Two security experts disclosed a privilege escalation vulnerability in the Stream client for Windows that can be exploited by an attacker with limited permissions to run code administrative privileges.
The issue could be exploited by
The two experts decided to disclose the flaw because Valve did not acknowledge it. Not only the company refused to cover the issue under its bug bounty program but asked one of them to not disclose the flaw.
One of the experts, the security researcher Vasily Kravets (aka Felix) explained that the
The vulnerability affects the Steam Client Service, it could be started or stopped by unprivileged users. This could be very dangerous when the service automatically sets permissions on a set of registry keys. If a malware uses one of these keys it can start or stop the service or pass arguments to services.
“Steam’s service sets security descriptor for our target-key. Review SDDL for the key (non-interesting data is omitted):
In other words, it means full (read and write) access to the key for all users. This is the security descriptor the service has set
“So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges).”
The expert demonstrated that using the HKLM\SYSTEM\ControlSet001\Services\msiserver associated with the service “Windows Installer,”which can be started by any user, same as Steam’s service, it is possible to run a program as NT AUTHORITY\SYSTEM.
“I created test key HKLM\Software\Wow6432Node\Valve\Steam\Apps\test and restarted the service (Procmon’s log is above) and checked registry key permissions.” continues the expert. “Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit “Full control” for “Users” group, and these permissions inherit for all
The researcher successfully configured a
Summarizing, it is possible to change any Registry key by creating a symlink to it from a
The expert launches in the