12 Aug 2019
Despite Valve determining that a flaw submitted by their bug bounty program HackerOne was “Not Applicable”, two independent researchers confirmed a zero-day privilege escalation vulnerability in the popular Steam game client for Windows. The vulnerability allowed an attacker with limited permissions to run a program as an administrator. This posed a significant threat to Steam users—over 100 million of them.
In a report published August 7th, security researcher Felix was analyzing a Windows service associated with the Steam client when he noticed that the service could be started and stopped by the “user” group. The registry key for this service was not editable by the “user” group, so it could not be modified to elevate privileges to an administrator level. It did, however, give the “users: group full write access to the subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.
“I created test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and restarted the service (Procmon’s log is above) and checked registry key permissions,” Tweeted Felix. “Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit “Full control” for “Users” group, and these permissions inherit for all subkeys and their subkeys. I assumed that RegSetKeySecurity sets same rights, and something interesting would happen if there were a symlink. I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service.”
He configured a symlink from a key he didn’t have permission for, restarted the service, and discovered it was now possible to modify that key as well. This could allow a service running with SYSTEM privileges to be modified so that it launched a different program with elevated rights.
A second researcher, Matt Nelson, confirmed the vulnerability as well. Matt is well known for discovering privilege escalation vulnerabilities under the enigma0x3 alias. He shared a proof-of-concept (PoC) script on GitHub that abused the flaw.
HackerOne reopened the bug report. After further investigation, a fix was released. Matt Nelson tweeted late Sunday night, “The fix for the Steam LPE: The service now checks for registry symlinks by iterating through subkeys under the Steam key & calls RegQueryValueEx with a check for the “SymbolicLinkValue” key value.”