Security researcher Vasily Kravets has released a second zero-day exploit for Valve's popular Steam distribution platform, this time in alleged retaliation for the company banning him from its bug bounty programme - though Valve appears to be getting faster at patching them out.
Vasily Kravets, of Russian security firm ПЕРСПЕКТИВНЫЙ МОНИТОРИНГ (Perspective Monitoring), hit the headlines earlier this month by announcing a zero-day vulnerability in Valve's Steam Client for Windows - a vulnerability for which, at the time of its public release, there was no fix or mitigation available - allowing any software on the system to escalate its privileges to the administrative level. 'Tt looks like Valve wants these EoP [Escalation of Privilege] vulnerabilities to be present in the software,' Kravets claimed at the time, after the company not only rejected his bug report but allegedly modified the terms of its bug bounty programme, run on the HackerOne platform, to specifically exclude privilege escalation vulnerabilities. 'I do not [recommend] deleting Steam, but you should be aware and careful with it. Valve do not care about your security, so you are the only one who should be.'
Now, Kravets is back with a second zero-day vulnerability - and with the claim that Valve has banned him from its bug bounty platform altogether while failing to properly secure his originally reported bug.
'Not long ago I published an article about Steam vulnerability. I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence,' Kravets writes. 'Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection [sic] programme.
'And it’s sad and simple — Valve keeps failing. Last patch, that should have solved the problem, can be easily bypassed so the vulnerability still exists. Yes, I’ve checked, it works like a charm. But this article is not about an old vulnerability, it’s about new one. Since Valve decided to read a public report instead of private report one more time, I won’t take that pleasure away from them.'
As well as claiming that a bypass exists for the privilege escalation vulnerability fixed rolled out by Valve earlier this month, Kravets details a brand-new zero-day attack against the Steam Client: Arbitrary code execution with maximum system privileges. ' For example,' Kravets explains, 'disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done.'
While Valve has still not publicly commented on either of Kravets' vulnerabilities, bar brief mentions in patch notes, it has responded considerably more quickly this time around: A patch for both the original-patch bypass vulnerability and the newly-discovered flaw was added to the beta client branch late last night, mere hours after Kravets' public disclosure, and has added local privilege escalation exploits to the scope of its HackerOne bug bounty programme - both moves Kravets describes as being 'great news,' despite still being banned from participating in the bug bounty programme himself.
Users of Steam Client for Windows are advised to keep an eye out for the security fix leaving beta and update as soon as it is available. More details on the exploit itself, including two video demonstrations of it in action, are available on Perspective Monitoring.
Valve has issued a statement, reproduced in part below, in which it admits it was incorrect to turn Kravets away from the bug bounty programme and exclude privilege escalation issues.
'We are [...] aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake. Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
'We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program. In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We aren’t going to discuss the details of each situation or the status of their accounts at this time.'
May 15 2020 | 11:00