“I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.”
The Valve Corporation, which runs Steam, an online PC video game distribution platform, has made changes to the way it will interact with bug bounty hunters in the future following a number of public fallouts.
The changes come after security researcher Vasily Kravets released a proof of concept that showed a vulnerability within the Steam client for Windows that allowed privilege escalation.
Originally Valve refused to acknowledge the vulnerability, stating that it was not an issue and did not need a patch. However, once security researchers proved it worked, Valve was forced to patch the issue.
Now the firm has made changes to the way it operates its HackerOne bug bounty program.
In a statement first sent to Ars Technica, Valve commented that:
“We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.”
“Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.”
“We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.”
First Rumblings in Valve’s HackerOne Bug Bounty Program
At the start of this month we reported how Vasily Kravets (aka Felix/PsiDragon) identified the privilege escalation vulnerability within the platform Steam.A privilege escalation vulnerability is a flaw in a system that allows a hacker to execute a command with administrative level privileges.
In a disclosure post Kravets notes that the vulnerability is ‘simple,’ Steam installs a ‘Steam client server’ which is used to download and install games to a user’s computer, this client has SYSTEM privileges on Windows systems.
Upon inspection Kravets noted that the service could be started and stopped by the ‘User’ or essentially anyone logged into the computer. He discovered that if you started and stopped the client it created a full write access to subkeys under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key.
Kravets learned that any Registry Key could be modified using a symlink from a different subkey. As he wrote in his disclosure: “So, now we have a primitive to take control on almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges).
“I choose key HKLM\SYSTEM\ControlSet001\Services\msiserver that corresponds with the service “Windows Installer”, which can be started by any user, same as Steam’s service, but run program as NT AUTHORITY\SYSTEM.”
“After taking control, it is only necessary to change ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start “Windows Installer” service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM.”
“Put all things together and we get exploit that allows running any program with the highest possible rights on any Windows computer with Steam installed.”
Working off the first researcher’s work, privilege escalation expert Matt Nelson created a proof-of-concept that showed how the flaw could be used to replace the executable the service launches when it is restarted.
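From the defender's side, the write-up above points at two things an administrator can audit on a Windows host: whether a broad principal such as Users holds write or symlink-creation rights on the Steam Apps registry key (or its subkeys), and whether the Windows Installer service's ImagePath still points at the expected msiexec binary. The PowerShell script below is an added example written for this article, not code from Kravets, Matt Nelson or Valve. It assumes the default ImagePath of msiserver is `%systemroot%\system32\msiexec.exe /V` (an assumption about a typical Windows install) and uses the registry paths exactly as the disclosure names them; the script only reads ACLs and values and changes nothing.

```powershell
# Added audit example (not from the article or Valve). Read-only checks for the
# two conditions described in the Steam local privilege escalation write-up.

Set-StrictMode -Version Latest

# Registry paths taken from the disclosure quoted in the article.
$SteamAppsKey = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam\Apps'
$MsiServerKey = 'HKLM:\SYSTEM\ControlSet001\Services\msiserver'

# Assumption: the stock ImagePath for the Windows Installer service.
$ExpectedMsiImagePath = '%systemroot%\system32\msiexec.exe /V'

# Principals that effectively mean "any logged-in user".
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a caller create subkeys, set values, or create registry
# symlinks (CreateLink), i.e. the primitives the write-up relies on.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::CreateLink -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey

function Get-WeakRegistryAclFindings {
    # Returns one finding string per key where a broad principal is granted
    # write-class rights. Checks the key itself and its direct subkeys.
    param([Parameter(Mandatory)][string]$KeyPath)

    $findings = @()
    if (-not (Test-Path -Path $KeyPath)) {
        return @("[info] $KeyPath not present (Steam may not be installed)")
    }

    $keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }
            if (($ace.RegistryRights -band $WriteRights) -ne 0) {
                $findings += "[warn] $($key.Name) grants $($ace.RegistryRights) to $who"
            }
        }
    }
    if ($findings.Count -eq 0) { $findings += "[ok] no broad write rights under $KeyPath" }
    return $findings
}

function Get-ServiceImagePathFinding {
    # Compares a service's ImagePath with the expected value after expanding
    # environment variables, so '%systemroot%' and 'C:\Windows' compare equal.
    param(
        [Parameter(Mandatory)][string]$ServiceKeyPath,
        [Parameter(Mandatory)][string]$Expected
    )

    if (-not (Test-Path -Path $ServiceKeyPath)) {
        return "[info] $ServiceKeyPath not present"
    }
    $actual = (Get-ItemProperty -Path $ServiceKeyPath -Name ImagePath).ImagePath
    $normActual   = [Environment]::ExpandEnvironmentVariables($actual).Trim().ToLowerInvariant()
    $normExpected = [Environment]::ExpandEnvironmentVariables($Expected).Trim().ToLowerInvariant()

    if ($normActual -ne $normExpected) {
        return "[warn] ImagePath of $ServiceKeyPath is '$actual' (expected '$Expected')"
    }
    return "[ok] ImagePath of $ServiceKeyPath matches the expected msiexec path"
}

# Run both checks and print the findings.
Get-WeakRegistryAclFindings -KeyPath $SteamAppsKey
Get-ServiceImagePathFinding -ServiceKeyPath $MsiServerKey -Expected $ExpectedMsiImagePath
```

Two notes on running it: the ACL check inspects only the Apps key and its immediate children, so on a host with many installed games the recursion depth can be raised with `Get-ChildItem -Recurse` at the cost of runtime; and because the disclosure names `ControlSet001` explicitly, the script does the same, but `HKLM:\SYSTEM\CurrentControlSet\Services\msiserver` is the alias Windows actually uses at runtime and is the safer path to audit on machines with more than one control set.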
The privilege escalation researcher Felix reported the vulnerability to Valve via HackerOne. He says HackerOne reviewed and confirmed the flaw and reported that they sent the vulnerability to Valve. Felix commented in his post that: “45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.”