Article 4MV0N Severe local 0-Day escalation exploit found in Steam Client Services

by Jim Salter, from Ars Technica - All content (#4MV0N)

Breaking bugs are as described: a security flaw in Steam's client service allows easy execution of arbitrary code as LOCALSYSTEM. (credit: Aurich Lawson / Getty Images)

Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a few simple commands.

The vulnerability lies within Steam Client Service. The service may be started or stopped by unprivileged users. This becomes a problem because, when run, Steam Client Service automatically sets permissions on a range of registry keys. If a mischievous, or outright malicious, user were to symlink one of these keys to the key belonging to another service, arbitrary users could start or stop that service as well. This becomes even more problematic when you realize that it's possible to pass arguments to services that run under extremely privileged accounts, such as msiserver, the Windows Installer service.
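The two preconditions the article describes, a service that low-privilege users may start or stop and service registry keys that such users may write, are both things an administrator can audit. The following PowerShell script is an added example, not code from the article, from Kravets or from Valve; it lists every service whose security descriptor grants start, stop or change-config rights to Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE, and every key under HKLM\SYSTEM\CurrentControlSet\Services on which those principals hold write rights. The article does not name the specific keys Steam's service repermissions, so the script checks the whole services tree rather than any Steam-specific path. It assumes PowerShell 5.1 or later, run elevated so that every service and key is readable.

```powershell
# Added example (not from the article or from Valve): audit a Windows host for
# services that low-privilege principals may start/stop and for service registry
# keys those principals may write. Run in an elevated PowerShell 5.1+ session.

# Service-specific access-mask bits (winsvc.h)
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_STOP          = 0x0020

# Well-known SIDs that every interactive user belongs to
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Registry rights that let a caller alter a service definition or plant a symlink.
# ReadKey's bits are deliberately excluded so read-only access is not reported.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Get-WeakServiceDacl {
    # One object per (service, low-priv principal) pair holding start/stop/config rights.
    param([string[]]$ServiceNames = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($name in $ServiceNames) {
        # sc.exe sdshow prints the service security descriptor in SDDL form
        $sddl = & sc.exe sdshow $name 2>$null | Where-Object { $_ -match '^D:' }
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if (-not $LowPrivSids.ContainsKey($sid)) { continue }
            $rights = @()
            if ($ace.AccessMask -band $SERVICE_START)         { $rights += 'START' }
            if ($ace.AccessMask -band $SERVICE_STOP)          { $rights += 'STOP' }
            if ($ace.AccessMask -band $SERVICE_CHANGE_CONFIG) { $rights += 'CHANGE_CONFIG' }
            if ($rights.Count -gt 0) {
                [pscustomobject]@{ Service = $name; Principal = $LowPrivSids[$sid]; Rights = ($rights -join ', ') }
            }
        }
    }
}

function Get-WeakServiceRegistryAcl {
    # One object per service key where a low-priv principal has write rights.
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Translate the account name back to a SID so the comparison is locale-independent
            try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if (-not $LowPrivSids.ContainsKey($sid)) { continue }
            if (($rule.RegistryRights -band $WriteRights) -ne 0) {
                [pscustomobject]@{ Key = $key.PSChildName; Principal = $LowPrivSids[$sid]; Rights = $rule.RegistryRights }
            }
        }
    }
}

# Usage: review both lists, then tighten the reported ACLs or monitor those
# services and keys for unexpected start/stop events and permission changes.
Get-WeakServiceDacl        | Format-Table -AutoSize
Get-WeakServiceRegistryAcl | Format-Table -AutoSize
```

A service in the first list is one that an ordinary user can cycle on demand, which is the starting point of the chain the article describes; a key in the second list is one whose DACL an unprivileged user could use to redirect or redefine a service. Neither finding is a vulnerability on its own, but a service that appears in both, or a third-party service that rewrites permissions on keys in the second list, is worth a closer look.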


Following a demonstration I saw from Redditor /u/R_Sholes today, I used an unprivileged user account to write a file to C:\Windows\System32 as LOCALSYSTEM. That's game over, for those of you playing along from home. (credit: Jim Salter)

The image walkthrough above follows a few simple steps:

Read 9 remaining paragraphs

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/