- Security researcher learned that the registry key for Steam service has explicit “Full control” for “Users” group, and these permissions are applicable for all subkeys and their subkeys.
- Successful exploitation of this vulnerability could allow an attacker to run any program with highest privileges on any Windows system with Steam installed.
A security researcher named Felix detected a zero-day privilege escalation vulnerability in the Steam game client for Windows. This vulnerability could allow an attacker to run a program with administrator privileges.
More details on the vulnerability
Successful exploitation of this vulnerability could allow an attacker to run any program with highest privileges on any Windows system with Steam installed.
- Felix learned that the registry key (HKLM\SOFTWARE\Wow6432Node\Valve\Steam) for Steam service has explicit “Full control” for “Users” group, and these permissions are applicable for all subkeys and their subkeys.
- To confirm this, the security researcher created a test key (HKLM\Software\Wow6432Node\Valve\Steam\Apps\test) and restarted the service.
- This gave the researcher full (read and write) access to the key.
“So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges). I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service “Windows Installer”, which can be started by any user, same as Steam’s service, but run program as NT AUTHORITY\SYSTEM,” the researcher said in a report.
The security researcher reported the vulnerability to the parent company Valve Corporation via HackerOne on June 15, 2019. Valve marked the vulnerability as “Not Applicable” citing “Attacks that require the ability to drop files in arbitrary locations on the user's filesystem” and “Attacks that require physical access to the user’s device.”
However, after 45 days of the initial disclosure, the security researcher has made the vulnerability public as there are 125 million active accounts on Steam and this could impact all the potential users.
Another security researcher named Matt Nelson created a proof-of-concept (PoC) code for the vulnerability and shared it on GitHub.