A severe security vulnerability has been discovered in Valve’s Steam software. A researcher by the name of Vasily Kravets has published details of a zero-day security vulnerability in the Windows version of Steam after having his vulnerability report rejected by Valve Software.
A zero-day vulnerability is a security flaw that is known to the software provider but for which no security fix has been implemented by the time the flaw becomes public. Any zero-day vulnerability has huge potential to be exploited by hackers because it is public knowledge.
Okay, so there’s a severe security flaw with Steam, Valve knows about it, and this vulnerability hasn’t been patched. Everyone now knows how this security flaw can be exploited.
Kravets has explained his discovery in depth in his published report but, in a nutshell, it relates to the ‘Steam Client Service’ process. This is installed alongside any Steam installation and is used for Valve’s own internal purposes.
The service sets permissions on various registry keys on startup, each of which is a subkey of “HKLM\Software\Wow6432Node\Valve\Steam\Apps”. Steam Client Service also adds security descriptors for each. Kravets then tried injecting his own test keys and linking them to Steam’s service, discovering he could achieve full read and write access to the key for all users.
From this stage, a cyberattacker can already begin to take control of a system. They’ve got a key in the registry and can begin an Escalation of Privileges. Once achieved, they can then run any program with full rights access.
The end result is that this process can be exploited by malicious software, or by someone with either local or remote access, allowing them to escalate their privileges to system-wide admin access. This then means near-total control of a system.
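A defender can check whether a machine is in the state described above by auditing the access control lists under the registry key the article names. The PowerShell below is an added example, not code from this article or from Kravets's report; the function name `Get-WeakRegistryAce`, the list of "broad" groups and the set of rights treated as write access are assumptions chosen for illustration.

```powershell
# Added example: list Steam "Apps" registry keys that non-admin groups can modify.
$root = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam\Apps'   # path quoted in the article

# Well-known SIDs of broad, low-privileged groups (assumed list; SIDs avoid
# problems with localized group names).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow changing a key's contents, links or security, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights    = 'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.RegistryRights]$rights -bor 0x50000000

function Get-WeakRegistryAce {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # key absent: nothing to audit

    # Audit the root key and every subkey beneath it.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $aces) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if (-not $broadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $broadSids[$sid]
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Any row printed is a key that an unprivileged account can write to.
Get-WeakRegistryAce -Path $root | Format-Table -AutoSize
```

An empty result means no allow entry for the listed groups grants write-type rights on the keys the current account was able to enumerate.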
What’s particularly worrying here is Kravets passed this one to HackerOne for review, who then passed it on to Valve, who then marked it as “not applicable”. After a bit of back and forth, he’s waited 45 days and has now publicly disclosed the vulnerability in the hope Steam devs will make the appropriate security changes.
The flaw was rejected by HackerOne and Valve because these are "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem" and "attacks that require physical access to the user's device".
As it currently stands though, this security flaw is wide open and Valve has yet to address the issue. “They didn't want me to disclose the vulnerability”, explains Kravets. “At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned at H1 because of it, but it won't make me upset.”