Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program (zdnet.com)
A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and a lot of discussion in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.
Posty Frist (Score:2, Funny)
Re: (Score:2, Informative)
Re: Posty Frist (Score:2)
Savor the negative karma, wear your moderation like a badge of honor.
Alternatively you could improve your signal-to-noise ratio.
Re: (Score:3)
Yeah, he should have known better than to wrongthink on Slashdot.
Re: (Score:2)
+1, Funny. I agree, but I also know that it comes with the karma hit, so you have to be extra good the rest of the week or mod santa won't come.
Valve deserves all the bad publicity (Score:4, Interesting)
Re: (Score:3)
The problem is there's this cultish reality distortion field associated with Valve and Gaben, so a few places will completely ignore or, even worse, counter justifiable criticism, because as long as they think they're still getting cheap games, they really couldn't care less.
Re: (Score:1)
I actually read through his first assertion when it was posted to Hacker News last week (maybe the week before, I forget). It seemed to boil down to: you would need a malicious developer who sold something on Steam to exploit it, because Steam would give it admin rights. It also seemed to assume that Valve doesn't scan the binaries it pushes on people for malware. He was basically ignored and got angry.
Valve has a lot of good will because it's easy to get refunds and they're actively developing Linux as a gamin
Re: Valve deserves all the bad publicity (Score:3)
Re: (Score:3)
It seemed to boil down to you would need a malicious developer who sold something on Steam to exploit it
which anyone can become within a few minutes for $99 (if that's still the price).
Re: (Score:2)
I actually read through his first assertion when it was posted to Hacker News last week (maybe the week before, I forget). It seemed to boil down to you would need a malicious developer who sold something on Steam to exploit it
No, you just need user access to the Windows computer with Steam installed.
Beyond the Steam client being on the computer, you don't need any other involvement like being a user of Steam or anything.
The problem was that Steam installs a service that runs as admin, and changes the permissions on the registry key for starting that service, so the group "Users" has "Full Control".
You can plop an executable anywhere on the computer you have write perms to, like your user directory, and change that registry key to poi
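The weakness described in this comment (a service key whose ACL grants a broad group like "Users" write access) is something a defender can audit from the key's SDDL string. The following is an added example, not code from the page or from Valve: a small SDDL DACL parser that flags allow ACEs where a broad principal gets write, full, WRITE_DAC or WRITE_OWNER rights. The SDDL samples are constructed, not captured from a real Steam install.

```python
import re

# Well-known SID abbreviations for broad, low-privilege principals (SDDL spec).
BROAD_PRINCIPALS = {"BU": "BUILTIN\\Users", "WD": "Everyone",
                    "AU": "Authenticated Users", "IU": "Interactive Users"}
# SDDL rights tokens that let the holder rewrite the key's values or its own ACL.
WRITE_TOKENS = {"GA", "GW", "KA", "KW", "WD", "WO"}
# Same rights as an access mask, for ACEs that carry a hex rights field:
# GENERIC_ALL | GENERIC_WRITE | KEY_SET_VALUE | WRITE_DAC | WRITE_OWNER
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00000002 | 0x00040000 | 0x00080000

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, flags, rights, sid) tuples."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) != 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append((parts[0], parts[1], parts[2], parts[5]))
    return aces

def rights_grant_write(rights):
    """True if an ACE rights field (two-letter tokens or hex mask) includes write access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)

def weak_service_key_acl(sddl):
    """List (principal, rights) pairs where a broad principal may modify the key."""
    findings = []
    for ace_type, _flags, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in BROAD_PRINCIPALS and rights_grant_write(rights):
            findings.append((BROAD_PRINCIPALS[sid], rights))
    return findings

# Constructed sample SDDL strings for a service key under HKLM\SYSTEM\...\Services.
HARDENED = "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
WEAK = "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"
WEAK_HEX = "O:BAG:SYD:(A;;0x20006;;;AU)"  # KEY_WRITE granted to Authenticated Users

if __name__ == "__main__":
    for name, s in [("hardened", HARDENED), ("weak", WEAK), ("weak_hex", WEAK_HEX)]:
        print(name, weak_service_key_acl(s) or "OK")
```

On a real host the input string comes from PowerShell's `(Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\<service>").Sddl`; any finding means a standard user could repoint the service's ImagePath and have it run as SYSTEM, so the fix is to restore the default ACL (Administrators and SYSTEM full control, Users read).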
Comment removed (Score:5, Interesting)
Re:Valve deserves all the bad publicity (Score:4, Insightful)
So many times this. From a security standpoint Steam has been the lesser of evils for years. For those who don't remember, legitimate customers would go and download pirated game cracks in order to make their legally purchased games run. The late 90s and the early to mid 2000s was the age when the pirates in all respects provided a superior product because the legal product was so shit.
Crack your own legitimate game (Score:2)
For those who don't remember, legitimate customers would go and download pirated game cracks in order to make their legally purchased games run.
That was indeed my standard procedure back in the day:
- buy the game
- don't bother with the provided game executable
- fetch the de-DRMed "NoCD" crack from astalavista.box.sk
- enjoy DRM-free play
As I wasn't that much into "latest game, at launch day!", by the time I installed and patched, the antivirus would have been updated to alert me if there was a trojan inside the crack.
Re: (Score:2)
I don't disagree, but in the last few years, steam has become more of a platform for getting kids into gambling.
Something wrong is going on at Valve; there have been a few leaks of sorts and heavy criticism of it being a rather toxic work environment. With these sorts of attitudes, particularly booting someone after they found a vulnerability, even if it wasn't as per their requirements, you would still think the appropriate action would be to thank them and work on a fix rather than hope it will be swept un
Linux effort (Score:2)
On the other hand, unlike most of their competitors (Epic Games Store, EA Origin, etc.) they put a decent effort into Linux, even having developers contributing to Wine (see Proton).
Re: (Score:2)
The purpose of it was that Valve wanted to hedge their bets against Microsoft. Fact of the matter is, I'm not sure how using their tools works, but I wouldn't be surprised if eventually using them would require games to be on Steam.
In spite of the rhetoric about Valve being altruistic with regards to Windows, back when Windows 8 was a thing, the fact is they appear to be copying Google's playbook, and I think the end goal is that if you want to use Valve's tools, any software will have to be distributed
Re: (Score:2)
I've always looked at Valve's Linux efforts with a bit of skepticism, but as a for-profit motive. I have a few games I bought when I had Windows installed on a machine, but for the most part, my library is Linux games (if I can't find them on GOG.com). Funny bit is, GOG makes it easier for me (without running "beta" software) to run my Windows games (which coincidentally aren't cutting edge because I'm an old fart) through WINE with little or no trouble. Sometimes it takes a bit of tweaking... but that's part of
Re: (Score:2)
I listened to an interview with Bill Gates, where he spoke about their mobile failure (he feels it is his biggest failure); platforms are winner takes all. We're seeing practically the same anti-trust things repeat themselves with owners of new platforms. Although the mobile market is somewhat more bifurcated, particularly in developed English-speaking countries, overall we see that once a company dominates a platform, it just becomes the standard for them to engage in anti-trust-like behaviour.
How this relates to va
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
I made it into the GOG Galaxy 2.0 beta and it works really well.
https://www.gogalaxy.com/en/
Currently the only thing not working is Xbox Live integration.
Re: (Score:2)
Re: (Score:3)
Really? Valve fixed the first one within 25 days of being notified by HackerOne by the second researcher he contacted, which was within 51 days of his first notification. The asshole at the center of this is a whiny little bitch who released the first exploit because, and I fucking quote directly, "You didn’t respect my work, and that's the reason why I won’t respect yours". The pathetic little shitstain's self importance makes Boris Grishenko look like a humble wage slave at Microsoft in compar
Re:Valve deserves all the bad publicity (Score:4)
From what I understand of the situation, Valve (by way of whatever company handles their bug bounty program) rejected the bug for being out of scope (it wasn't, unless a defective power supply frying your motherboard is a problem with the motherboard and not the power supply), then overturned that rejection, then overturned that and rejected it again (for being out of scope). The bug was sent on to Valve after the first rejection was overturned and they fixed it at that point, but then since that was overturned again, the bounty program refused to pay out.
The right thing to do here is obvious. If Valve used the information he provided to fix a bug, then they should pay him for providing that information. Moreover, Valve shouldn't reject LPEs caused by their software as out of scope because that's utterly stupid.
Ha! Own it. (Score:5, Insightful)
Never blame the bug hunter. The bug hunter is under no obligation to "act professionally" just because your company sucks at its job. They could have sold and exploited the bug for profit but instead they are doing what was supposed to be your company's job.
Valve is at fault here for banning them and has no room to complain for getting bit when they did Valve's job for them.
Re:Ha! Own it. (Score:5, Insightful)
Never blame the bug hunter. The bug hunter is under no obligation to "act professionally" just because your company sucks at its job. They could have sold and exploited the bug for profit but instead they are doing what was supposed to be your company's job.
Valve is at fault here for banning them and has no room to complain for getting bit when they did Valve's job for them.
More to the point Valve really needs to grasp the fact that those who actually use their bug bounty program ARE acting professionally.
If they were acting unprofessionally, then Valve would have learned about multiple zero-day attacks the hard way.
Re: Ha! Own it. (Score:3, Funny)
Every bug reporter should open up roughly as follows:
Well, don't want to sound like a dick or nothin', but, ah... it says on your chart that you're fucked up. Ah, you talk like a fag, and your shit's all retarded.
Re: (Score:1)
Re: (Score:2)
Never blame the bug hunter. The bug hunter is under no obligation to "act professionally"
On the other hand, what separates a "professional" bug hunter from just a nefarious hacker is only the professionalism.
Find bug:
Report to vendor through responsible disclosure and get bounty = professional.
Report as zero day online with complete disregard = disgruntled vandalism.
Report to whoever you want in exchange for bitcoin = federal prison.
How does it elevate privileges if.... (Score:2)
That sounds more like an operating system exploit than a Steam exploit.
Re: How does it elevate privileges if.... (Score:2)
The service is running with SYSTEM privileges.
That said, the escalation exploit is kinda moot - if you're running arbitrary code on a machine, you've already won.
Re: (Score:2)
Re: (Score:3)
Good thing there is a never ending supply of them.
Re: (Score:3)
Why?
Honest question. Why does it need system privileges?
Re: (Score:3)
Honest question. Why does it need system privileges?
My guess would be: For the DRM.
Re: (Score:3)
Re: (Score:2)
Fear of reprisal just means nastiness later (Score:2, Interesting)
I have seen this, many times over. Someone turns in a bug, they get fired, threatened with criminal/civil action, or otherwise retaliated against.
Want to know how to get a major bug fixed? Create a fake social media account, DM or @ the company, the C-levels of the company's clients, and its PR people (DM them only, not public), and post screenshots of the exploit and how it is done. When clients start seeing that, it actually affects a company's future profits, and when the ka-ching sound is at stake, b
Re: (Score:3)
> Someone turns in a bug, they get fired, threatened with criminal/civil action, or otherwise retaliated against.
Yeah, this "Shoot the messenger, ignore the message" is extremely short sighted and counter-productive. You want to make it EASIER for people to file bugs, not harder! The known bugs AREN'T the problem -- it is all the ones you don't yet know about that are!
Re: Fear of reprisal just means nastiness later (Score:3)
Re: (Score:2)
> I needed to buy some Bitcoin. Every single centralized exchange
Well, thar's 'yer problem. Try:
https://local.bitcoin.com/
It's not a bug... (Score:2)
Steam Users? (Score:3)
Fake bounty program (Score:5, Insightful)
Don't blame the researchers when they try to report bugs they found doing your work -- in order to collect bounty.
Unless they have ALREADY tried to collect bounty on an exploit they ALREADY disclosed or sold, or on an actually fake issue, "banning" them from the program basically just means your program was fake in the first place -- they deserve a payout, and you're stingy, and want to try to restrict and not honor your bounties to researchers who are doing a service to you.
If they then respond to not getting paid AND getting banned by publicly releasing the exploit you know about PLUS some other ones they hadn't reported yet, then that's just your comeuppance for running a fake bounty program.
In fact... switching to full disclosure of everything is a PROFESSIONAL response -- "limited disclosure" after alerting the vendor and withholding the exploit until after it's patched is an optional courtesy, often only secured by offering and timely paying bounty to researchers who report the issues, not a right or reasonable expectation. A less professional response would be for them to sell their exploits and research findings off to your competitors or more shady operations who may be interested in utilizing some of the exploits for their own advantage against the software maker or their customers, for top dollar.
ALERT TO FBI: PLEASE PAY ATTENTION TO THIS STORY. (Score:1)
(I'm pretty sure these same security flaws are being used to spy on me illegally. I'm pretty sure there are similar holes in some Blizzard products too that just haven't been found yet.)
Re: (Score:1)
(Obviously I'm assuming they're spying on me already. I'm just trying to direct the spotlight to the real criminals.)
Re: (Score:1)
(By the way, you're doing a great job helping direct the spotlight to yourself, so thank you for that.)
Local privilege escalation, who the fuck cares? (Score:1)
Local root exploits are so numerous that spending time addressing them is bad for security ... you could use that time to do something which isn't entirely useless.
Re: (Score:1)
In the case of Steam's Windows service still running with the SYSTEM account, anything that can write files to your local file system can suddenly own it, i.e. any web page that escapes browser sandboxing, any Office document that can sneak VBA script through, any PDF document that can sneak JavaScript through. The list is virtually endless.
Far better to fix the known LPE issues than try to discover and fix all the back doors into your system that can take advantage of them.
Re: (Score:1)
I'd say you're under-reacting, though there is a serious problem with over-reacting as well, which I see here. The person in their report of the issue clearly demonstrates anger at Steam, a portion of which might be justified, but the rest seems to be hot-headed bluster.
We'
Re: (Score:1)
There's two escalation exploits happening here...
> Valve gets heavily criticized for mishandling a crucial bug report.
Here the bug report is severity escalated by a journalist. It's not "crucial". Crucial would be that you can log into anyone's account without knowing their password.
I think it was misfiled (Score:2)
To me the first bug seemed to be an OS exploit more than a Steam exploit. However, he used a Steam service in his proof of concept. I feel like there are other applications that can be used in the same way. Perhaps that's why they didn't take it? Maybe not, as their justification for rejecting it was more along the lines of disregarding the bug outright than any improper reporting.
Haven't had a chance to look over the second one yet. I will when I get some time. Early conference calls suck.
Re: (Score:3)
From my understanding:
Re: (Score:2)
One of Steam's features is seamless installs and updates to games without requiring user interaction. That's probably why: it allows them to do something that in modern Windows would normally invoke a UAC prompt or two. Their decision to do so shows messed-up priorities at Valve, but ultimately it's on Microsoft that the OS even allows them to do this.
Valve doesn't care about its users? (Score:2)
Shady Background Service (Score:1)
I could never justify this, and for years have disabled and not run the service. I still get the "Steam Background Service isn't installed, should we install it now?" every time I open Steam, but clicking 'Cancel' has no ill effect on how the platform or any of the games work, and seems entirely unnecessary.