-
Ever wanted an RSS feed of all your favorite gaming news sites? Go check out our new Gaming Headlines feed! Read more about it here.
[Ars Technica] Severe local 0-Day escalation exploit found in Steam Client Services
- Thread starter Rvaan
- Start date
nope its out in the wild because it kept getting rejected
we talked about this in discord.
method 1: "get local access, download regin64.exe and monkey with the registry"
method 2: "get local access, run regedit.exe and monkey with the registry"
the vulnerability doesn't seem that bad on the face of things. both of the methods of execution seem to require the ability to run a privileged executable that can modify your registry, which would 100% trigger UAC before the steps to repro the exploit will work.
they should still fix it, but it requires a prior breach in your pc's security.
method 1: "get local access, download regin64.exe and monkey with the registry"
method 2: "get local access, run regedit.exe and monkey with the registry"
the vulnerability doesn't seem that bad on the face of things. both of the methods of execution seem to require the ability to run a privileged executable that can modify your registry, which would 100% trigger UAC before the steps to repro the exploit will work.
they should still fix it, but it requires a prior breach in your pc's security.
I wonder how many people jumping in with hot takes actually understand the first thing about what's going on here.
Either way, Valve should fix this.
Either way, Valve should fix this.
Dawg you're like 10 posts in with a few oofs and uh oh's, not sure what you're trying to do here.
oh pardon me, but as an uninformed simpleton "The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands." sounds bad
forgive me and my fellow plebeians for basing our perspectives on the matter solely on the article presented
Edit: please, I implore you, enlighten us tech proletariat as to why this issue solicits neither an "oof" nor an "uh oh"
I wanna unpack a few things here for the exploit mentioned in the article. Keep in mind I could be way off the mark on things.
RE: The exploit itself, it looks like it requires either local admin access, or admin access period. That makes the exploit much less of a 'oh my god run away' and more of a 'don't install anything you don't recognize' kind of thing. It's not going to be the thing that blows the doors open, but it's another bullet in the gun if someone wants the whole thing after getting admin access somehow.
RE: a fake game putting this exploit on your PC, while I suppose that's possible, I generally think that would never make it on Steam proper, so you'd have to be getting it from elsewhere.
RE: the timeline:
So best as I can see:
ISR reports bug via HackerOne (likely through their bug bounty program, AKA they get paid for reporting these things)
HackerOne rejects the first attempt, with reasoning I would note as iffy. This can happen sometimes with bug bounty programs, as they mainly want knock down drag out major exploits.
ISR and HackerOne start arguing, HackerOne independently reproduces exploit, sends it to Valve for approval/fix
Weeks later, HackerOne rejects it again, for another odd reason
ISR says he's going to publicly disclose, HackerOne forbids it and tries to block the disclose. I'm iffy on whether this actually happened.
ISR publicly discloses exploit, in about half the time you're supposed to. That's ringing an alarm bell for me, as most of them will wait. This feels a bit personal.
So TLDR;
The exploit is bad, but requires admin access, so if you're getting hit with it, you were likely already toast
This thing got disclosed way too early because of infighting between an ISR and a bug bounty program possibly being stubborn and not wanting to pay out
I am a freaking dork
RE: The exploit itself, it looks like it requires either local admin access, or admin access period. That makes the exploit much less of a 'oh my god run away' and more of a 'don't install anything you don't recognize' kind of thing. It's not going to be the thing that blows the doors open, but it's another bullet in the gun if someone wants the whole thing after getting admin access somehow.
RE: a fake game putting this exploit on your PC, while I suppose that's possible, I generally think that would never make it on Steam proper, so you'd have to be getting it from elsewhere.
RE: the timeline:
So best as I can see:
ISR reports bug via HackerOne (likely through their bug bounty program, AKA they get paid for reporting these things)
HackerOne rejects the first attempt, with reasoning I would note as iffy. This can happen sometimes with bug bounty programs, as they mainly want knock down drag out major exploits.
ISR and HackerOne start arguing, HackerOne independently reproduces exploit, sends it to Valve for approval/fix
Weeks later, HackerOne rejects it again, for another odd reason
ISR says he's going to publicly disclose, HackerOne forbids it and tries to block the disclose. I'm iffy on whether this actually happened.
ISR publicly discloses exploit, in about half the time you're supposed to. That's ringing an alarm bell for me, as most of them will wait. This feels a bit personal.
