Severe local 0-Day escalation exploit found in Steam Client Services

So I read the article and I have no idea what this means. Can someone who understands this stuff better than me explain this in a simpler way than the article did?
 
Any Steam published game can exploit the steam vulnerability and get local system privileges on your computer.

Any free to play game etc.
 
Any Steam published game can exploit the steam vulnerability and get local system privileges on your computer.

Any free to play game etc.
It seems to me any software you run on your computer can do the same; it doesn't even have to be Steam published, you just need to have Steam installed.
 
To exploit this you need local access with admin privileges. So you need to be an admin to gain admin privileges? Yet another "exploit" that has been blown out of proportion. We'd better delete every piece of software off our computer, just to be safe.
 
To exploit this you need local access with admin privileges. So you need to be an admin to gain admin privileges? Yet another "exploit" that has been blown out of proportion. We'd better delete every piece of software off our computer, just to be safe.

The vulnerability lies within Steam Client Service. The service may be started or stopped by unprivileged users.

As I read it in the articles, the issue is that you do NOT need to have admin rights.
You can use the Steam service as an unprivileged user to disable and enable other services and pass commands on to them even though these services are running privileged,
pretty much giving an unprivileged user an amount of privileges.

That is very much a real attack vector IMHO.

--edit--
He actually says it in black and white in the articles:
The attack does not require any file to be dropped anywhere or any special privileges.
Where did you get that you needed admin rights?
 
So I read the article and I have no idea what this means. Can someone who understands this stuff better than me explain this in a simpler way than the article did?

Here is the domino effect

Services are normally not to be started/stopped by unprivileged users.
Steam's service you can, for some reason.
The Steam service makes changes to the registry.
You can redirect those changes to hit other services' registry entries, now starting and stopping the services you are not supposed to be able to.
You can start the "forbidden" services with a command, and those commands will run with system-level privileges.

Unprivileged user now has a way to make privileged commands
 
To exploit this you need local access with admin privileges. So you need to be an admin to gain admin privileges? Yet another "exploit" that has been blown out of proportion. We'd better delete every piece of software off our computer, just to be safe.

Probably shouldn't throw out strong opinions on topics you don't understand
 
To exploit this you need local access with admin privileges. So you need to be an admin to gain admin privileges? Yet another "exploit" that has been blown out of proportion. We'd better delete every piece of software off our computer, just to be safe.
Normally you'd need privileged access to write to HKLM\SOFTWARE\Wow6432Node\Valve\Steam, but checking the permissions on my computer it's been changed to allow users write access.
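The two preconditions the posts above describe (unprivileged write access to the Steam registry key, and an unprivileged user being able to start/stop Steam Client Service) can be checked on your own machine. The script below is an added example, not code from the thread or from Valve; the key path and the service display name come from the thread, the well-known SIDs and the SDDL right codes are standard Windows values, and the rest is assumption. A warning from either check is a reason to tighten that ACL, not proof of compromise.

```powershell
# Added example, not from the thread: audit the two preconditions described
# above on a Windows host with Steam installed.
#   1. Can BUILTIN\Users write under the Steam registry key quoted in the thread?
#   2. Can low-privilege principals start/stop the Steam Client Service?

$keyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam'   # path quoted in the thread
$usersSid  = 'S-1-5-32-545'                             # well-known SID: BUILTIN\Users
$writeMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey)

function Test-SteamKeyAcl {
    if (-not (Test-Path $keyPath)) { Write-Host "Key not present: $keyPath"; return }
    $acl   = Get-Acl -Path $keyPath
    # Resolve identities to SIDs so the comparison is locale independent
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $usersSid -and
            $r.AccessControlType -eq 'Allow' -and
            ((([int]$r.RegistryRights) -band $writeMask) -ne 0)) {
            Write-Warning "BUILTIN\Users can write $keyPath ($($r.RegistryRights))"
            return
        }
    }
    Write-Host "OK: no Allow ACE granting Users write access on $keyPath"
}

# In a service security descriptor the SDDL codes RP and WP mean SERVICE_START
# and SERVICE_STOP; GA/GW are generic all/write. Flag any Allow ACE that grants
# them to BU (Users), AU (Authenticated Users), IU (Interactive) or WD (Everyone).
function Test-SteamServiceSddl {
    # Display name taken from the thread; lookup by display name is an assumption
    $svc = Get-Service -DisplayName 'Steam Client Service' -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host 'Steam Client Service not installed'; return }
    $sddl = (& sc.exe sdshow $svc.Name) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
        $rights = $m.Groups[1].Value; $who = $m.Groups[2].Value
        $codes = @()                      # split the rights string into 2-char codes
        for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $codes += $rights.Substring($i, 2) }
        $hit = $codes | Where-Object { $_ -in @('RP', 'WP', 'GA', 'GW') }
        if (($who -in @('BU', 'AU', 'IU', 'WD')) -and $hit) {
            Write-Warning "Service '$($svc.Name)': $who may start/stop it (rights $rights)"
        }
    }
}

Test-SteamKeyAcl
Test-SteamServiceSddl
```

Run it from an elevated PowerShell so Get-Acl can read the key's DACL; the service check uses the built-in sc.exe sdshow output and needs no extra tooling.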
 
It's a good thing we have safer alternatives like the EGS. I can uninstall Steam and still have some games to play.
 
To exploit this you need local access with admin privileges. So you need to be an admin to gain admin privileges? Yet another "exploit" that has been blown out of proportion. We'd better delete every piece of software off our computer, just to be safe.
 
Those are account security related and have nothing to do with the kind of exploit being discussed here.

They show that Epic doesn't take security seriously, I certainly wouldn't put them up on a pedestal in that regard.
 
They show that Epic doesn't take security seriously, I certainly wouldn't put them up on a pedestal in that regard.

I don't know, man, I have 2FA on my account and it seems to work. Not sure where you're getting a pedestal from though; I simply stated that EGS was a safer alternative, as it doesn't have this same vulnerability that Steam does. I'm sure Valve will patch it out soon; could you imagine the world's best and most mature game client leaving so many customers exposed like this? Surely there will be an uproar soon.
 
I don't know, man, I have 2FA on my account and it seems to work. Not sure where you're getting a pedestal from though; I simply stated that EGS was a safer alternative, as it doesn't have this same vulnerability that Steam does. I'm sure Valve will patch it out soon; could you imagine the world's best and most mature game client leaving so many customers exposed like this? Surely there will be an uproar soon.

More likely a "security through obscurity" situation than anything. Given how little effort Epic seems to have put into EGS I wouldn't be at all surprised if they cut corners when it comes to security as well. As for this issue? I wouldn't be surprised if it took them a while to fix it. Sounds like a lot of employees at Valve are pretty unaware of what people are talking about online. Then there's the fact that they'd only have to work on fixing this issue if anyone working on Steam actually wanted to.
 
They show that Epic doesn't take security seriously
Very silly generalization there. More like Epic's biggest game (Fortnite) has a very large younger audience that doesn't understand the need for 2FA and they tend to use the same username/password on multiple web sites. Most of the "hacks" reported about the epic client tend to be (1) leaked database dumps from other third party websites where users used the same username/password in multiple places or (2) kids falling for "install this .exe for free vbucks".
 
Very silly generalization there. More like Epic's biggest game (Fortnite) has a very large younger audience that doesn't understand the need for 2FA and they tend to use the same username/password on multiple web sites. Most of the "hacks" reported about the epic client tend to be (1) leaked database dumps from other third party websites where users used the same username/password in multiple places or (2) kids falling for "install this .exe for free vbucks".

The Fortnite hack was them leaving a poorly configured (i.e. insecure) 20-year-old leaderboard server not only active but connected to the backend of their network; that's poor security no matter how you cut it. It's also only one of the security issues mentioned in the links above that took only a minute to find, though I didn't find anything on the client issue I was originally looking for.

The issue at hand seems like a fairly minor escalation exploit, but one that should be patched, and Valve's response seems lacking; but it also seems ridiculous to hold up Epic as a more secure alternative given their rather short yet checkered past regarding security and privacy.
 
What does this have to do with fortnite and epic?
 
This kind of exploit sounds like an oversight that can happen to any developer working on an app which has Microsoft's certification for running at elevated levels of access.

it also seems ridiculous to hold up epic as a more secure alternative
I thought he was joking when he posted that, poking sarcastic fun at the people who bash epic every chance they get, even in threads not relating to them.

What does this have to do with fortnite and epic?
Nothing. Ever since Epic has been partnering with some devs/publishers for exclusivity, there have been a few people that show up in any thread relating to other PC gaming platforms with their "Epic are evil" posts, usually starting pointless arguments that go in circles.
 
I don't know, man, I have 2FA on my account and it seems to work. Not sure where you're getting a pedestal from though; I simply stated that EGS was a safer alternative, as it doesn't have this same vulnerability that Steam does. I'm sure Valve will patch it out soon; could you imagine the world's best and most mature game client leaving so many customers exposed like this? Surely there will be an uproar soon.

First time you have ever heard of a security vulnerability? This shit happens literally every day. It'll be patched in a couple of days.
 
First time you have ever heard of a security vulnerability? This shit happens literally every day. It'll be patched in a couple of days.

Nope, just wanted to see what would happen if I mentioned EGS.
 

“Oh no, Steam friends are only sent to Epic if you explicitly import Steam friends, and then only hashed IDs of Steam friends, so that we can’t personally identify them but only match up pairs of players who both imported Steam friends.

“[Game list and time played] information may be in the Steam file, but the Epic Games launcher doesn’t parse that information and never sends it to Epic. The only information that is ever sent to Epic is hashed friend identifiers, and only when you explicitly import Steam friends."
 
Much ado about nothing; all the social networks and big email providers do this. (Simple example: for years it used to be that if you signed up on Facebook, your contacts from your email accounts (Hotmail/Yahoo etc.) got imported as suggested friends without your permission.)

Things might have changed with the privacy lawsuits in recent years, I don't know if they do it anymore, but one platform importing friends lists from another platform is nothing new. At least nowadays they tend to let you opt out.
 
“Oh no, Steam friends are only sent to Epic if you explicitly import Steam friends, and then only hashed IDs of Steam friends, so that we can’t personally identify them but only match up pairs of players who both imported Steam friends.

“[Game list and time played] information may be in the Steam file, but the Epic Games launcher doesn’t parse that information and never sends it to Epic. The only information that is ever sent to Epic is hashed friend identifiers, and only when you explicitly import Steam friends."

 
This kind of exploit sounds like an oversight that can happen to any developer working on an app which has Microsoft's certification for running at elevated levels of access.
To an incompetent one, at least.
 