HWZ Forums

Login Register FAQ Mark Forums Read

[Steam] Second Steam Zero-Day Impacts Over 96 Million Windows Users

LinkBack Thread Tools
Old 23-08-2019, 08:17 PM   #1
Arch-Supremacy Member
Pyre's Avatar
Join Date: Jan 2000
Posts: 20,589
Exclamation [Steam] Second Steam Zero-Day Impacts Over 96 Million Windows Users

A second Steam Windows client zero-day privilege escalation vulnerability affecting over 96 million users has been publicly disclosed today by Russian researcher Vasily Kravets.

This happens after Valve disputed the significance of the previous Steam 0day disclosed by Kravets on Twitter and banned him out of their HackerOne bug bounty program.

Seeing that this vulnerability impacts only the Steam Windows client, with Steam having over 100 million registered users and 96.28% of them are running Windows according to the Steam Hardware & Software Survey: July 2019, the systems of roughly 96 millions of them are currently affected.

The privilege escalation (also known as an elevation of privilege or local privilege escalation) security flaw disclosed today by Kravets can allow attackers with limited rights to use a technique known as BaitAndSwitch to run executables using the Steam Client Service's NT AUTHORITY\SYSTEM elevated permissions.

This would allow potential attackers to launch a three-stage attack, getting remote code execution privileges by exploiting a vulnerability in a Steam game, a Windows app, or the OS itself, subsequently elevating privileges on the compromised device and running a malicious payload using SYSTEM permissions.

As Kravets detailed in his write-up, "achieving maximum privileges can lead to much more disastrous consequences. For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC userís private data ó is just a small portion of what could be done."
We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.

Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a userís machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.

We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.

In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We arenít going to discuss the details of each situation or the status of their accounts at this time.
Pyre is online now   Reply With Quote
Old 23-08-2019, 09:49 PM   #2
Senior Member
Join Date: Nov 2015
Posts: 2,428
Researcher discloses second Steam zero-day exploit after being shut out of bug bounty program (Update: fixed in beta channel)
rrr2015 is offline   Reply With Quote
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ. Forum members and moderators are responsible for their own posts.

Please refer to our Terms of Service for more information.

Thread Tools

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are On