So TLDR;
The exploit is bad, but requires admin access, so if you're getting hit with it, you were likely already toast
This thing got disclosed way too early because of infighting between an ISR and a bug bounty program possibly being stubborn and not wanting to pay out
I am a freaking dork
I wonder how many people out there got tired of 'do you want to allow' pop up messages and disabled UAC long ago.
looked further into it.
regln-x64.exe definitely triggered a SmartScreen warning but not a UAC one, as the article mentions, but yeah the exploit appears to mostly amount to 'here's how to permanently damage your ability to install anything onto your computer.'
don't disable UAC/SmartScreen then download and run unsigned binaries, kids. and drink your milk.
where are you guys seeing that this will activate UAC or you need admin privileges? looks like the exploit does not trigger UAC and only needs an executable that can modify regedit to trigger the exploit
Normally I would disagree (bug bounties don't have unlimited budget, after all), but the fact that they independently verified and reproduced the exploit and ended up sending it to Valve gives me pause.
ALMOND MILK IT IS
Sure no prob
After reading through the article at https://amonitoring.ru/article/steamclient-0day/ , these are my thoughts:
1.) If the H1 / Valve Security team stuff is true, shame on them for dismissing this problem. Regardless of the prerequisite needed for the exploit to function, it is still a significant security oversight for an application installed on millions of computers. There is no excuse for a billion dollar company not to have acknowledged and corrected the issue in the 45 day disclosure window that was provided by the author. I hope it was a miscommunication/oversight and not willful disregard for the issue.
2.) All that said, there is a rough requirement for this exploit to function -- an attacker requires user level privileges to initiate the privilege escalation exploit. This means that they must already have some minimal foothold on the machine (for example, as having a user run a malicious executable with this exploit payload included). The exploit is dangerous specifically because it allows an attacker to use this flaw to effectively gain administrator permissions from userland and then they basically own the system.
3.) It should be relatively straightforward for Valve to fix, and for antimalware vendors to write a signature to mitigate the attack, and many heuristics / machine learning endpoint defense layers probably already block this exploit based on its behavioral pattern.
Severity of the bug: 9/10
Exploitability of the bug: 5/10
Valve's response to the bug: what the fuck are you doing / 10.
1.) If the H1 / Valve Security team stuff is true, shame on them for dismissing this problem. Regardless of the prerequisite needed for the exploit to function, it is still a significant security oversight for an application installed on millions of computers. There is no excuse for a billion dollar company not to have acknowledged and corrected the issue in the 45 day disclosure window that was provided by the author. I hope it was a miscommunication/oversight and not willful disregard for the issue.
2.) All that said, there is a rough requirement for this exploit to function -- an attacker requires user level privileges to initiate the privilege escalation exploit. This means that they must already have some minimal foothold on the machine (for example, as having a user run a malicious executable with this exploit payload included). The exploit is dangerous specifically because it allows an attacker to use this flaw to effectively gain administrator permissions from userland and then they basically own the system.
3.) It should be relatively straightforward for Valve to fix, and for antimalware vendors to write a signature to mitigate the attack, and many heuristics / machine learning endpoint defense layers probably already block this exploit based on its behavioral pattern.
Severity of the bug: 9/10
Exploitability of the bug: 5/10
Valve's response to the bug: what the fuck are you doing / 10.
I'll run unsigned binaries if I want to, you're not my mom.
~ guy whose mom was a sysadmin, probably
Weird as hell that they ignored and rejected it, as they're one of the companies that pay the most to people that find exploits and stuff. Really wanna hear what they have to say about it.
Shit is fucked but not too fucked
Don't fuck up and you won't get fucked up
You're computer needs to already be boned and this exploit bones you harder.
Never assume whether a typical user will or won't do something lmao
They could do anything for any reason they don't know any better
Saying the security expert was disgruntled without giving a hint to why can lead to mischaracterization.
I don't get why his superiors didn't think this was serious enough though I wish we didn't have to get to this point.
I don't get why his superiors didn't think this was serious enough though I wish we didn't have to get to this point.
This is a privilege escalation vulnerability. The linked article states that it totally bypasses UAC. The point is that Steam itself is a platform for delivering code to users, and so in theory it a prime target for these kinds of vulnerabilities. Valve should take this more seriously.
True, I pray my sister isn't a typical user. I haven't checked her current laptop, but awhile back I fixed a desktop she owned and it was full of spyware/malware/viruses.... I would hope people would be smarter than clicking and granting access to an unknown file that causes their entire screen to go dark with a warning, but the desire for free pirated games and quick access to a randomly googled trainer overrides common sense.
So there are no LOCALSYSTEM Windows native services that automatically set permissions on registry keys, and Steam is a necessary component of the pwn?
This exploit lets any running program take over your machine if Steam is running.
If you wanted to be malicious, you could distribute a free game on Steam with this exploit hidden inside it and know you were hitting vulnerable machines.
Worth noting that a free game distributed in Steam could already do this, likely without a UAC prompt depending the user's settings. This just guarantees that no one would see a UAC prompt, settings be damned.
