After Valve banned him from its bug bounty program, a researcher has found a second zero-day vulnerability affecting the Steam gaming client.
A researcher has disclosed a zero-day privilege-escalation vulnerability for the Steam gaming client after he said he was barred from the bug bounty program of Steam’s owner, Valve.
The vulnerability is the second zero-day privilege-escalation flaw that independent researcher Vasily Kravets has released in two weeks for the Steam gaming client, a video game digital distribution platform developed by Valve Corporation.
Despite being banned from Valve’s bug bounty program on the HackerOne platform, Kravets on Tuesday disclosed a new flaw in the Steam client that he said would be simple for any OS user to exploit. “Not long ago I published an article about Steam vulnerability,” said Kravets in a Tuesday evening post. “I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though).”
Kravets disclosed his first zero-day vulnerability affecting Steam earlier in August. The flaw, disclosed Aug. 7, is a privilege-escalation vulnerability that can allow an attacker to run any program with the highest possible rights on any Windows computer with Steam installed. It was released after Valve said it wouldn’t fix it (Valve then published a patch, which the same researcher said can be bypassed).
Like last week’s vulnerability, the newest flaw found by Kravets also enables local privilege escalation. Kravets told Threatpost he is not aware of a patch for the vulnerability.
This most recent vulnerability stems from a combination of insecure permissions on Steam’s folders, insecure permissions on Steam’s branch of the registry and insufficient checks during Steam’s self-update process, Kravets told Threatpost.
No special privileges are required for an attacker to take control of the game client; while the privilege-escalation attack is local, physical access is not needed: “Any user on a PC could do all actions from exploit’s description (even ‘Guest’ I think, but I didn’t check this). So [the] only requirement is Steam,” Kravets told Threatpost.
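For administrators wanting to check their own machines for the weak-permission root cause described above, the following audit script is an added example (it is not from the article, Kravets or Valve). It lists any write-class rights that low-privilege principals hold on the Steam install folder, the files the article names, and Steam’s registry branch; the default paths are assumptions and should be adjusted to the local install.

```powershell
# Added example, not from the article or from Valve: audit the Steam install
# folder and registry branch for the kind of weak ACLs the article describes.
# Default locations below are assumptions; adjust to the local install.
param(
    [string]$SteamDir = 'C:\Program Files (x86)\Steam',
    [string]$SteamKey = 'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam'
)

# Principals that should not hold write-class rights on a per-machine install
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a standard user plant or replace files or registry values
$writeLike = 'FullControl|Modify|Write|CreateSubKey|SetValue|ChangePermissions|TakeOwnership'

function Get-WeakAce {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # File objects expose FileSystemRights, registry keys expose RegistryRights
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
            $ace.FileSystemRights } else { $ace.RegistryRights }
        if ("$rights" -match $writeLike) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = "$rights"
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the folder itself, the files the article names, and the registry branch
$targets = @($SteamDir,
             (Join-Path $SteamDir 'Steam.exe'),
             (Join-Path $SteamDir 'steamclient.dll'),
             (Join-Path $SteamDir 'bin'),
             $SteamKey)
$findings = $targets | ForEach-Object { Get-WeakAce -Path $_ }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Standard users can modify Steam files or keys; restrict write access to administrators and re-run the audit.'
} else {
    Write-Output 'No write-class rights for low-privilege principals found.'
}
```

Run it from an elevated prompt so that Get-Acl can read every object; a clean result does not by itself mean the self-update check weakness is fixed, only that the permission precondition is absent.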
To prepare the exploitation environment, Kravets said he first obtained the CreateMountPoint.exe and SetOpLock.exe files. Then he made small changes to Steam’s file structure: “Our goal is to have [a] folder with Steam.exe and steamclient.dll, and without ‘bin’ folder,” he said.