Steam Service Security

News and discussions about new, recent and work-in-progress security vulnerabilities affecting games and game-related software
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Steam Service Security

Post by aluigi »

Something different from the usual remote vulnerabilities I report: this time it's a local design issue that allows executing code as SYSTEM (a sort of Administrator) through the Steam Client Service.

Status: still vulnerable as far as I know.

Full details here:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf

What I think is particularly interesting about that paper is the tool I released and the information about the IPC interface of the service.

The following are the methods that can be called:


IClientInstallUtils::SetUniverse
IClientInstallUtils::AddShortcut
IClientInstallUtils::RemoveShortcut
IClientInstallUtils::RemoveFromGameExplorer
IClientInstallUtils::AddRichSavedGames
IClientInstallUtils::RemoveRichSavedGames
IClientInstallUtils::AddToMediaCenter
IClientInstallUtils::RemoveFromMediaCenter
IClientInstallUtils::AddUninstallEntry
IClientInstallUtils::RemoveUninstallEntry
IClientInstallUtils::AddToFirewall
IClientInstallUtils::RemoveFromFirewall
IClientInstallUtils::RegisterSteamProtocolHandler
IClientInstallUtils::FixupSteamClientShortcuts
IClientInstallUtils::RunInstallScript
IClientInstallUtils::AddInstallScriptToWhiteList
IClientInstallUtils::GetInstallScriptExitCode
IClientModuleManager::LoadModule
IClientModuleManager::UnloadModule
IClientModuleManager::CallFunctionAsync
IClientModuleManager::CallFunction
IClientModuleManager::PollResponseAsync
IClientProcessMonitor::RegisterProcess
IClientProcessMonitor::UnregisterProcess
IClientProcessMonitor::TerminateProcess
IRegistryInterface::BGetValueUint
IRegistryInterface::BSetValueBin
IRegistryInterface::BDeleteValue
IRegistryInterface::BDeleteKey
IRegistryInterface::BKeyExists
IRegistryInterface::BSetValueStr
IRegistryInterface::BSetValueUint
IRegistryInterface::BGetSubKeys
IRegistryInterface::BGetValues
IRegistryInterface::BEnumerateKey
IRegistryInterface::BGetValueStr
IRegistryInterface::BGetValueBin
IRegistryInterface::BenumerateValue

The tool contains all the arguments and is well made, except for the "exit" part, because the service remains frozen and you must kill it manually (as SYSTEM, obviously)... yeah, that part needed more work, so feel free to have fun with it.

Link:
http://aluigi.org/poc/steam_service_poc.zip
michalss
Posts: 320
Joined: Sun Aug 10, 2014 12:49 pm

Re: Steam Service Security

Post by michalss »

Means you can play even if you got VAC? Is there any way? It is very interesting I guess, I don't really need this but it could be useful :D
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Steam Service Security

Post by aluigi »

As far as I know VAC is checked server-side so you can do nothing for a banned account (the server probably asks Valve if the account is banned and, if yes, kicks you out).
But if you talk about preventing VAC from banning your account when it's still "clean"... maybe :)
michalss
Posts: 320
Joined: Sun Aug 10, 2014 12:49 pm

Re: Steam Service Security

Post by michalss »

aluigi wrote: As far as I know VAC is checked server-side so you can do nothing for a banned account (the server probably asks Valve if the account is banned and, if yes, kicks you out).
But if you talk about preventing VAC from banning your account when it's still "clean"... maybe :)

Yeah this could be very interesting :D Any additional info pls?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Steam Service Security

Post by aluigi »

Unfortunately no. The only things I checked are those that I published.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Steam Service Security

Post by aluigi »

An HTML version of the paper is available here:
https://revuln.blogspot.com/2018/12/ste ... -2014.html