Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program (zdnet.com) 64

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and discussions in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.
This discussion has been archived. No new comments can be posted.

Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program

Comments Filter:
  • Frosty Piss in Gaben's face.
  • by sinij ( 911942 ) on Wednesday August 21, 2019 @02:45PM (#59110282)
    What were they thinking?! Valve deserves all the bad publicity they got.
    • by sd4f ( 1891894 )

      The problem is there's this cultish reality distortion field associated with valve and gaben, so a few places will completely ignore or even worse, counter justifiable criticism, because as long as they think they're still getting cheap games, then really couldn't care less.

      • by waspleg ( 316038 )

        I actually read through his first assertion when it was posted to hacker news last week (maybe the week before I forget). It seemed to boil down to you would need a malicious developer who sold something on Steam to exploit it because Steam would give it admin rights and seemed to assume that Valve doesn't scan the binaries it pushes on people for malware and he was basically ignored and got angry.

        Valve has a lot of good will because it's easy to get refunds and they're actively developing Linux as a gamin

        • No that's not right. Any user program or user on the computer can cause stream to run a program of there choice with elevated privileges.
        • by Tom ( 822 )

          It seemed to boil down to you would need a malicious developer who sold something on Steam to exploit it

          which anyone can become within a few minutes for $99 (if that's still the price).

        • by dissy ( 172727 )

          I actually read through his first assertion when it was posted to hacker news last week (maybe the week before I forget). It seemed to boil down to you would need a malicious developer who sold something on Steam to exploit it

          No, you just need user access to the windows computer with steam installed.
          Beyond steam client being on the computer, you don't need any other involvement like being a user of steam or anything.

          The problem was that steam installs a service that runs as admin, and changes the permissions on the registry key for starting that service, so the group "Users" has "Full Control"

          You can plop an executable anywhere on the computer you have write perms to, like your user directory, and change that registry key to poi

      • Comment removed (Score:5, Interesting)

        by account_deleted ( 4530225 ) on Wednesday August 21, 2019 @05:51PM (#59110756)
        Comment removed based on user account deletion
        • by Calydor ( 739835 ) on Thursday August 22, 2019 @12:59AM (#59111482)

          So many times this. From a security standpoint Steam has been the lesser of evils for years. For those who don't remember, legitimate customers would go and download pirated game cracks in order to make their legally purchased games run. The late 90s and the early to mid 2000s was the age when the pirates in all respects provided a superior product because the legal product was so shit.

          • For those who don't remember, legitimate customers would go and download pirated game cracks in order to make their legally purchased games run.

            Been indeed my standard procedure back in the days:
            - buy the game
            - don't bother with the provided game executable
            - fetch the de-DRMed "NoCD" crack from astalavista.box.sk
            - enjoy DRM-free play

            As I wasn't that much into the "latest game, at launch day!", by the time I installed and patched, the Anti-virus would have been updated to alert me if there was a trojan inside the crack.

        • by sd4f ( 1891894 )

          I don't disagree, but in the last few years, steam has become more of a platform for getting kids into gambling.

          Something wrong is going on at valve, there have been a few leaks of sorts and heavy criticism of it being a rather toxic work environment. With these sorts of attitudes, particularly booting someone after they found a vulnerability, even if it wasn't as per their requirements, then you still think the appropriate action would be to thank them and work on a fix rather than hope it will be swept un

          • on the other hand, unlike most of their competitors (Epic Games Store, EA Origin, etc.) they put a decent effort on Linux, even having developers contributing to wine (see Proton)

            • by sd4f ( 1891894 )

              The purpose of it was that valve wanted to hedge their bets against microsoft. Fact of the matter is, I'm not sure how using their tools works, but I wouldn't be surprised that eventually, using them would require games to be on steam.

              In spite of the rhetoric about valve being altruistic with regards to windows, back when windows 8 was a thing, the fact is they appear to be copying google's playbook, and I think the end goal is that if you want to use valve's tools, any software will have to be distributed

              • I've always looked at Valve's Linux efforts with a bit of skepticism, but as a for-profit motive. I have a few games I bought when I had Windows installed on a machine, but for the most part, my library is Linux games (if I can't find them on GOG.com) Funny bit is, GOG is easier to let me (without running "beta" software) run my Windows games (which coincidentally aren't cutting edge because I'm an old fart) through WINE with little or no trouble. Sometimes it takes a bit of tweaking... but that's part of

                • by sd4f ( 1891894 )

                  I listened to an interview with Bill Gates, where he spoke about their mobile failure (he feels his biggest failure); platforms are winner takes all. We're seeing practically the same anti-trust things repeat itself with owners of new platforms, although the mobile market is somewhat more bifurcated, particularly in developed english speaking countries, overall we see that once a company dominates a platform, it just becomes the standard for them to engage in anti-trust like behaviour.

