Steam Protocol Opens PCs to Remote Code Execution 128
Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer. "
Before anyone panics... (Score:4, Informative)
A (user side) solution from TFA:
The issue can be limited by disabling the steam:// URL handler
Sounds alright to me. I can't recall ever clicking a steam:// link anyways.
Re:Before anyone panics... (Score:5, Informative)
If you want to place shortcuts to your desktop you will need it though.
Re:How is this an exploit? (Score:5, Informative)
I do not get how exactly this is an exploit. You need to create a batch file on the intended system start-up folder first. If you can do that. Why not just have the batch file execute a command to download a malicious file and execute it?
Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).
Re:Why is this even on Slashdot (Score:4, Informative)
The sentence is poorly phrased: what they mean is that they create the .bat file using some command line parameters (one of which dumps console output to the file of your choice, which could be "c:/autoexec.bat"). That then gets executed automatically on login, and boom, exploited.
The solution is pretty easy: make browsers that open external programs for a link show what they are doing and exactly what the command is, and/or have steam show the same when it loads the protocol command. Steam could also refuse to pass command line parameters, but that limits the usefulness of the protocol in the first place (might be necessary, unfortunately).
Re:Before anyone panics... (Score:3, Informative)