DRM Security

Steam Protocol Opens PCs to Remote Code Execution 128

Posted by Unknown Lamer
from the basically-working-as-designed dept.
Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer. "
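To make the argument-injection path in the summary concrete, here is an added Python model of a steam:// URL handler. It is constructed for this page and is not Steam's code or ReVuln's proof of concept. It assumes the steam://run/<appid>//<args>/ URL form, the Source engine convention that a "+<command> <value>" pair on the command line runs a console command at start-up (which is how con_logfile gets pointed at an attacker-chosen file), and an app-id table, allowed-option list and payload path that are all made up for the example. The naive handler forwards the URL's arguments to the game verbatim; the hardened one applies a deny-by-default allowlist so a console command never reaches the game.

```python
"""Model of a steam:// URL handler (constructed example, not Steam's code).

Shows how <args> in steam://run/<appid>//<args>/ reach the game's command
line unchanged, and what a deny-by-default allowlist does to the same URL.
"""
import re
from urllib.parse import unquote

# Constructed app-id -> executable table standing in for Steam's lookup.
EXE_FOR_APPID = {
    "220": r"C:\Steam\steamapps\common\Half-Life 2\hl2.exe",
    "440": r"C:\Steam\steamapps\common\Team Fortress 2\hl2.exe",
}

# Allowlist of launch options a web page may pass through, mapped to the
# number of values each takes. Assumed list for the example, not Steam's.
ALLOWED_OPTIONS = {"-novid": 0, "-windowed": 0, "-fullscreen": 0, "-w": 1, "-h": 1}
VALUE_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # no paths, quotes or spaces

RUN_URL_RE = re.compile(
    r"^steam://run/(?P<appid>\d{1,10})(?://(?P<args>.*?))?/?$", re.I | re.S)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # "quoted string" or bare word


def parse_run_url(url):
    """Return (appid, percent-decoded args string) or raise ValueError."""
    m = RUN_URL_RE.match(url)
    if not m:
        raise ValueError("not a steam://run/<appid>//<args>/ URL")
    return m.group("appid"), unquote(m.group("args") or "")


def tokenize(args):
    """Split a launch-option string into argv tokens, honouring "..." quoting.
    A simplification of Windows command-line parsing, enough for the demo."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(args)]


def naive_command_line(url):
    """What an unchecked handler does: forward <args> to the game verbatim."""
    appid, args = parse_run_url(url)
    if appid not in EXE_FOR_APPID:
        raise ValueError(f"unknown app id {appid}")
    return [EXE_FOR_APPID[appid]] + tokenize(args)


def hardened_command_line(url):
    """Only allowlisted options with plain alphanumeric values get through;
    anything else, including a +con_logfile console command, is refused."""
    appid, args = parse_run_url(url)
    if appid not in EXE_FOR_APPID:
        raise ValueError(f"unknown app id {appid}")
    tokens = tokenize(args)
    argv = [EXE_FOR_APPID[appid]]
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in ALLOWED_OPTIONS:
            raise ValueError(f"launch option not allowed from a URL: {opt!r}")
        n = ALLOWED_OPTIONS[opt]
        values = tokens[i + 1:i + 1 + n]
        if len(values) != n or not all(VALUE_RE.match(v) for v in values):
            raise ValueError(f"bad value for {opt}: {values!r}")
        argv += [opt] + values
        i += 1 + n
    return argv


def is_safe_run_url(url):
    """True if the hardened handler would launch the game for this URL."""
    try:
        hardened_command_line(url)
        return True
    except ValueError:
        return False


# Constructed payload mirroring the technique in the summary: point the
# console log at a file in the victim's Startup folder, then echo a line
# into it so it runs as a batch file at the next logon. The path is made up.
STARTUP_BAT = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\payload.bat")
MALICIOUS_URL = f'steam://run/440//+con_logfile "{STARTUP_BAT}" +echo calc.exe/'

if __name__ == "__main__":
    print("naive    :", naive_command_line(MALICIOUS_URL))
    print("hardened :", is_safe_run_url(MALICIOUS_URL))
    print("hardened :", hardened_command_line("steam://run/440//-novid -w 1280 -h 720/"))
```

Percent-encoding is decoded before the check, so `%2Bcon_logfile` does not bypass the allowlist, and values are restricted to alphanumerics so no option can carry a path. A real handler would still need to quote the final argv correctly for CreateProcess, and the same deny-by-default treatment belongs on every path-typed parameter the protocol accepts, not only on launch options.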
  • by MachDelta (704883) on Wednesday October 17, 2012 @12:05PM (#41682343)

    A (user side) solution from TFA:

    The issue can be limited by disabling the steam:// URL handler

    Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

    • by casings (257363)

      Well for an ideal exploit, you wouldn't know.

      • by Anonymous Coward
        steam://nakedmileycyruspics.ua would be OK, right?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

      I'm sure a couple lines of basic javascript would be able to do that on your behalf though.

      • .... or embedding it in an <img href="steam://nakedmileycyruspics.ua"> tag in an ad that targets people who search for the particular game being exploited. Perhaps some nice targeted advertising for "unreal walkthrough" (and all the other games that use the unreal engine)
      • by hairyfeet (841228)

        Well I'd argue this is why you shouldn't allow JavaScript in your application, there are too many ways to hijack JavaScript and one page filled with JavaScript malware and its all she wrote, there have even been multiplatform JavaScript malware pages looking for common attack vectors like Java and Flash.

        Frankly what we need is somebody, maybe Google since they seem to be doing a lot of research lately, to come up with a replacement for JavaScript. It was never designed for security and they just keep boltin

    • by sourcerror (1718066) on Wednesday October 17, 2012 @12:10PM (#41682445)

      If you want to place shortcuts to your desktop you will need it though.

      • by humanrev (2606607)

        There's no reason to believe that you need something like a steam:// handler to launch via shortcut. Surely Steam can be coded such that shortcuts instead point to the Steam executable with a parameter to the relevant game ID (e.g. C:\Steam\Steam.exe -launch 9520). This would bypass the issue of abuse at least partially.

        The purpose for the handler is only because Steam is part browser, and so launching stuff within Steam is made easier via the handler. But for shortcuts? Shouldn't be necessary.

    • Re: (Score:3, Informative)

      by The MAZZTer (911996)
      If you have used Steam you have clicked on a steam:// link at some point. The built-in web browser uses links all over the place. The install button for installing your now-purchased games uses it. Every link that opens in a new browser window uses it.
      • by cbhacking (979169)

        For extra fun, which somehow didn't make it into the (atrociously bad) summary, those Install links can be used for exploits themselves. It turns out that there's a memory corruption bug in Steam (integer overflow on a malloc call), specifically in the .TGA image decoder. Steam URIs can be used to install a game from a "local cache" which can be at an arbitrary UNC path, including over the Internet (\\spoitserver.com\steam\steamexploit.tga) if the target server has Windows networking open to Internet traffi

    • Also: Steam will reregister the steam:// protocol every time you start it up, since it would be very broken without it.
  • by black6host (469985) on Wednesday October 17, 2012 @12:12PM (#41682465)

    From the summary:
    " Potential attackers would, of course, first have to establish which games are installed on the target computer. "

    Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.....

    • by cod3r_ (2031620)
      or just assume skyrim ... profit
      • No Skyrim here, but I wonder if HL.exe is even more common. I can't remember the last time I played Half life, Half Life 2, or DOD, but it loads every time for TF2.
        • by gman003 (1693318)

          It has to be the specific game - it goes by the Steam game ID, not by the executable name (which is hl2.exe for *most* Source games).

      • It looks like this is an attack against the games themselves, via command line parameter injection, so Skyrim would have to support command line options that would let the attacker do something useful to the system. It sounds like the Source engine is somehow vulnerable by supporting command line options to write to log files, and somehow the Unreal engine lets you execute arbitrary code from the command line. The new XCOM just came out though (and is awesome), I believe that uses the Unreal engine.

    • From the summary:
      " Potential attackers would, of course, first have to establish which games are installed on the target computer. "

      Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.....

      Worse, unless there is absolutely no way to have the process fail silently, there isn't really much penalty attached to iterating your merry way through quite a long list of possibilities...

      Even if a message of some kind does pop up, what's Joe User going to do under the flood of error windows all suddenly stealing focus?

    • by Happler (895924)

      Or just look up user names on Steam community to see who has not marked themselves as "private". It shows all games that they own in their profile and what they have played recently.

    • by cbhacking (979169)

      The summary is wrong/stupid. Not only is it poorly worded, it also adds BS like the line you quoted.

      The researchers found an exploit in Steam itself. Specifically, in the image decoder used to show the game logo during game installation. Since steam:// URIs can be used to tell Steam to install a game from a "local" download, but allows specifying arbitrary UNC paths (which can specify Internet addresses), you can set up a server that hosts a corrupted image file and post steam:// links that use your server

  • PANIC!!!! PANIC!!! PANIC!!!

  • by ZiakII (829432)
    I do not get how exactly this is an exploit. You need to create a batch file in the intended system's start-up folder first. If you can do that, why not just have the batch file execute a command to download a malicious file and execute it?

    Not sure what the real issue is...
    • by Baloroth (2370816) on Wednesday October 17, 2012 @12:36PM (#41682817)

      I do not get how exactly this is an exploit. You need to create a batch file in the intended system's start-up folder first. If you can do that, why not just have the batch file execute a command to download a malicious file and execute it?

      Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).

  • URL handlers (Score:4, Insightful)

    by 0123456 (636235) on Wednesday October 17, 2012 @01:02PM (#41683117)

    Oh look, yet another vulnerability caused by allowing web pages to start random applications on your system.

    Who ever thought that was a good idea?

  • Try all the popular games, you're likely to get 1 hit - and that's all you need.

    • by Barny (103770)

      Yeah, and when I get thousands of popups to execute steam links, I will just close the tab and send a report to google that it is an attack site...

  • by Barny (103770) <bakadamage-slashdot@yahoo.com> on Wednesday October 17, 2012 @01:54PM (#41683767) Homepage Journal

    Uh, call me crazy, but I just checked the manager in firefox and steam links are set to 'ask first'. I tested, got a popup asking me if I want to run the link with application 'Steam'... unless it was something I wanted, I would generally click 'no'.

    Not a very good exploit, imho.

  • by Kaz Kylheku (1484) on Wednesday October 17, 2012 @03:03PM (#41684673) Homepage

    Simple as that.

  • Valve just pushed out an update for Half-Life 2: Deathmatch, Day of Defeat: Source, and Team Fortress 2 that is supposed to fix the con_logfile bug in those games.

    Unfortunately, their other multiplayer games remain unpatched, most notably Counter-Strike: Source and Counter-Strike: Global Offensive.