                  How this relates to va

        • by sinij ( 911942 )
          The above is a false choice - I will take third option, pay for a game that doesn't have DRM or requires me to use online distribution platform like Steam, Origin, UPlay or Epic. There is absolutely no reason why a single player game should require any kind of network connectivity. It should work on a desert island.
        • GOG Galaxy has been out for over a year. They're just in the midst of a redesign. The old version still works fine though and even has a few Steam features like achievement support, etc, all of which I believe you can disable if you don't like them. I've been using it since the beta and it works just fine, though I do see the reason for a redesign (it feels a bit... cheap, I guess).
    • Really? Valve fixed the first one within 25 days of being notified by HackerOne by the second researcher he contacted, which was within 51 days of his first notification. The asshole at the center of this is a whiny little bitch who released the first exploit because, and I fucking quote directly, "You didn’t respect my work, and that's the reason why I won’t respect yours". The pathetic little shitstain's self importance makes Boris Grishenko look like a humble wage slave at Microsoft in compar

      • by twocows ( 1216842 ) on Thursday August 22, 2019 @10:05AM (#59112456)
        If they fixed the bug and refused to pay out the bounty, that's almost worse; they're essentially stealing his work at that point. Moreover, they're undermining trust in their program to begin with. Bug bounty programs rely a lot on good will because it's always more profitable to sell the exploit on the black market (zero days are worth a lot of money; LPEs aren't worth as much but they're by no means cheap).

        From what I understand of the situation, Valve (by way of whatever company handles their bug bounty program) rejected the bug for being out of scope (it wasn't, unless a defective power supply frying your motherboard is a problem with the motherboard and not the power supply), then overturned that rejection, then overturned that and rejected it again (for being out of scope). The bug was sent on to Valve after the first rejection was overturned and they fixed it at that point, but then since that was overturned again, the bounty program refused to pay out.

        The right thing to do here is obvious. If Valve used the information he provided to fix a bug, then they should pay him for providing that information. Moreover, Valve shouldn't reject LPEs caused by their software as out of scope because that's utterly stupid.
  • Ha! Own it. (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Wednesday August 21, 2019 @02:48PM (#59110294)

    Never blame the bug hunter. The bug hunter is under no obligation to "act professionally" just because your company sucks at it's job. They could have sold and exploited the bug for profit but instead they are doing what was supposed to be your company's job.

    Valve is at fault here for banning them and has no room to complain for getting bit when they did Valve's job for them.

    • Re:Ha! Own it. (Score:5, Insightful)

      by geekmux ( 1040042 ) on Wednesday August 21, 2019 @03:08PM (#59110364)

      Never blame the bug hunter. The bug hunter is under no obligation to "act professionally" just because your company sucks at it's job. They could have sold and exploited the bug for profit but instead they are doing what was supposed to be your company's job.

      Valve is at fault here for banning them and has no room to complain for getting bit when they did Valve's job for them.

      More to the point Valve really needs to grasp the fact that those who actually use their bug bounty program ARE acting professionally.

      If they were acting unprofessionally, then Valve would have learned about multiple zero-day attacks the hard way.

    • Every bug reporter should open up roughly as follows:

      Well, don't want to sound like a dick or nothin', but, ah... it says on your chart that you're fucked up. Ah, you talk like a fag, and your shit's all retarded.

    • Never blame the bug hunter. The bug hunter is under no obligation to "act professionally"

      On the other hand, what separates a "professional" bug hunter from just a nefarious hacker is only the professionalism.
      Find bug:
      Report to vendor through responsible disclosure and get bounty = professional.
      Report as zero day online with complete disregard = disgruntled vandalism.
      Report to whoever you want in exchange for bitcoin = federal prison.

  • ... the client itself isn't running with any special privileges?

    That sounds more like an operating system exploit than a steam exploit.

    • The service is running with SYSTEM privileges.

      That said, the escalation exploit is kinda moot - if you're running arbitrary code on a machine, you've already won.

      • if a web browser hole is discovered then exploited, then privilege escalation exploits would be darn useful to the bad guys.
      • by mark-t ( 151149 )

        The service is running with SYSTEM privileges.

        Why?

        Honest question. Why does it need system privileges?

        • by Tom ( 822 )

          Honest question. Why does it need system privileges?

          My guess would be: For the DRM.

        • Until about 2013, all Windows services ran as SYSTEM. Then the "Local Service" account was introduced. But many apps still run as SYSTEM. So I don't know if this is legacy or there is a good reason. Many Steam games include "anti-cheat" mechanisms that need insane privileges. Probably not good to run Steam on a machine that also contains sensitive data.
          • Also many legacy games, especially around the DX8 era, need to be run with elevated privileges because they play fast and loose with the file system.
  • by Anonymous Coward

    I have seen this, many times over. Someone turns in a bug, they get fired, treatened with criminal/civil action, or otherwise retaliated against.

