← Advisories

Valve Steam Client Application v1559/1559 Local Privilege Escalation

Medium
Advisory ID
ZSL-2011-5022
Release Date
29 June 2011
Vendor
Valve Corporation - http://www.steampowered.com
Affected Version
Built: Jun 1, 2011 at 15:31:24, Steam API: v010, Steam package versions 1559 / 1559, File version: 1.0.968.628
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN)
Summary

Steam is a digital distribution, digital rights management, multiplayer and communications platform developed by Valve Corporation. It is used to distribute games and related media online, from small independent developers to larger software houses. Steam also has community features, automated game updates, and in-game voice and chat functionality.

Description

Steam is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the "F" flag (Full Control) for the "Users" group, for the binary file Steam.exe, GameOverlayUI.exe and steamerrorreporter.exe. The binary (Steam.exe) is set by default to Startup with "-silent" parameter.

Proof of Concept
steam_privesc.txtTXT
Disclosure Timeline
24.06.2011Vulnerability discovered.
25.06.2011Initial contact with the vendor.
25.06.2011Auto-reply from the vendor stating that the message is received.
28.06.2011No reply from the vendor.
29.06.2011Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.exploit-db.com/exploits/17459/
[2]http://packetstormsecurity.org/files/102666
[3]http://securityreason.com/exploitalert/10548
[4]http://www.securityfocus.com/bid/48504
[5]http://xforce.iss.net/xforce/xfdb/68333
[6]http://www.vfocus.net/art/20110630/9171.html
Changelog
29.06.2011Initial release
30.06.2011Added reference [1], [2] and [3]
01.07.2011Added reference [4] and [5]
02.07.2011Added reference [6]