Massive Steam security hole closed a decade late

Put your hacks on the ground and step away from the keyboard!

For most of the past decade, it has theoretically been possible to hijack someone’s PC via Steam, according to IT security consultancy Context Information Security. Don’t panic or go setting your PC on fire, though – as far as anyone is aware, no machines were hacked through this method. While there is no known harm from the exploit, it’s a solid reminder as to why internet security is something that everyone needs to keep on top of, no matter how big or small your outfit.

Tom Court, the security boffin who identified and helped Valve close up the loophole, also provided a proof-of-concept video, showing a relatively benign application of the exploit (launching Windows Calculator on a vulnerable machine), and it’s not hard to see how this could be used for evil instead of basic mathematics. The exact mechanics of how the exploit works are far too technical for me to wrap my mostly word-and-sawdust-filled brain around, but coders may find something of interest in Court’s official blog post on the subject here.

The loophole was mostly closed back in July of last year, when Valve recompiled Steam using modern exploit protections. It could still have theoretically caused some damage (it would cause a crash if activated, rather than allowing full remote code execution), but the threat was greatly reduced. Context first discovered the issue back in February of this year and informed Valve, and while an initial patch was quick to come out, the stable branch of Steam didn’t receive the fix until the 22nd of March.

Credit where credit’s due, though; Context Information Security contacted Valve the moment they’d found this exploit, and within 8 hours a beta-branch patch had been published, making them one of the fastest-to-react companies that Context have ever had to deal with. Valve may have nobody willing to answer emails, but apparently they’ve got some very fast-working coders on staff. The full patch-notes for the client update on March 21st can be found here.

Thanks to Motherboard for spotting this story.

22 Comments

  1. leeder krenon says:

    “Valve may have nobody willing to answer emails, but apparently they’ve got some very fast-working coders on staff”

    Probably grateful to actually be able to write some code for a change.

  2. Shadrach says:

    It does beg the question how many more clients have security holes – Origin, Uplay, Rockstar, GOG and all the other crapware we are forced to install to play games these days.

    • spacein_vader says:

      Honestly? Probably all of them, along with any other non-trivial code on an internet facing computer. What matters is if anyone has found & exploited them yet and that devs patch them quickly when notified.

      The only way to be safe from remote exploits is to not connect it to the internet in the first place.

    • Quickly says:

      No one is forced to install GOG’s Galaxy client to play games bought on GOG.com though, it has always been optional. Standalone installers are available for every game. Even with Galaxy installed it’s never needed to launch games installed through it.

      Your other point about vulnerable code still stands however.

      • mac4 says:

        Oddly however, despite their DRM-free stance some of my GOG games on start-up in fact do launch the GOG client. No one else ever noticed this?

        If they’d still run if the client weren’t installed at all I’ve never tried. It’s certainly struck me as peculiar.

        • Quickly says:

          Haven’t ever heard of this before but I’d certainly be interested to know which games this occurs with.

          • mac4 says:

            I’ll tell myself to take note next time. Could be a while, currently fully (if somewhat unexpectedly) engaged with Destiny 2 :)

            I know they’re not many, but they are a few.

        • Xocrates says:

          How are you launching them? The shortcuts created when downloading the game via Galaxy are generally set up so as to launch the client when opening the game, but launching the game directly from the game folder (or a shortcut targeting it) tends to skip it.

          • mac4 says:

            Through the shortcuts created yes, so that could explain it, thanks. Still strange then that it would happen to just a very few. Anyway, it’s no great skin off my back, it had just struck me as odd.

          • Xocrates says:

            Well, checking my own games, I think this mostly happens with recent games. Older games tend to skip the client regardless (even if launched through the client).

          • Joibel says:

            I would have thought games with GOG Galaxy integration (cloud saves for example) would do this to make that bit work.

    • Beefenstein says:

      “It does beg the question…”

      No it doesn’t, it raises the question.
      Begging the question means to assume your conclusion in the premise, leading to a form of circular reasoning.

      link to en.wikipedia.org

      • Don Reba says:

        It has several meanings, like “literally” and “a couple”. It would be nicer if it didn’t, but yelling at people probably won’t fix the language.

      • MrEvilGuy says:

        Lol in the link you provide it clearly states to “beg the question” can mean “raise the question” in vernacular use.

    • Hedgeclipper says:

      The clients and I’d bet a lot of the games with multiplayer as well, especially the ones with the sort of anti-cheating and/or anti-piracy software that checks through your sock drawer for anything suspicious.

      • mac4 says:

        Hmmm. To designate something crapware, in my book it would need to be shown to be such.

        If not, I guess you’re just looking at software, take it or leave it.

        • Hedgeclipper says:

          I wasn’t calling it crapware, just echoing vader – if it connects to the internet it’s a potential vector.

          • mac4 says:

            Ah, right, yes, agreed.

            Thought you were chiming in with Shadrach the OP ;)

  3. ey says:

    Since the vulnerability is in the protocol talking between the Steam client and Valve’s servers, this would have only been exploitable if you were on an untrustworthy network like public wifi.

  4. emertonom says:

    When I got my Steam Link (it was just $15 in a sale a while ago), I was dismayed to learn that it’s incapable of connecting to your computer if your screen is locked. This is not a great thing in a device that’s supposed to let you play computer games from a remote room. The options were to run downstairs to log in every time I wanted to use it, or run remote desktop to log in from my phone, or disable the password lock, or disable sleep. I went with disabling sleep, but I’m not thrilled about it, as it, too, seems likely to be a massive security hole. Hopefully NAT helps a little.

    Security tends to require sacrificing a lot of convenience these days.

  5. Addie says:

    Probably a bit late now, but the nature of the bug is a buffer overflow, same as 99% of network exploits out there. This one is a bit unusual, in that it’s not a string overflow (“the classic”) but in the way it implements the custom “steam network protocol”.

    Essentially, computers on the internet communicate by sending (very) short packets of data from a source computer to a destination computer. Two protocols are built on top of this:

    – Transmission Control Protocol (TCP), which is sophisticated: it starts with a packet ‘handshake’ between the computers, and then reconstructs whole files from the individual packets as they’re sent, requesting any that have gone missing again, and has features for throttling slow connections, amongst other things. This is the protocol used for requesting webpages, and transferring files between computers, where getting the whole of the communication is important. It’s a little slow, due to the overhead, and only transfers whole files.

    – User Datagram Protocol, where the packets are just sent to the destination computer and forgotten about. Any that go missing are lost forever. This is very simple, but is appropriate for simple communications, and also real-time ones, such as streaming video (if packets get lost, they’d be out of date if rerequested, and so the video just stutters instead). It’s also typical for games: QuakeWorld has quite a sophisticated early implementation where each client transmits to each other a small delta of the state since the last packet; if they’re not received, increasingly larger packets are requested to synchronise state. This allows the game to run well over an unreliable network connection. Interestingly, many firewalls will let UDP out, when they’ll block unauthorised TCP.

    The Steam protocol is built on UDP. The packets contain a sequence number and length. Every packet except the first one is checked for being ‘in bounds’, but the first one is not, and can be placed ‘off the end of the buffer’ by an attacker. Presumably the client can be receiving many different signals at once, and so these buffers will be allocated as needed. Exploiting this would require a very lucky guess about where the buffer has been put, so that you can start calling functions from your arbitrary code. Crashing Steam 99.9% of the time so that you can run your exploits 0.1% of the time would be a little obvious too, as it’s a user-facing application.
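The pattern Addie describes in the comment above, a bounds check that is applied to every fragment except the first, is a general class of reassembly bug, and the defence is the same whatever the protocol: validate every fragment with one uniform check before it touches the buffer. The following is an added illustration and is not code from the article, from Context’s write-up or from Steam itself; the fragment header (`seq`, `total_len`, `len`), the fixed slot size `MAX_PAYLOAD` and the sample messages are all constructed for this example. It shows the flawed check beside a hardened one and a reassembler that only ever copies through the hardened check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fragmented-datagram format, constructed for illustration
 * (not Steam's actual wire format). Each UDP packet carries a fragment
 * sequence number, the declared total message length (read from fragment 0
 * to size the reassembly buffer) and the length of this fragment's payload. */
#define MAX_PAYLOAD 32u

typedef struct {
    uint32_t seq;        /* fragment index; 0 is the first fragment */
    uint32_t total_len;  /* declared size of the whole message */
    uint32_t len;        /* payload bytes carried by this fragment */
    const uint8_t *data; /* payload */
} fragment_t;

/* Legacy check modelled on the flaw the comment describes: every fragment
 * except the first is tested against the buffer, the first is trusted. */
bool legacy_fragment_ok(const fragment_t *f, size_t buf_len)
{
    if (f->seq == 0)
        return true;                                  /* BUG: unchecked */
    return (size_t)f->seq * MAX_PAYLOAD + f->len <= buf_len;
}

/* Hardened check: applied uniformly, rejects payloads larger than one slot,
 * and compares with a subtraction so offset + len cannot wrap around. */
bool fragment_ok(const fragment_t *f, size_t buf_len)
{
    if (f->len > MAX_PAYLOAD)
        return false;
    uint64_t off = (uint64_t)f->seq * MAX_PAYLOAD;
    if (off > buf_len)
        return false;
    return f->len <= buf_len - off;
}

/* Copy every fragment into out[]; returns payload bytes copied, or -1 if any
 * fragment is rejected. The buffer length comes from fragment 0's declared
 * total_len and is capped by the caller's out_cap. */
long reassemble(const fragment_t *frags, size_t n, uint8_t *out, size_t out_cap)
{
    if (n == 0 || frags[0].seq != 0 || frags[0].total_len > out_cap)
        return -1;
    size_t buf_len = frags[0].total_len;
    long copied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!fragment_ok(&frags[i], buf_len))
            return -1;
        memcpy(out + (size_t)frags[i].seq * MAX_PAYLOAD, frags[i].data, frags[i].len);
        copied += frags[i].len;
    }
    return copied;
}

/* Constructed sample payloads. */
static const uint8_t part_a[MAX_PAYLOAD] = "hello, ";
static const uint8_t part_b[8] = "world";
static const uint8_t oversized[64] = { 0 };

/* A well-formed two-fragment message, 40 bytes in total. */
const fragment_t good_message[2] = {
    { .seq = 0, .total_len = 40, .len = 32, .data = part_a },
    { .seq = 1, .total_len = 40, .len = 8,  .data = part_b },
};

/* A first fragment declaring a 16-byte message but carrying 64 bytes:
 * the legacy check lets it through, the hardened check rejects it. */
const fragment_t oversized_first[1] = {
    { .seq = 0, .total_len = 16, .len = 64, .data = oversized },
};

int main(void)
{
    uint8_t out[64];
    printf("legacy accepts oversized first fragment: %d\n",
           legacy_fragment_ok(&oversized_first[0], 16));
    printf("hardened accepts it: %d\n", fragment_ok(&oversized_first[0], 16));
    printf("reassemble(oversized) = %ld\n",
           reassemble(oversized_first, 1, out, sizeof out));
    printf("reassemble(good) = %ld\n",
           reassemble(good_message, 2, out, sizeof out));
    return 0;
}
```

Two points worth noting from a reviewer's seat: the special case for `seq == 0` is exactly the kind of exemption that survives a code review because the check is visibly present for the "normal" path, and the hardened version also replaces `offset + len <= buf_len` with `len <= buf_len - offset` after checking `offset <= buf_len`, because the naive sum can wrap on 32-bit arithmetic and pass the test with an address far past the buffer.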
