[Ars Technica] Severe local 0-Day escalation exploit found in Steam Client Services

sangreal

Member
Oct 25, 2017
3,706
oh pardon me, but as an uninformed simpleton “The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.” sounds bad

forgive me and my fellow plebeians for basing our perspectives on the matter solely on the article presented

Edit: please, I implore you, enlighten us tech proletariat as to why this issue solicits neither an “oof” nor an “uh oh”
it mostly affects businesses with locked-down multi-user environments

home users would just enter their password in UAC anyway, making the privilege escalation redundant. I mean, you've already decided to run the malware you downloaded, you're not going to let the UAC popup stop you -- if you haven't disabled it entirely anyway like some supposed "power-users"

windows shipped with a very similar exploit in the task scheduler that was only fixed late last year


Valve should fix their code -- but why in the world are you able to create registry symlinks as an unprivileged user in the first place?
 
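Editor's note, added to this page and not a post from the thread: the question above about unprivileged registry symlinks has a practical check behind it. A local privilege escalation of this kind needs some key under HKLM that a standard user is allowed to write to; that generalization is the editor's, not a detail the thread states, and the script below does not reproduce the exploit. It simply audits HKLM for keys whose DACL grants write rights to everyday low-privileged principals, which is the condition an installer or service should never leave behind. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session so every key is readable; the principal list and the excluded subtree are the editor's choices.

```powershell
# Added example (not from the thread): audit HKLM for registry keys that
# unprivileged principals can modify. Assumption: run elevated so that
# Get-Acl can read every key's security descriptor.

# Principals that any logged-on, unprivileged user is a member of.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a caller create or change values and subkeys (not merely read).
$WriteRights = [System.Security.AccessControl.RegistryRights]::FullControl -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Find-WritableHklmKeys {
    param(
        # Subtree to audit. SOFTWARE\Classes is deliberately writable in places
        # and very noisy, so it is skipped by default (editor's choice).
        [string]$Root = 'HKLM:\SOFTWARE',
        [string[]]$Exclude = @('HKEY_LOCAL_MACHINE\SOFTWARE\Classes')
    )

    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $keyName = $_.Name
            -not ($Exclude | Where-Object { $keyName -like "$_*" })
        } |
        ForEach-Object {
            $key = $_
            # Some keys deny even SYSTEM read access to their DACL; skip those.
            try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { return }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if ([int]($ace.RegistryRights -band $WriteRights) -eq 0) { continue }

                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    # Explicit (non-inherited) grants are the interesting ones: a
                    # service that creates its own keys and hands them to Users
                    # produces exactly these.
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Explicit grants sort first so the findings most worth reviewing are at the top.
Find-WritableHklmKeys |
    Sort-Object Inherited, Key |
    Format-Table -AutoSize
```

Read the output with the thread's caveat in mind: a writable key is only dangerous if something privileged later trusts what is under it (for example, a SYSTEM service that opens the key and follows whatever it points to). Keys that show up with Inherited = False and a vendor name in the path are the ones to raise with that vendor.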

DammitLloyd

Member
Oct 25, 2017
184
The most likely way would be hiding the malware in a 'free' game delivered via Steam. That's actually what makes this a little scary - Steam is a vector for delivering code to your computer, and some wires must really have been crossed for Valve to not take this seriously.
Okay so stay away from sketchy looking games for now then. Which I already do anyways.

I remember there was a mod for GTA V that had a virus in it or was it a program that ran in the background that would do bitcoin mining. So they could also distribute it from mods? But that wasn’t from steam, it was from a website. So I wonder if steam workshop mods go through security checks.
 

spad3

Member
Oct 30, 2017
4,325
California
User Banned (1 day): drive-by trolling.
holyyyyyy shiiiiiiiiiiiiiiiiiii how did this happen?!

Turning off start on boot ASAP

Fuckin YIKES.

This is a golden opportunity for EGS to swoop in now.
 

Htown

Member
Oct 25, 2017
6,974
I'm confused, because it seems like there's a step missing here

it was rejected by hackerone, then sent off to Valve by hackerone, then rejected again by hackerone

but if the vulnerability was sent off to Valve at one point, wouldn't you want to wait and see what they did or said about it before disclosing to the public?

this story keeps getting reported as Valve refusing to fix an exploit, but as far as I can tell all the rejections came from hackerone
 

Ploid 6.0

Member
Oct 25, 2017
5,643
holyyyyyy shiiiiiiiiiiiiiiiiiii how did this happen?!

Turning off start on boot ASAP

Fuckin YIKES.

This is a golden opportunity for EGS to swoop in now.
I never enable apps to start on boot unless is a defending app, or my overclock app.

Also there's nothing any other store can gain an opportunity from this on. If you need to run Steam for a game or service you just run it. You shouldn't let stuff like this scare you from doing what you want to do. I have a feeling getting effected from the exploit is very rare if you don't do much more than play games from well known devs, keep to websites that use good ad services that are checked before being pushed to people (I remember a popular FFXI forum had a ad that put keyloggers or something on people's computers and since that day I always use a noscript type app on my browser and slowly enable things or give trusted websites full whitelist).

I don't do much serious banking, or buying, on this computer, but the computer I do that on always has multiple protections and still has UAC and such fully on since guests use it as well. If something screws up my PC I just reinstall Windows. My accounts are 2-step verification protected, and my emails need codes from my Google Authenticator; passwords are always updated with an encryption app too.
 

Weltall Zero

Member
Oct 26, 2017
9,893
Madrid
So it sounds mostly like a problem for people who run pirated software/cracked exe/a sketchy as hell fake trainer/fake mod from a random website, as a typical user won't give access to some unknown file that can edit the registry.
I can't describe how envious I feel right now towards anyone whose experience with "typical users" is anything like the above. :D

Like, it's come to a point where it's often more productive to clean up some people's computers every now and then, than it is to repeatedly (and unsuccessfully) try to teach them about not clicking "allow" when you randomly see a seizure-inducing blinking popup while browsing that says "you have a virus, click here to clean" (or, hell, "you're our 1000000 visitor, click here to claim your prize").
 

Ganado

Member
Oct 25, 2017
1,062
User Banned (3 days): drive-by trolling
Ahem. Or should I say yikes? Anyway...
FUCK STEAM, another W for my boy EGS. Is this the end for Steam as we know it (never used it tho)?
 

Komo

Member
Jan 3, 2019
2,374
Sigh, this is hella misleading; you legitimately need access to the PC through a game to do this.
 
Nov 14, 2017
1,824
Okay so stay away from sketchy looking games for now then. Which I already do anyways.
Yea, pretty much. There's so much stuff on Steam now that some of it is bound to be nefarious.

The one saving grace is that most things you install from Steam give you a UAC prompt anyway, so for the most part you just have to trust whatever you get from Steam. This exploit just lets malicious applications look normal during installation and then silently escalate after install.
 

MultiMoo

Member
Oct 25, 2017
1,573
Silicon Valley
I wonder how many people jumping in with hot takes actually understand the first thing about what’s going on here.

Either way, Valve should fix this.
oh pardon me, but as an uninformed simpleton “The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.” sounds bad

forgive me and my fellow plebeians for basing our perspectives on the matter solely on the article presented

Edit: please, I implore you, enlighten us tech proletariat as to why this issue solicits neither an “oof” nor an “uh oh”
Yes, please. If you're going to complain about the responses to this story, why not explain it to us?



:P

Can some explain this in like 5th grade terms?
Basically, Windows normally requires users and apps to have certain privileges to alter important files and directories, and this exploit uses Steam to basically give it access to those things, though some folks have pointed out that unless you're already compromised in some way, the standard Windows protections in place SHOULD pop up a warning before the bad stuff can be executed (theoretically), but this is likely not foolproof.
 

BronsonLee

it me
Member
Oct 24, 2017
16,255
I'd be very surprised if any Steam game had a way to use this exploit in any fashion

This one isn't the way in
 

AntiMacro

Member
Oct 27, 2017
1,301
Alberta
So it sounds mostly like a problem for people who run pirated software/cracked exe/a sketchy as hell fake trainer/fake mod from a random website, as a typical user won't give access to some unknown file that can edit the registry.
lol - you really underestimate how 'casual' casual users are.

I had one guy call me and ask if I could come look at his computer because he was pretty sure he'd clicked on a bad link and by 'pretty sure' he meant he had clicked on it twice. It locked up his computer the first time, but he rebooted and clicked it again because hey why not?
 

Veliladon

Member
Oct 27, 2017
2,638
2.) All that said, there is a rough requirement for this exploit to function -- an attacker requires user-level privileges to initiate the privilege escalation exploit. This means that they must already have some minimal foothold on the machine (for example, having a user run a malicious executable with this exploit payload included). The exploit is dangerous specifically because it allows an attacker to use this flaw to effectively gain administrator permissions from userland, and then they basically own the system.
So we need to find a way to have a user run a malicious executable on a platform which allows barely vetted people to publish almost anything they want to it without thoroughly checking the payloads.



Performing first time setup...
 

Veliladon

Member
Oct 27, 2017
2,638
so do I need to like uninstall Steam right now?!
No. Just don't download any sketchy Chinese F2P games or shit that says "FREE V BUCKS.EXE". It requires a certain amount of stupidity to be caught by it but the number of people that could be caught by it is certainly not zero. Keeping your wits about you should be enough.
 

Reinhard

Member
Oct 27, 2017
2,647
I can't describe how envious I feel right now towards anyone whose experience with "typical users" is anything like the above. :D

Like, it's come to a point where it's often more productive to clean up some people's computers every now and then, than it is to repeatedly (and unsuccessfully) try to teach them about not clicking "allow" when you randomly see a seizure-inducing blinking popup while browsing that says "you have a virus, click here to clean" (or, hell, "you're our 1000000 visitor, click here to claim your prize").
lol - you really underestimate how 'casual' casual users are.

I had one guy call me and ask if I could come look at his computer because he was pretty sure he'd clicked on a bad link and by 'pretty sure' he meant he had clicked on it twice. It locked up his computer the first time, but he rebooted and clicked it again because hey why not?
I realize there are a ton of 100% clueless people out there when it comes to computers. But how many of those would actually install Steam and play Steam games? Seems like the type of people who would stick to facebook games or mobile games. They probably wouldn't even know how to install Steam.... I really have no idea, though, how clueless the typical "casual" CS:Go or DOTA 2 players are (they most certainly are the most toxic ;p). I imagine Strategy game players are the most knowledgeable
/s
.
 

Morrigan

Armoring
Moderator
Oct 24, 2017
10,953
I'm confused, because it seems like there's a step missing here

it was rejected by hackerone, then sent off to Valve by hackerone, then rejected again by hackerone

but if the vulnerability was sent off to Valve at one point, wouldn't you want to wait and see what they did or said about it before disclosing to the public?

this story keeps getting reported as Valve refusing to fix an exploit, but as far as I can tell all the rejections came from hackerone
Yeah, I'm confused by that too. Did Valve actually comment at all?

Can some explain this in like 5th grade terms?
Shit is fucked but not too fucked
Don't fuck up and you won't get fucked up
lmao

Those are some edgy 5th graders
 

Ashlette

Member
Oct 28, 2017
674
I told a few friends to stop using steam for now. But now I'm reading about "not messing up" and "not downloading anything sketchy". Is steam safe to use as long as its users scan their computers for malware?
 
Oct 27, 2017
1,757
Florida.
No. Just don't download any sketchy Chinese F2P games or shit that says "FREE V BUCKS.EXE". It requires a certain amount of stupidity to be caught by it but the number of people that could be caught by it is certainly not zero. Keeping your wits about you should be enough.
So basically the same amount of caution you should exercise on a daily basis if you aren't interested in contracting malware.
 

collige

Member
Oct 31, 2017
4,848
It's a good thing devs can't arbitrarily change their release dates anymore to take advantage of this huh
 

ForgedByGeeks

Member
Dec 1, 2017
503
Woodinville, WA
I told a few friends to stop using steam for now. But now I'm reading about "not messing up" and "not downloading anything sketchy". Is steam safe to use as long as its users scan their computers for malware?
Since this is a 0-day vulnerability, no security software can detect it.

This will likely be detectable by most security software within a week, but will likely also morph multiple times in the coming months.

Steam is safe to use, but I would recommend only downloading or buying games from established developers till Valve patches Steam to fix the core exploit.
 

Willy

Member
Oct 27, 2017
105
Valve has let malware slip onto the store before so it's probably worth taking a few precautions, e.g. restricting your "auto update" time to when you don't use your computer/Steam, or individually setting your installed games to only update when launched.
 

hikarutilmitt

Member
Dec 16, 2017
2,771
+1 for using Linux over Windows, weeeee...

This sucks, though. It takes a bunch of other parts in place to get going, but it needs fixing. That and, frankly, Windows needs to stop accepting arbitrary commands and shit through the registry. Or, ya know, get rid of that ancient relic of a system.
 

Exzyleph

Member
Oct 25, 2017
563
This is a rather strange story.

While a lot of the blame falls on HackerOne, who seemingly decided that Valve did not need to know about this exploit, responsibility definitely also falls on Vasily Kravets for seemingly not making any attempts at contacting Valve outside of the HackerOne bug bounty program. Valve has had means of reporting security issues long before they set up that bug-bounty program:
If the public security program is inapplicable to your situation, then you may instead send email describing the issue to [email protected]valvesoftware.com. If you feel the need, please use our public key to encrypt your communications with us.

https://www.valvesoftware.com/el/security

But while this definitely needs to be fixed, it does require that you run malicious code on your PC.
And if that happens then you are already boned, regardless of whether or not the program can perform a privilege escalation.

A malicious program running in user-space has access to everything that you have access to, including all the cookies that keep you logged in on websites, any credentials stored by software you use, and any (personal) documents, photos, and other files you have stored on your PC, and much more. An unprivileged piece of software can easily encrypt all your personal files and demand payment before unlocking them (a.k.a. ransomware). An unprivileged malicious program can also do stuff like running bitcoin miners, spy on your browsing habits, and perform a slew of other nefarious actions.

And this applies to both Windows and Linux users.
 

eonden

Member
Oct 25, 2017
3,825
I told a few friends to stop using steam for now. But now I'm reading about "not messing up" and "not downloading anything sketchy". Is steam safe to use as long as its users scan their computers for malware?
You basically need to have admin access physically to do the modifications that allow this to happen, which means that for this 0-day thing to be activated you need either:
-Physical access to the computer
-Already be compromised.

Basically, if you have it, you were already fucked before. The reason HackerOne (the ones that regulate Valve's program) passed on it was that.

So we need to find a way to have a user run a malicious executable on a platform which allows barely vetted people to publish almost anything they want to it without thoroughly checking the payloads.



Performing first time setup...
They check the payloads to be safe tho.
 

Pryme

Member
Aug 23, 2018
1,828
I wonder how many people jumping in with hot takes actually understand the first thing about what’s going on here.

Either way, Valve should fix this.
There were all of 6 posts in the thread before you made this comment. None of which can remotely be classified as ‘hot takes’.
From subsequent contributions here, it looks like the bug is a bit more insidious than you think and may not trigger a UAC prompt.
 

mutantmagnet

Member
Oct 28, 2017
7,799
Since this is a 0-day vulnerability, no security software can detect it.

This will likely be detectable by most security software within a week, but will likely also morph multiple times in the coming months.

Steam is safe to use, but I would recommend only downloading or buying games from established developers till Valve patches Steam to fix the core exploit.
I would argue established developers/publishers are the most likely to exploit this because they could install a monitoring program to collect the data they want to sell more games.
 

Sandersson

Member
Feb 5, 2018
1,631
looked further into it.
regln-x64.exe definitely triggered a SmartScreen warning but not a UAC one, as the article mentions, but yeah the exploit appears to mostly amount to 'here's how to permanently damage your ability to install anything onto your computer.'

don't disable UAC/SmartScreen then download and run unsigned binaries, kids. and drink your milk.
Dumb question time: SmartScreen is a part of MS Defender? You can slap me on the way out.
 

Hella

Member
Oct 27, 2017
12,861
Well, time to pray to the gods that all of my workshop subscriptions have remained legit during this securitypocalypse.
I would argue established developers/publishers are the most likely to exploit this because they could install a monitoring program to collect the data they want to sell more games.
That's silly because they don't need to use computer exploits to install monitoring software. Look up Red Shell.

...Well, except for Capcom. They're wildcards.


An established, legit company wouldn't exploit security holes because that's how you damage your reputation and possibly get sued.
 

GhostTrick

Member
Oct 25, 2017
7,053
There were all of 6 posts in the thread before you made this comment. None of which can remotely be classified as ‘hot takes’.
From subsequent contributions here, it looks like the bug is a bit more insidious than you think and may not trigger a UAC prompt.

They're right though. People do tend to be more worried than they should about that kind of thing (which is still good behaviour considering it's a sign of cautiousness).