Steam Browser Protocol Insecurity Exploit



Kaira-
16-10-2012, 06:55 PM
http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf

Basically, it works very much like the UPlay exploit earlier this year, though since the steam:// protocol can't explicitly load just about anything, it requires a bit more work; but by chaining it with exploits in games' command line arguments, you can do all kinds of malicious stuff with it. Be cautious when you click steam:// links, especially untrusted ones.

And a video of a proof of concept:
http://vimeo.com/51438866

[E] God damn how did I manage to typo the subject of the thread? Aw nuts. Anyhow, also you should note that most browsers warn when they use protocols and try to launch external programs.

[Edit of edit]
Also it should be noted that I find it distasteful that this has been leaked before giving the info to Valve, but considering Valve took over 6 months to fix the certificate validation hole (http://www.highseverity.com/2012/03/valve-fixes-https-vulnerability-in.html), this might actually make them move pretty fast. But still, this is distasteful.

Unaco
17-10-2012, 03:35 PM
That's quite worrying. Surprised this hasn't made the front-page, like the UPlay incident. Maybe someone should email Alec... he handled the UPlay exploit articles when they happened. Seems like this isn't a major issue by itself... but with other vulnerabilities in Steam, and this exploiting them, it is serious.

Disabling the steam:// protocol in your browser would probably be recommended... Since it'll take Valve 12 months to plug this hole.

Jams O'Donnell
17-10-2012, 03:45 PM
(thread title typo corrected)

vinraith
17-10-2012, 03:53 PM
Thanks for the heads-up, Kaira-. I tend to avoid application-launching links anyway, but this is definitely something people need to know about.

As usual, I'm disappointed that Valve hasn't felt the need to notify their users. It seems like whenever something like this happens we have to find out through third parties. I expect no better of the likes of Ubisoft, but Valve's supposed to be less customer-hostile than most.

Cooper
17-10-2012, 05:11 PM
Be cautious when you click steam://-links, especially untrusted ones.

This stands, known vulnerability or no.

What I found most interesting about that report was the vastly different ways non-HTTP protocols are handled by browsers. It seems strange that Mozilla puts up large warning notices when file:// is used, but much less for other external application protocols (a simple "do you want this URL to load iTunes, Spotify, Steam or whatever" yes / no option).

As for releasing it publicly before direct to Valve, their track record of dealing with non-public warnings of vulnerabilities is not great...

gundato
17-10-2012, 05:57 PM
As for releasing it publicly before direct to Valve, their track record of dealing with non-public warnings of vulnerabilities is not great...

Which is no justification at all.

Worst case scenario: Alert Valve, Valve doesn't fix it. It remains a threat, but an un-exploited one. And if, down the line, someone DOES exploit it, Valve are suddenly made aware.

The only difference between that is the "good samaritan" deciding to guarantee that it becomes a threat that will probably be exploited, rather than just one of many silent threats that Valve should fix.

Finicky
17-10-2012, 09:11 PM
I thought this vulnerability was already mentioned when the Uplay one was discovered?
Back then it was also said that there was a clear distinction between the two based on access level of the commands.
Steam ones activate an application ID, which was supposed to be encrypted or something so it couldn't be fucked with, which made it pretty much harmless. You can get steam to run the app ID of the select few steam applications on the pc, but not add a new ID for anything else.
While the Uplay one literally just did "Run : blabla.exe"... which made it a hilarious vulnerability. Pretty absurd.

Looking at the video: Does this only allow the user to exploit weaknesses in games and steam installed applications that happen to be installed on the pc? (so in a very roundabout way, still can't actually launch anything that isn't a steam application directly).

I hope they fix it fast, no excuses for this kind of stuff, no free passes for Valve.

I still feel the need regardless to point out the differences between the two:
Steam one: kudos to the guy being creative and finding a way to exploit this.
Uplay one: hilariously amateurish way of programming and design

Unaco
17-10-2012, 11:18 PM
Looking at the video: Does this only allow the user to exploit weaknesses in games and steam installed applications that happen to be installed on the pc? (so in a very roundabout way, still can't actually launch anything that isn't a steam application directly).

From my reading of it, yes, this is the main way it would be a (major?) risk. However, it isn't just limited to launching Steam games; it can exploit all of the functions of Steam and the steam:// URL handling (of which running a Steam game/engine is one). The articles and the video mention the retailInstall function as well, which could be exploited (there was also something going on with people clicking Steam Community links in Steam chat, or outside perhaps, and having their Steam profile avatar hijacked over the weekend). These sorts of things aren't too bad on their own, but in combination with this exploit, they become somewhat more viable... This is an exploit that would allow for these other exploits to be... exploited.

postinternetsyndrome
17-10-2012, 11:32 PM
Yeah, not a fan of them going the sensationalist route and telling every potential hacker what to do. They should at least tell valve and say "we will go public in a month" or something like that. Give them an honest chance.

Sketch
17-10-2012, 11:34 PM
Does the link confirm this is Safari only? I'm on my phone so it's a bit of a pain to check.

Unaco
17-10-2012, 11:39 PM
Does the link confirm this is Safari only? I'm on my phone so it's a bit of a pain to check.

Not quite. Other browsers will ask "Do you want to run this through Steam?" and give the requested URL, so you can decipher it and decide if it's legit or not. Chrome and IE9 provide the whole URL, Firefox cuts it off after 40 characters. The problem with Safari is it doesn't ask, it just runs it through Steam... so there isn't that extra level of protection and confirmation required from the user. It can be exploited through other browsers, it's just not as likely, or as easy to.