Researcher discloses second Steam zero-day exploit after being shut out of bug bounty program (Update: fixed in beta channel)

Researcher discloses second Steam zero-day exploit after being shut out of bug bounty program (Update: ...
Credit: Valve

Update on Aug. 23, 9:15 AM IST: Valve has now officially issued fixes for the privilege escalation vulnerabilities discovered in its Steam client on the beta channel. The company acknowledged that it was a mistake, and revised its rules to explicitly state that these issues are in scope and should be reported.

The development comes as security researcher Vasily Kravets disclosed a second zero-day vulnerability on August 20 after being shut out of HackerOne bug bounty program. The original story follows.


A second zero-day vulnerability has been publicly disclosed in the Steam gaming client by security researcher Vasily Kravets after he said he was banned from its bug-bounty program.

The revelations come two weeks after another zero-day previously disclosed by Kravets and researcher Matt Nelson was disputed by Valve, Steam’s parent company.

The flaw (CVE-2019-14743), which affects Windows versions of the client, concerns a privilege escalation (aka elevation of privilege or local privilege escalation) bug that makes it possible for other apps, and potentially malware, on a user’s computer to run code with system privileges.

As a result, a threat actor could exploit this vulnerability to remotely execute malicious code on the target device by elevating its permissions using Steam‘s system rights.

“Achieving maximum privileges can lead to much more disastrous consequences,” Kravets wrote. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft [of] any PC user’s private data — is just a small portion of what could be done.”

The digital PC games storefront has over 90 million monthly active users, with Windows OS accounting for nearly 96.28 percent of all Steam installations.

Although Valve initially declined to resolve the vulnerability, Kravets’ public disclosure of the zero-day prompted the company to issue a fix on August 9 (“Fixed privilege escalation exploit using symbolic links in Windows registry”).

But it appears the patch didn’t solve the problem. As researcher Xiaoyin Liu detailed in a write-up, the fix can be bypassed to exploit the flaw again.

That’s not all. Kravets, who got barred from the HackerOne bug-bounty platform following the public disclosure, ended up finding a second privilege escalation flaw that allows malicious apps to gain admin rights through the Steam app.

Unlike the previous flaw — which used symbolic links (i.e. file shortcuts) to cause the device to launch a program with full privileges — the second zero-day stems from leveraging its admin permissions to make changes to the Steam installation folder structure and injecting a malicious executable.

Given Valve‘s botched Steam update and the company’s indifferent attitude to privilege escalation vulnerabilites, it will be interesting to see if it fixes them for real this time around.

“It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” Kravets noted. “Are you sure that a free game made of garbage by an unknown developer will behave honestly?”

Read next: Cryptojacking malware found in 11 RubyGem language repositories