2019-08-22

A SECURITY RESEARCHER BANNED from flagging flaws to Steam via the Hacker One programme has discovered a second zero-day exploit in the PC gaming platform.

Back in July, independent researcher Vasily Kravets discovered a privilege escalation flaw in Steam and reported it through Valve's bug bounty programme. But as the flaw could only be exploited locally and required "the ability to drop files in arbitrary locations on the user's filesystem", it was rejected.

Kravets pushed back against this but Valve refused to pay heed to the report, so Kravets took the bug public some two weeks ago. This is against Hacker One rules, so Kravets got kicked off Valve's bug bounty programme.

"In short, Valve and H1 decided to remove me from the programme due to my public disclosure," the researcher told Threatpost, sticking to his metaphorical guns.

"I fully understand this and have no objections. But I still think that the first disclosure [was the] right move. Before my post Valve had no intentions to patch the vulnerability. A vulnerability is a vulnerability even if it [does] not fit into the security model."

Valve, however, updated Steam to plug the vulnerability, despite the whole Hacker One back and forth, though Kravets said the mitigation could be bypassed.

Then, in a twist of irony, Kravets discovered a second zero-day flaw in Steam, which has been disclosed publicly. This vulnerability allows local users of a Steam-equipped machine to gain maximum privileges over the system, thereby opening it up to all manner of exploits and malware.

The exploit can be carried out by any user on the operating system - the would-be hacker needs no prior privileges - by setting up an exploitation environment using the CreateMountPoint.exe and SetOpLock.exe tools and changing the Steam file structure.

"Our goal is to have a folder with Steam.exe and steamclient.dll, and without the 'bin' folder," explained Kravets. This takes a little technical nous, but Kravets has published a detailed breakdown of the exploit.

Kravets explained that a hacker could execute a dynamic link library inside the Steam client service, thanks to Valve not doing enough to check for foul play during its self-update process. Kravets did note that Steam detected it was being tricked at some stages while he was developing the exploit, but he was able to work around those checks.

Once all that was done, Kravets could execute his exploit payload in the form of a console with maximum permissions over the system. Kravets said the whole exploit could be wrapped up into a single executable file, but he couldn't be bothered to do so.

While the vulnerability is a local one, it doesn't need to be carried out by a person with direct access to the PC: a programme such as a dodgy free game downloaded from Steam could execute code to gain maximum privileges through the Steam bug. While hackers wouldn't be able to tap into this remotely, the malicious code could shut down firewalls and antivirus protection, as well as install a rootkit, all of which could open a system up to further malware and remote attacks.

Valve has yet to respond to this second bug disclosure, though Kravets did point out that the Steam client beta has been updated to fix a local-privilege escalation flaw and that Valve's bug bounty on Hacker One has now been changed to accept attacks that require the ability to drop files in arbitrary locations.

So it looks like Kravets made his influence felt after all, despite being shunted from the bug bounty programme. But it does cause one to raise an eyebrow at how Valve seems to treat people who are only trying to help it and Steam users. µ