"Don't install things that look suspicious, don't install things from websites you don't recognize, don't take candy from strangers."
Wouldn't steam run an antivirus/scan on game files before being distributed?
So how do they install the program to your system that gives them access? They can do it from their end without you doing anything but keeping Steam on? Or you, yourself would have to download something that has the program included?
This is a privlege escalation vulnerability, so it bypasses UAC even if you have it on.
Mind you with UAC turned off, everything you run is a privilege escalation vulnerability. So really for you it doesn't matter if Steam fixes this, because you've chosen to always be vulnerable.
I think they would have to have UAC completely disabled in order for them to not get a prompt when an app tries to get LocalSystem.
The most likely way would be hiding the malware in a 'free' game delivered via Steam. That's actually what makes this a little scary - Steam is a vector for delivering code to your computer, and some wires must really have been crossed for Valve to not take this seriously.
You should never ever turn UAC completely off. What version of Windows are you on and what did you set it to?
Ok, this scared me into turning it back on. I had like 4 malware antiviruses and things running at one time but I saw that having those even allow for vulerabilities that get in through the defending app so I just use Windows Defender and antispyware with an occasional malware scan and such. There's always a war, but I really should start fiddling around with Linux soon just for fun and to get used to it for games that work on it. All I need for PC is games, youtube, netflix, and the ability to mod games.
Windows 10, I doubt I ever got effected with anything serious though, unless the defense apps don't tell me after scans and such.
So here's the deal.
This is a 0 day vulnerability. What that means is that virus scanners cannot detect this exploit.
That means any auto-scanning of apps going up to any service, Steam or otherwise, can have this exploit inserted and not be detected.
If Steam is on a computer, this can be exploited.
This is an escalation of priviliage exploit. This means any app, even one without admin priviliages, can leverage this vulnerability to behave as though the user of the PC gave them admin privileges.
In other words, any app on a PC with Steam can use this to do anything to the computer.
This is especially bad because Steam distributes apps. Steam also auto-updates these apps by default without users doing anything.
Worst case scenario is a malicious actor (game developer working on a game published to steam) inserts the exploit hidden in an update that gets published to Steam. Since this is a 0 day vulnerability, the exploit would not be caught uploading to Steam. Steam would auto-update the game for all users, thereby installing the exploit on their systems. The game, as part of installing the auto-update, could initialize the exploit as part of the installer. Thus, even without the user running an updated game, the malicious software could install itself.
Once installed, because it is now Admin, it could block fixes from being applied (outside of Microsoft's Malicious Software Removal Tool that goes through Windows Update). Thus it can now make itself undetectable and do whatever it is it wants to do.
So what it comes down to is, do you have any games installed by a company with a malicious actor that can rapidly code in an exploit that gets shipped in an update to Steam. If not, you are fine. Most people will be fine.
But I am sure some people have games installed that already behave poorly because of ad services or other garbage included. Many times the ad services themselves are run by malicious companies that try to get people to click on ads that will exploit vulnerabilities. Now these same companies could push an update for their services to a ton of games to try to exploit your system directly. This is the real risk in my view.
This is a 0 day vulnerability. What that means is that virus scanners cannot detect this exploit.
That means any auto-scanning of apps going up to any service, Steam or otherwise, can have this exploit inserted and not be detected.
If Steam is on a computer, this can be exploited.
This is an escalation of priviliage exploit. This means any app, even one without admin priviliages, can leverage this vulnerability to behave as though the user of the PC gave them admin privileges.
In other words, any app on a PC with Steam can use this to do anything to the computer.
This is especially bad because Steam distributes apps. Steam also auto-updates these apps by default without users doing anything.
Worst case scenario is a malicious actor (game developer working on a game published to steam) inserts the exploit hidden in an update that gets published to Steam. Since this is a 0 day vulnerability, the exploit would not be caught uploading to Steam. Steam would auto-update the game for all users, thereby installing the exploit on their systems. The game, as part of installing the auto-update, could initialize the exploit as part of the installer. Thus, even without the user running an updated game, the malicious software could install itself.
Once installed, because it is now Admin, it could block fixes from being applied (outside of Microsoft's Malicious Software Removal Tool that goes through Windows Update). Thus it can now make itself undetectable and do whatever it is it wants to do.
So what it comes down to is, do you have any games installed by a company with a malicious actor that can rapidly code in an exploit that gets shipped in an update to Steam. If not, you are fine. Most people will be fine.
But I am sure some people have games installed that already behave poorly because of ad services or other garbage included. Many times the ad services themselves are run by malicious companies that try to get people to click on ads that will exploit vulnerabilities. Now these same companies could push an update for their services to a ton of games to try to exploit your system directly. This is the real risk in my view.