A Russian security researcher has released a zero-day privilege escalation exploit for Valve's popular Steam digital distribution software, claiming that 'Valve wants these [escalation of privilege] vulnerabilities to be present in the software.'
A zero-day vulnerability is one which is publicly known but for which no patch is yet available - in other words, one which can be easily exploited by a wide range of ne'er-do-wells. Zero-day vulnerabilities are bad news, so security researchers are encouraged to adopt reporting guidelines which see vulnerabilities communicated to software and hardware makers in private so that a patch can be developed and disseminated before the public - and the bad actors - is alerted to the flaw.
Vasily Kravets, of Russian security firm ПЕРСПЕКТИВНЫЙ МОНИТОРИНГ (Perspective Monitoring), claims that's exactly what he tried to do with an escalation of privilege vulnerability in Valve's Steam platform - but says that the company rejected his report, refusing to pay a bounty through the HackerOne bug bounty platform.
The vulnerability itself lies in the Steam Client Service on Windows, installed automatically by the client software for Valve's Steam digital distribution platform. A bug in the service allows for an attacker to exploit it to take control of entries in the Windows Registry, and can be exploited to allow for a full escalation of privilege attack - whereby malicious code running under relatively limited privileges can be boosted to administrative rights, gaining full control over the computer.
'I reported this vulnerability to the Valve via HackerOne. I got "not applicable" with cause "attacks that require the ability to drop files in arbitrary locations on the user's filesystem",' Kravets writes. 'I was like "are you serious? There is no even a single file operation!"'
'I wrote some comments and other H1 [HackerOne] member tried to reproduce my steps. After some conversations, he confirmed the report and sent it to the Valve security team. Hooray! Mission accomplished. Or not? Some weeks later, another (third) H1 member marked report as "N\A". Now there were two causes: "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem" and "Attacks that require physical access to the user's device". Here I realized that Valve has no interest in EoP [escalation of privilege] vulnerabilities. 45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.'
Kravets' claims against the company go further than it having no interest in reports of escalation of privilege vulnerabilities, however. 'It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges. What if there is no coincidence and the behaviour is insecure by design? What if the Steam is a kind of legal backdoor? It is impossible to convict Valve, but putting all the facts together: There is the vulnerability, which is easy to exploit and reliable works, providing high rights. And it seems like not only one, according to this Twitter thread; it is easy to find the vulnerability. I am not sure that I'm first who has found it, but the first one who wrote about it; Valve declined the report about the EoP vulnerability and same ones. Moreover, the scope of incoming reports specially reduced to exclude EoP reports. As for me, it looks like Valve wants these EoP vulnerabilities to be present in the software.
'I do not [recommend] deleting Steam,' Kravets concludes, 'but you should be aware and careful with it. Valve do not care about your security, so you are the only one who should be.'
Valve has been contacted for comment, and this article will be updated with any response that follows.
October 15 2020 | 14:00