in an update that gets published to Steam. Since this is a 0 day vulnerability, the exploit would not be caught uploading to Steam. Steam would auto-update the game for all users, thereby installing the exploit on their systems. The game, as part of installing the auto-update, could initialize the exploit as part of the installer. Thus, even without the user running an updated game, the malicious software could install itself.

Once installed, because it is now Admin, it could block fixes from being applied (outside of Microsoft's Malicious Software Removal Tool that goes through Windows Update). Thus it can now make itself undetectable and do whatever it is it wants to do.

So what it comes down to is, do you have any games installed by a company with a malicious actor that can rapidly code in an exploit that gets shipped in an update to Steam. If not, you are fine. Most people will be fine.

But I am sure some people have games installed that already behave poorly because of ad services or other garbage included. Many times the ad services themselves are run by malicious companies that try to get people to click on ads that will exploit vulnerabilities. Now these same companies could push an update for their services to a ton of games to try to exploit your system directly. This is the real risk in my view.