    Want to know how to get a major bug fixed? Create a fake social media account, DM or @the company, and the C-levels of the company clients, and its PR people. (DM them only, not public), post screenshots of the exploit and how it is done. When clients start seeing that, that actually affects a company's future profits, and when the ka-ching sound is at stake, b

  • it's a feature!
  • by Luthair ( 847766 ) on Wednesday August 21, 2019 @03:14PM (#59110386)
    That part seems like editorializing to me, I doubt many people who aren't in the security community have even heard of the problem.
  • by mysidia ( 191772 ) on Wednesday August 21, 2019 @03:35PM (#59110434)

    Don't blame the researchers when they try and report bugs they found doing your work -- in order to collect bounty.

    Unless they have ALREADY tried to collect bounty on an exploit they ALREADY
    disclosed or sold, or an actually fake issue: then "banning" them from the program basically just means
    your program was fake in the first place -- they are deserving payout, and you're stingy, and want to try and restrict and not honor your bounties to researchers who are doing a service to you.

    If they then respond to not getting paid AND getting banned, and they then publicly release their exploit you know about
    PLUS some other ones they hadn't reported yet, then thats just your comeuppance for running a fake bounty program.

    In fact... that switching to full disclose everything is a PROFESSIONAL response -- "Limited disclosure" after alerting the vendor and witholding the exploit until after its patched is an optional courtesy, often only secured by offering and timely paying bounty to researchers who report the issues, not a right or reasonable expectation. A less professional response would be for them to Sell their exploits and research findings off to your competitors Or more shady operations who may be interested in utilizing some of the exploits for their own advantage against the software maker or their customers, for top dollar.

  • (I'm pretty sure these are the same security flaws are being used to spy on me illegally. I'm pretty sure there are similar holes in some Blizzard products too that just haven't been found yet.)

  • Local root exploits are so numerous spending time addressing them is bad for security ... you could use that time to do something which isn't entirely useless.

    • by Anonymous Coward

      In the case of Steam's windows service still running with the SYSTEM account - anything that can write files to your local file system can suddenly own it. i.e.: any web page that escapes browser sandboxing, any Office document that can sneak VBA script through, any PDF document that can sneak Javascript through. The list is virtually endless.

      Far better to fix the known LPE issues than try to discover and fix all the back doors into your system that can take advantage of them.

    • I wouldn't totally ignore or dismiss all LPE issues, however they are definitely low priority. LPE usually requires something to have already gotten into the system. Some LPE issues can be tough, impractical or even impossible to fix.

      I'd say you're under-reacting, though there is a serious problem with over-reacting as well which I see here. The person in their report of the issue clearly demonstrates anger at steam, a portion of which might be justified but the rest seems to be hot headed bluster.

      We'
      • Some more...

        There's two escalation exploits happening here...

        > Valve gets heavily criticized for mishandling a crucial bug report.

        Here the bug report is severity escalated by a journalist. It's not "crucial". Crucial would be that you can log into anyone's account without knowing their password.
  • To me the first bug seemed to be an OS exploit more than a Steam exploit. However he used a Steam service in his proof of concept. I feel like there are other applications that can be used in the same way. Perhaps that's why they didn't take it? Maybe not, as their justification for rejecting it was more along the lines of disregarding the bug outright than any improper reporting.

    Haven't had a chance to look over the second one yet. I will when I get some time. Early conference calls suck.

    • Here are the exact details [amonitoring.ru]

      From my understanding:
      1. Steam installs the Steam Client Services (SCS) service, which can be started by standard user accounts
      2. SCS sets standard user "full control" permissions on all subkeys of HKLM\SOFTWARE\Wow6432Node\Valve\Steam
      3. Registry keys can be softlinked, so you can make a key at HLKM\SOFTWARE\example1 reference for example HLKM\SYSTEM\SERVICES\important-system-service
      4. When assigning security permissions on subkeys of the \Steam key mentioned above, SCS follows softli
      • One of Steam's features is seamless installs and updates to games without requiring user interaction. That's probably why, it allows them to do something that in modern windows would normally invoke a UAC prompt or two. Their decision to do so shows messed up priorities at Valve but ultimately its on Microsoft that the OS even allows them to do this.

  • Say it ain't so!

    /sarcasm
  • I don't understand why anyone lets Steam run that creepy background service at all. There's no reason my game webstore/launcher needs to have System-level service access to my PC. Ever.

    I could never justify this, and for years have disabled and not run the service. I still get the "Steam Background Service isn't installed, should we install it now?" every time I open Steam, but clicking 'Cancel' has no ill effect on how the platform or any of the games work, and seems entirely unnecessary.

There is no royal road to geometry. -- Euclid

Working...