Steam Protocol Opens PCs to Remote Code Execution
Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer. "
Before anyone panics... (Score:4, Informative)
A (user side) solution from TFA:
The issue can be limited by disabling the steam:// URL handler
Sounds alright to me. I can't recall ever clicking a steam:// link anyways.
Re: (Score:1)
Well for an ideal exploit, you wouldn't know.
Re: (Score:2, Insightful)
Sounds alright to me. I can't recall ever clicking a steam:// link anyways.
I'm sure a couple lines of basic javascript would be able to do that on your behalf though.
Re:Before anyone panics... (Score:5, Informative)
If you want to place shortcuts to your desktop you will need it though.
Re: (Score:2)
It's easier to click on the desktop link than it is to launch steam, go to library, find your game, right click and do launch.
Re: (Score:2)
Steam's always running, tons of windows are opened in a very specific order spanning quite a lot of desktop space. I'm never seeing my desktop files. Opening the start menu (windows button) then typing the first few letters of what I want to launch is how I start anything not in steam.
Besides, you can simply double click on your game name in steam
Re: (Score:2)
Or just right-click the steam icon in the tray. It keeps several of your recent launches at the top ready to quick-launch.
Re: (Score:2)
"Steam's always running...."
Huh? How does it hide from top?
When I start it via Desktop shortcut, it shows up in taskbar and system monitor process tab. When I right-click and exit it from taskbar, it's gone. Do you mean to say it's hidden or masked as another process?
"/home/myusername/.cxoffice/Steam/desktopdata/cxmenu/Desktop.C^5E3A^5Fusers^5FPublic^5FDesktop/Steam.lnk" is the command for the shortcut. Is there something in there that I should be leery of? [sorry 'bout the control codes, didn't edit
Re: (Score:2)
launch steam, go to library, find your game, right click and do launch.
I was merely pointing out that for at least some people, starting steam is unnecessary as we/they keep it running and even keep it starting on launch. Finding your game is easy when you mark them, or know where they are just because you remember where they are ;) Right click to launch too was unnecessary. Usually, games are 3 quick mouse clicks away.
Re: (Score:2)
Oh, OK. After I start Steam, I usually left-click on taskbar icon and select game from my default Library tab. While I sometimes leave it running for days, I notice there's a tendency for the connection to drop, so I have to re-start it anyway. Costs me a couple of extra clicks, but the arthritis is not bad yet. [grin]
Re: (Score:2)
Anyway, that's not needed for a shortcut. Just a simple shell script will suffice. You can also attach an icon to it and stick it in your taskbar. No need for a URL to launch a local application.
N.B.: This comment may not apply to gnome3. I've heard some pretty strange stories about the built-in limitations that *it* has. (No task bar? You're kidding, right?)
Re: (Score:1)
click on steam icon in tray, game list scrolls up, click the name of the game you want. It's only two clicks.
Re: (Score:2)
I don't leave steam running you insensitive clod.
Re: (Score:2)
When installers ask me if I want a short-cut to their wiz-bang application I cringe.
I cringe more when they don't ask and just do it anyway. Serious pet-peeve.
Re: (Score:2)
When installers ask me if I want a short-cut to their wiz-bang application I cringe.
I cringe more when they don't ask and just do it anyway. Serious pet-peeve.
It seems that everything on Android does this. The first thing I do after installing something is to remove the shortcut from the main pages. I have a whole screen with nothing but my apps - why would I want that on my main screen too?
Re: (Score:2)
That is a setting in the play store for android. Easy to turn off.
Re: (Score:1)
There is a setting to prevent that under the App Store
Re: (Score:2)
In contrast, I have never seen an icon that I did not create or that did not come that way out of the box.
You probably have that option in the play store turned on that the other folks are mentioning.
Re: (Score:2)
I've had problems with that on Windows 7. When I fresh open steam after a restart sometimes it won't show any games recently played. Then after playing a game that game will show up. Then later, after something happens, I'll get my 6 most recent games to pop up. The unreliability of the method means I no longer use it. I also don't care enough to figure out why it does it.
Re: (Score:2)
There's no reason to believe that you need something like a steam:// handler to launch via shortcut. Surely Steam can be coded such that shortcuts instead point to the Steam executable with a parameter to the relevant game ID (e.g. C:\Steam\Steam.exe -launch 9520). This would bypass the issue of abuse at least partially.
The purpose for the handler is only because Steam is part browser, and so launching stuff within Steam is made easier via the handler. But for shortcuts? Shouldn't be necessary.
Re: (Score:1)
No, I haven't. I run steam exclusively in Wine and I've never bothered to manually set up the steam:// association. I make all my purchases in a browser, and none of the fancy "click HERE to play your game!" links work.
Great.
So, did you download the game outside of Steam somehow, or did you click an Install Game button at some point? Because if you clicked said install button from, say, within Steam's Store "application" (which is itself a Webkit browser), then you clicked on a steam:// link.
Re: (Score:3)
More to the point, while the GP may not have bothered to set up the steam:// URI association in the host Linux system, within the Wine environment it will be working. Now, granted, most people who use Wine for gaming probably aren't also using it for something like running IE4Linux, but if you *were* to do that, you would (potentially) be vulnerable.
Admittedly, the risk is pretty damn minimal in that environment.
Re: (Score:3)
For extra fun, which somehow didn't make it into the (atrociously bad) summary, those Install links can be used for exploits themselves. It turns out that there's a memory corruption bug in Steam (integer overflow on a malloc call), specifically in the .TGA image decoder. Steam URIs can be used to install a game from a "local cache" which can be at an arbitrary UNC path, including over the Internet (\\spoitserver.com\steam\steamexploit.tga) if the target server has Windows networking open to Internet traffi
Which games are installed... (Score:3)
From the summary:
" Potential attackers would, of course, first have to establish which games are installed on the target computer. "
Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.
Re: (Score:2)
It has to be the specific game - it goes by the Steam game ID, not by the executable name (which is hl2.exe for *most* Source games).
Re: (Score:3)
It looks like this is an attack against the games itself, via command line parameter injection, so Skyrim would have to support command line options that would let the attacker do something useful to the system. It sounds like the Source engine is somehow vulnerable by supporting command line options to write to log files, and somehow the Unreal engine lets you execute arbitrary code from the command line. The new XCOM just came out though (and is awesome), I believe that uses the Unreal engine.
Re: (Score:2)
From the summary:
" Potential attackers would, of course, first have to establish which games are installed on the target computer. "
Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.
Worse, unless there is absolutely no way to have the process fail silently, there isn't really much penalty attached to iterating your merry way through quite a long list of possibilities...
Even if a message of some kind does pop up, what's Joe User going to do under the flood of error windows all suddenly stealing focus?
Re: (Score:1)
Or just look up user names on Steam community to see who has not marked themselves as "private". It shows all games that they own in their profile and what they have played recently.
Re: (Score:2)
The summary is wrong/stupid. Not only is it poorly worded, it also adds BS like the line you quoted.
The researchers found an exploit in Steam itself. Specifically, in the image decoder used to show the game logo during game installation. Since steam:// URIs can be used to tell Steam to install a game from a "local" download, but allows specifying arbitrary UNC paths (which can specify Internet addresses), you can set up a server that hosts a corrupted image file and post steam:// links that use your server
Too late.. (Score:2)
PANIC!!!! PANIC!!! PANIC!!!
Re: (Score:3, Insightful)
Nonsense. Unless you count potentially buggy(buggier?) games with frequently painful install procedures, possible Trojans and viruses and often other game experience limitations.
That hasn't been my experience actually. Most problems I ever had with games were caused by the DRM. Pirate versions eliminate that.
Pirated games are only free if your time is worthless.
In other words "I had a hard time with it so everybody else does too". That just isn't true.
Besides we are talking about games here. Free time is assumed. A few seconds deleting an .exe and copying over the cracked version ONE SINGLE TIME just isn't a big deal. The problems I have had with DRM took up a lot more time than that.
My experience with pirated games is so
Re: (Score:2)
Try it: Log in to Steam, unplug your network cable / disconnect from wireless, and restart Steam. Offline mode won't even load. So, that one time when you have some free time but can't watch iPlayer / YouTube / Hulu etc because the inter
Re: (Score:2)
Many Steam-downloaded single-player games can be launched directly, and do not require Steam to be up or connected to play. I checked a random sampling of mine and didn't actually encounter any that didn't have their own separate online-required DRM but required steam to play. Launching them manually is not exactly straightforward, but for many (I'd say most, but I haven't done a study or even really hit a large enough sample size of multiple genres and publishers) offline Steam-purchased-and-downloaded
Re: (Score:2)
This just in: Downloading and running exe's from a torrent you found online could allow remote code execution as well.
Re: (Score:1)
Are you stupid on purpose? Or a troll? Or some sort of shill? Or just don't know what you're talking about....
I've been pirating games since the days of the 1200 baud modem. And in all that time. In all those THOUSANDS of games.
I've never found one trojan, virus, or other infected thing in a pirated game. Never. Not once. I am either the most lucky user in the world, OR damn few pirated things are infected. Since I don't feel that lucky, I'm going with option #2.
However i HAVE purchased a ga
Re: (Score:2)
In actual fact, that's quite rare in piracy circles, so cut out the FUD. These groups crack programs with pride.
Re: (Score:2)
I did semi-volunteer tech support for my university dorm floor. Every single instance of malware somebody came to me for help cleaning - and there was one at least once per month, on a floor of 70 guys - came from pirated software (typically Photoshop, not games, but sometimes games too). Some were from the outside Internet, some were from the DC++ system that everybody on campus seemed to be using, but they were pervasive.
One of the biggest examples of in-the-wild OS X malware was a trojan in pirate copies
Re: (Score:2)
The groups may up a clean crack but that doesn't mean every copy of that crack is clean. Anyone can modify it and re-up it.
Re: (Score:1)
Yeah, no way someone would put malicious code in Keygen or cracked executable.
Re: (Score:1)
I was being sarcastic. As far as I can see the only way keygen authors can make money is via malware.
Re: (Score:2)
Considering that URL handlers are executed by just about any browser on Windows and it's Safari and other Webkit-based ones that silently execute URL handlers instead of asking the user for confirmation - what's with the fixation on Firefox?
Re: (Score:2)
"Installations of Steam vulnerable to a drive by download by users of mozilla based browsers with certain games installed within steam"
Yeah, sure, whatever you say.
Browsers such as Internet Explorer, Chrome and Firefox display an alert when steam:// URLs are called; only Safari passes them on without any warning.
Re: (Score:1)
Yeah, I read it too fast, my mistake.
Re: (Score:3)
You have to give your main user account full permissions to the browser user account, so that you can copy files that the browser downloads etc.
Make sure firefox is installed using either the main or admin account, NOT the browser account. This prevents the browser account from doing too many changes to the executables. However this means you'll need to update the browse
Re: (Score:2)
I recommend that people run Firefox as a different user from the user account they use to log in.
Is there a reason that only Firefox users should do this? Based on the PDF, the only difference (in this case) is that some of the other browsers display the URL as well...
Re: (Score:2)
Chrome and IE do sandboxing, I don't know whether that's enough for exploits like this. In contrast, if you run firefox as restricted User A and it somehow can run stuff as User B, the OS has a serious bug. There have been such bugs, but they are a lot rarer than bugs in browsers, pdf viewers, flash etc.
For banking stuff I run a different browser using yet another user account. So they can pwn my facebook
Re: (Score:2)
Chrome and IE do sandboxing, I don't know whether that's enough for exploits like this.
I don't think so, because it is not a browser exploit as such. They are just delivering the URI to Steam. I wonder if the restricted account has the protocol registered as well... Well, at least it wouldn't have Steam configured and logged in.
Re: (Score:2)
IE7+, when running in its sandbox ("Protected Mode"), will pop up a second warning message when clicking a link that invokes an external program. It doesn't really tell you anything that the first message didn't, except that the program will execute outside of the Protected Mode sandbox, but it's another chance to realize something is wrong and cancel it.
Re: (Score:1)
Or how about just run Firefox and Steam as a standard user? You shouldn't be running as an administrator anyway in this day and age and you are just asking for trouble otherwise.
I do this by default on all my Windows 7 installations where I create a Super User account and then last create a regular user account for that person and explain to use that one by default and never use the other admin account unless you are installing a scanner or a new software package.
This wont fully protect you as a buffer overf
Re: (Score:2)
Whereas with my way, it is much harder for the malware to do that. It could perhaps set itself to run whenever the browser runs - plugin/extension, but it has no access to your main user account. It only has access to what you allow the browser account to access.
And who but you is even talking about running stuff as administrator? If you install stuff as admin, but run stuff as some other
How is this an exploit? (Score:2, Insightful)
Not sure what the real issue is...
Re:How is this an exploit? (Score:5, Informative)
I do not get how exactly this is an exploit. You need to create a batch file on the intended system start-up folder first. If you can do that. Why not just have the batch file execute a command to download a malicious file and execute it?
Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).
Re: (Score:2)
Write it to a Perl script then. You've got at least a 75% chance that the garbled crap ends up being valid executable code somewhere.
(Perl. The only language where YGT$#WQAYGTyAEHQY compiles).
It's real (read the PDF) (Score:2)
It's actually quite simple in this case, though: you can specify, on the command line, a log file (with full path and extension). Then, you can specify "echo" commands which will be written to the log file. These lines will appear at the top of the log, before any of the game's usual log spew. So yes, you can guarantee that the lines for "download this arbitrary executable and run it" appear at the top of the batch script.
If you want to, you can even then put an exit instruction in the script, so the user d
Re: (Score:2)
Agree, I can't see how this exploit would work without a previously compromised system. They are also relying on users to click on bad links to get the process started. How is this at all new?
Re: (Score:2)
Windows NT based systems have come with file permissions for a long time. Remove write permissions from the user and global startup folders. Yes, all write permissions, even for the user "System" (I hate anything that uses the startup folder anyway and wouldn't allow anything in there)
Or what about programs like that "Tea Timer" (Spybot Search and Destroy) or others that block things from getting in startup? (I always thought Tea Timer to be a silly nuisance, never to be activated, but here's an instance wh
Re: (Score:1)
Which is why the old adage DO NOT RUN AS ROOT is applicable.
When I install a fresh copy of Windows 7 I create the user name God or Super User and then after everything is patched and software is installed I add a second account with just standard/limited permissions.
Windows 8 goes a step further and limits your account to regular user by default. You get a UAC every time if you want to change something. I should be fine with this since I only have read-only access to any settings as I only run as a standard
Re: (Score:2)
It's going to be hard for Valve to mitigate; most of the bugs found are in games that Valve doesn't develop, often even games that don't run Valve's game engine. Don't let the shit-heap of a summary fool you; there are a ton of attacks you can do if you can pass arbitrary parameters to games. The whole "script in the startup folder" thing is *one* way that you could do this attack using *one* game engine (which happens to have been developed by Valve). The researchers list a bunch of other exploits too, rang
Re:Why is this even on Slashdot (Score:4, Informative)
The sentence is poorly phrased: what they mean is that they create the .bat file using some command line parameters (one of which dumps console output to the file of your choice, which could be "c:/autoexec.bat"). That then gets executed automatically on login, and boom, exploited.
The solution is pretty easy: make browsers that open external programs for a link show what they are doing and exactly what the command is, and/or have steam show the same when it loads the protocol command. Steam could also refuse to pass command line parameters, but that limits the usefulness of the protocol in the first place (might be necessary, unfortunately).
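One way to implement the check this comment proposes, written as an added example for this thread (it is not Valve's code and not from the comment above); the steam://<action>/<app id>//<launch args> link layout and the reading of a leading '+' as a console command are assumptions made for the example:

```python
"""Policy check for steam:// links: before a browser or wrapper hands a link
to the real Steam handler, decode it, show exactly what would be run, and
refuse launch arguments that write files or inject console commands.
ASSUMPTION: the layout steam://<action>/<app id>//<launch args> is a
placeholder used only for this example."""
from urllib.parse import unquote
import shlex

# Constructed sample links (not from the thread).  The second one carries
# the kind of injected arguments the thread describes: a log file pointed
# at a startup-folder path plus an echo console command.
BENIGN = "steam://run/440"
SUSPECT = ("steam://run/440//-con_logfile%20%22..%5C..%5CStartup%5Cx.bat%22"
           "%20%2Becho%20hello")


def parse_steam_url(url: str) -> dict:
    """Split a steam:// link into action, app id and decoded launch args."""
    if not url.lower().startswith("steam://"):
        raise ValueError("not a steam:// link")
    body = unquote(url[len("steam://"):])        # undo %XX encoding first
    head, _, raw_args = body.partition("//")     # assumed args separator
    parts = head.strip("/").split("/")
    action = parts[0] if parts else ""
    app_id = parts[1] if len(parts) > 1 else ""
    # posix=False keeps Windows backslashes and quotes intact in each token
    tokens = shlex.split(raw_args, posix=False) if raw_args else []
    return {"action": action, "app_id": app_id, "args": tokens}


def check_steam_url(url: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons).  Any reason blocks the launch."""
    info = parse_steam_url(url)
    reasons = []
    if not info["app_id"].isdigit():
        reasons.append("app id is not numeric")
    for tok in info["args"]:
        low = tok.strip('"').lower()
        if low.startswith("-con_logfile"):
            reasons.append(f"{tok}: link chooses where the game writes its log")
        elif tok.startswith("+"):
            # a leading '+' is taken to mean a console command (assumption)
            reasons.append(f"{tok}: link injects a console command")
        elif any(m in low for m in ("\\", "/", ".bat", "startup")):
            reasons.append(f"{tok}: link references a filesystem path")
    return (not reasons, reasons)


def describe(url: str) -> str:
    """The text a browser's confirmation dialog should show for the link."""
    info = parse_steam_url(url)
    return (f"Steam would '{info['action']}' app {info['app_id']} "
            f"with arguments {info['args']}")


if __name__ == "__main__":
    for link in (BENIGN, SUSPECT):
        allowed, why = check_steam_url(link)
        print(describe(link))
        print("  allowed" if allowed else "  BLOCKED: " + "; ".join(why))
```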
Re: (Score:2)
Because Little Johnny knows how to grok that shit, and wants to click something other than whatever button that means "GTFO, I just want you to do the thing I told you to do, you whiny bastard infernal machine!"
(Except, he doesn't.)
Re: (Score:3)
Except that here they're using the ability to pass command line options to source engine games started via the steam URL handler to create their log file in a certain location with a certain name (like "foo.bat" in the startup folder) then using the echo command via the same URL parameter to log anything they want into that file - and I'm pretty sure a batch file containing "del /s c:\" in there won't be very much appreciated the next time the user logs on...
URL handlers (Score:4, Insightful)
Oh look, yet another vulnerability caused by allowing web pages to start random applications on your system.
Who ever thought that was a good idea?
Don't have to "establish" a list - try them all (Score:2)
Try all the popular games, you're likely to get 1 hit - and that's all you need.
Re: (Score:2)
Yeah, and when I get thousands of popups to execute steam links, I will just close the tab and send a report to google that it is an attack site...
Crazy (Score:3)
Uh, call me crazy, but I just checked the manager in firefox and steam links are set to 'ask first'. I tested, got a popup asking me if I want to run the link with application 'Steam'... unless it was something I wanted, I would generally click 'no'.
Not a very good exploit, imho.
Turn valve 90 degrees to shut-off position. (Score:3)
Simple as that.
con_logfile fixed? (Score:2)
Valve just pushed out an update for Half-Life 2: Deathmatch, Day of Defeat: Source, and Team Fortress 2 that is supposed to fix the con_logfile bug in those games.
Unfortunately, their other multiplayer games remain unpatched, most notably Counter-Strike: Source and Counter-Strike: Global Offensive.
Re: (Score:2)
Steam URLs don't contain hostnames, because they run things on your PC. The only funny thing would be how dumb a person that tries it is.