Steam beta update patches zero-day that enabled privilege escalation


Valve has fixed a vulnerability in Steam that HackerOne had labeled “out of scope” several times. The researcher who discovered the vulnerability had therefore published it as a zero-day last Wednesday.

According to researcher Vasily Kravets, the vulnerability is in the Steam Client Service. A program running with only user rights can create registry keys under the registry key of this service, and the service then assigns every user the highest rights on those keys. Symlinks can then be used to modify the permissions of registry keys outside that key, including those of services that can be started by any user. In this way a malicious program can be launched with full rights, regardless of whether the user under whose account the program starts actually has those rights.
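An added example, not from the article or from Valve: a Python audit that reads a registry key's security descriptor in SDDL form (for instance the output of PowerShell's `(Get-Acl <key>).Sddl`) and reports allow-ACEs that give ordinary users the rights the paragraph above describes. The function names are hypothetical and the sample descriptors are constructed.

```python
import re

# SDDL rights tokens -> registry access bits. Generic rights follow the
# registry's generic mapping (GA = KEY_ALL_ACCESS, GW = KEY_WRITE).
RIGHTS = {"DC": 0x2, "LC": 0x4, "WP": 0x20, "WD": 0x40000, "WO": 0x80000,
          "KR": 0x20019, "KX": 0x20019, "KW": 0x20006, "KA": 0xF003F,
          "GW": 0x20006, "GA": 0xF003F}
# Bits that let a caller change a key, in reporting order.
RISKY = {0x2: "set value",        # KEY_SET_VALUE
         0x4: "create subkey",    # KEY_CREATE_SUB_KEY
         0x20: "create link",     # KEY_CREATE_LINK, needed for registry symlinks
         0x40000: "write DAC",    # WRITE_DAC, rewrites the key's permissions
         0x80000: "write owner"}  # WRITE_OWNER
# Trustees that include ordinary users (SDDL aliases and equivalent SIDs).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "Users", "S-1-5-32-545": "Users",
         "IU": "Interactive", "S-1-5-4": "Interactive"}

def parse_mask(rights):
    """Convert an SDDL rights field (hex or two-letter tokens) to a bit mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        # Expand generic bits in a hex mask: GENERIC_ALL, GENERIC_WRITE.
        return mask | (0xF003F if mask & 0x10000000 else 0) | (0x20006 if mask & 0x40000000 else 0)
    mask = 0
    for token in re.findall("..", rights):
        mask |= RIGHTS.get(token, 0)   # read-only tokens add no risky bits
    return mask

def risky_aces(sddl):
    """Return (trustee, [rights]) for allow-ACEs that let ordinary users modify the key."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        # Field order: type;flags;rights;object;inherit_object;trustee
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue   # deny ACEs and privileged trustees are not evaluated
        granted = [name for bit, name in RISKY.items() if parse_mask(fields[2]) & bit]
        if granted:
            findings.append((BROAD[fields[5]], granted))
    return findings

# Constructed sample descriptors, not taken from any real installation.
LOCKED_DOWN = "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
USER_WRITABLE = "O:BAG:SYD:AI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;BU)"
```

The checker skips deny ACEs and conditional ACEs, so a finding is a prompt to inspect the key rather than a final verdict.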

HackerOne, the platform Valve employs to process vulnerability reports, initially rejected Kravets’ report, then went back on that decision, and ultimately did nothing about it. When Kravets stated that he was convinced of the seriousness of the matter and would publish it himself if necessary, HackerOne forbade that, even though, according to Kravets, they did not understand the seriousness.

Valve itself has not responded substantively to the case, but during the night from Friday to Saturday it released a beta update for the Steam client in which the vulnerability has been fixed.

A demonstration made by Reddit user R_Sholes – Ars Technica commentary
