Feeling Vulnerable? Steam's Protocol Could Allow Attacks
"Is Steam killing your children?", I was tempted to title this article. We're not sensational enough here. But it does seem that Steam offers some serious vulnerabilities to your PC, if a paper published by security research company ReVuln is accurate. As reported by PCWorld, it seems the steam:// protocol might be a way in for nefarious types.
Protocols are of course a type of bacteria used by websites to load information. The Hypertext Transfer Protocol (http) with which we're most familiar was discovered growing on a leaf in Tim Berners-Lee's back garden. Since then a number of other species have been found, including that used by Valve, coincidentally named steam://. This means that whenever you click on a URL that begins "steam://" your computer knows it's for Steam to handle and execute.
And because those commands can contain lots of extra information - as anyone who's ever augmented a Steam path to load a game in dev or safe mode, for instance, will know - it means naughty people can also put instructions into such URLs that you might not want. What ReVuln is claiming is that such instructions can be used to exploit vulnerabilities within Steam, or even in Steam games, and do damage. They show how this is possible in a handy video:
ReVuln - Steam Browser Protocol Insecurity from ReVuln on Vimeo.
The issue seems to stem from browsers and applications that hand over to Steam without checking with you first. And of course when you've told your browsers and applications to do exactly that. So you can see above how exploiting this stuff allows them to install executables on your machine, or... well, I'll quote the paper as it's far beyond me:
"The retailinstall command is an undocumented feature (not a bug) of the Steam Browser Protocol that allows installing and restoring backups from a local directory. One of its parameters is path that is used to specify this local directory but obviously this directory can be a Windows network folder available on a remote host. When Steam executes the retailinstall command, Steam checks and loads two files: splash.tga (an image) and sku.sis (an install file). The splash image gets displayed immediately (Figure 3) to the user as soon as the command gets executed.
The Steam function in charge of processing the splash images is vulnerable to an integer overflow vulnerability while processing malformed TGA files. The problem is located in LoadTGA function of vgui2_s.dll that loads TGA files in memory (Figure 4). The result is a heap-based buffer-overflow that may allow executing malicious code on the Steam process."
That's just one example of the issues they found.
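For readers who want to see what "integer overflow while processing malformed TGA files" actually means, here is an added illustration of that bug class. It is not Valve's LoadTGA code (which isn't reproduced anywhere in the paper quoted above) and the 64 MiB cap, the header-building helper and the image geometry are all constructed for the example. A TGA header stores width and height as 16-bit values, so multiplying width, height and bytes-per-pixel in 32-bit arithmetic can wrap around; the unchecked function below shows the wrap, and the checked one shows the fix a decoder should apply before allocating.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TGA size-check illustration, not Valve's LoadTGA. In the 18-byte
 * TGA header, width and height are 16-bit little-endian values at offsets 12 and
 * 14, and bits-per-pixel is the byte at offset 16. */
#define TGA_HEADER_LEN 18
#define TGA_MAX_PIXEL_BYTES (64u * 1024u * 1024u)  /* assumed cap for a splash image */

struct tga_header {
    uint16_t width;
    uint16_t height;
    uint8_t  bpp;
};

/* Parse only the fields the size check needs; 0 if the buffer is too short. */
int tga_parse_header(const uint8_t *buf, size_t len, struct tga_header *out)
{
    if (buf == NULL || out == NULL || len < TGA_HEADER_LEN)
        return 0;
    out->width  = (uint16_t)(buf[12] | (buf[13] << 8));
    out->height = (uint16_t)(buf[14] | (buf[15] << 8));
    out->bpp    = buf[16];
    return 1;
}

/* The unsafe pattern: width * height * bytes-per-pixel computed in 32 bits.
 * For 32768 x 32768 x 32 bpp the product is exactly 2^32, which wraps to 0: the
 * decoder would allocate a tiny buffer and then copy the whole image into it,
 * the heap-overflow class the paper describes. Unsigned wrap is defined in C. */
uint32_t tga_pixel_bytes_unchecked(const struct tga_header *h)
{
    uint32_t bytes_pp = (uint32_t)h->bpp / 8u;
    return (uint32_t)h->width * (uint32_t)h->height * bytes_pp;
}

/* The hardened form: validate bpp, multiply in 64 bits (two 16-bit factors and a
 * value <= 4 cannot overflow 64 bits), and enforce an absolute cap.
 * Returns 1 and sets *out on success, 0 if the header is malformed or too large. */
int tga_pixel_bytes_checked(const struct tga_header *h, size_t *out)
{
    if (h->bpp != 8 && h->bpp != 16 && h->bpp != 24 && h->bpp != 32)
        return 0;
    if (h->width == 0 || h->height == 0)
        return 0;
    uint64_t n = (uint64_t)h->width * (uint64_t)h->height * (uint64_t)(h->bpp / 8);
    if (n > TGA_MAX_PIXEL_BYTES)
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Build a constructed header (image type 2 = uncompressed true-colour). */
void tga_make_header(uint8_t out[TGA_HEADER_LEN], uint16_t w, uint16_t hgt, uint8_t bpp)
{
    memset(out, 0, TGA_HEADER_LEN);
    out[2]  = 2;
    out[12] = (uint8_t)(w & 0xff);   out[13] = (uint8_t)(w >> 8);
    out[14] = (uint8_t)(hgt & 0xff); out[15] = (uint8_t)(hgt >> 8);
    out[16] = bpp;
}

/* Convenience wrappers: what the two computations yield for a given geometry.
 * The checked variant returns 0 when the header is rejected. */
uint32_t tga_unchecked_for(uint16_t w, uint16_t hgt, uint8_t bpp)
{
    uint8_t buf[TGA_HEADER_LEN]; struct tga_header h;
    tga_make_header(buf, w, hgt, bpp);
    tga_parse_header(buf, sizeof buf, &h);
    return tga_pixel_bytes_unchecked(&h);
}
size_t tga_checked_for(uint16_t w, uint16_t hgt, uint8_t bpp)
{
    uint8_t buf[TGA_HEADER_LEN]; struct tga_header h; size_t n = 0;
    tga_make_header(buf, w, hgt, bpp);
    tga_parse_header(buf, sizeof buf, &h);
    return tga_pixel_bytes_checked(&h, &n) ? n : 0;
}

int main(void)
{
    printf("32768x32768x32: unchecked=%u bytes, checked=%zu (0 = rejected)\n",
           tga_unchecked_for(32768, 32768, 32), tga_checked_for(32768, 32768, 32));
    printf("640x480x24:     unchecked=%u bytes, checked=%zu\n",
           tga_unchecked_for(640, 480, 24), tga_checked_for(640, 480, 24));
    return 0;
}
```

The point of the cap is that a 64-bit multiply alone is not enough: a header declaring 65535 x 65535 x 32 bpp is arithmetically valid but would still ask the client to allocate about 17 GB for a splash screen.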
They're not all about knocking things down, however. They also offer solutions. And the first and foremost is ensuring that you don't allow steam:// URL handlers on your machine to directly execute Steam stuff, while Steam itself could avoid passing "command-line arguments to third party software and undocumented commands accessible from external and untrusted sources like the internet."
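To make the "don't let steam:// URLs run undocumented commands" advice concrete, here is an added example of the kind of filter a browser plug-in or wrapper around the protocol handler could apply before anything reaches Steam. It is illustration code, not ReVuln's or Valve's, and the allow-list of commands is an assumption: a real deployment would list only the commands it actually needs. The filter drops anything whose command isn't on the list (so retailinstall is refused outright), anything carrying the "//" delimiter the article alludes to when it mentions dev and safe mode arguments, and anything with a query string, backslash or other character that could name a remote share.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Commands this hypothetical filter will forward (assumed set for the example).
 * "retailinstall", the undocumented command from the paper, is deliberately absent. */
static const char *const ALLOWED_COMMANDS[] = { "run", "store", "open", "install" };
#define STEAM_SCHEME "steam://"
#define MAX_URL_LEN 256

static int reject(const char **reason, const char *why)
{
    if (reason) *reason = why;
    return 0;
}

/* Returns 1 if url may be passed to Steam, 0 if it must be dropped.
 * If reason is non-NULL it receives a short explanation of the decision. */
int steam_url_allowed(const char *url, const char **reason)
{
    size_t scheme_len = strlen(STEAM_SCHEME);
    if (url == NULL || strlen(url) > MAX_URL_LEN)
        return reject(reason, "missing or oversized URL");
    if (strncmp(url, STEAM_SCHEME, scheme_len) != 0)
        return reject(reason, "not a steam:// URL");

    /* The command is the text between the scheme and the next '/' or '?'. */
    const char *cmd = url + scheme_len;
    size_t cmd_len = strcspn(cmd, "/?");
    int known = 0;
    for (size_t i = 0; i < sizeof ALLOWED_COMMANDS / sizeof ALLOWED_COMMANDS[0]; i++) {
        if (strlen(ALLOWED_COMMANDS[i]) == cmd_len &&
            strncmp(cmd, ALLOWED_COMMANDS[i], cmd_len) == 0) {
            known = 1;
            break;
        }
    }
    if (!known)
        return reject(reason, "command not on allow-list");

    /* Whatever follows must be plain path-like text: no "//" (extra command-line
     * arguments), no '?' query string, no backslashes (UNC shares), nothing outside
     * [A-Za-z0-9/_-]. Dots are excluded too, which rules out ".." as a side effect. */
    const char *rest = cmd + cmd_len;
    if (strstr(rest, "//") != NULL)
        return reject(reason, "argument delimiter in URL");
    for (const char *p = rest; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-'))
            return reject(reason, "disallowed character in arguments");
    }
    if (reason) *reason = "ok";
    return 1;
}

int main(void)
{
    /* Constructed sample URLs, benign and otherwise. */
    const char *samples[] = {
        "steam://run/440",
        "steam://retailinstall/somedir",
        "steam://run/440//-dev/",
        "steam://install/440?path=\\\\fileserver\\share",
        "http://example.com/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why;
        int ok = steam_url_allowed(samples[i], &why);
        printf("%-48s -> %s (%s)\n", samples[i], ok ? "FORWARD" : "DROP", why);
    }
    return 0;
}
```

The decision is made entirely on the URL text, before any handler is invoked, which is the point: the paper's complaint is that browsers hand these URLs to Steam without asking, so the cheapest place to intervene is between the browser and the handler.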
So, er, I guess it's over to Valve now. We've asked them for a comment. They don't often reply.