Slashdot Mirror


Steam Protocol Opens PCs to Remote Code Execution

Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer."

128 comments

  1. Before anyone panics... by MachDelta · · Score: 3, Informative

    A (user side) solution from TFA:

    The issue can be limited by disabling the steam:// URL handler

    Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

    1. Re:Before anyone panics... by casings · · Score: 0

      Well for an ideal exploit, you wouldn't know.

    2. Re:Before anyone panics... by Anonymous Coward · · Score: 2, Insightful

      Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

      I'm sure a couple lines of basic javascript would be able to do that on your behalf though.

    3. Re:Before anyone panics... by sourcerror · · Score: 4, Informative

      If you want to place shortcuts to your desktop you will need it though.

    4. Re:Before anyone panics... by Anonymous Coward · · Score: 1

      steam://nakedmileycyruspics.ua would be OK, right?

    5. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      I never did understand why Steam asks if I want to make shortcuts.
      I can already start them from steam, why would I want additional shortcuts cluttering up my desktop?
      Then again, my desktop wallpaper is an empty black screen.

    6. Re:Before anyone panics... by interval1066 · · Score: 1

      Whatever your wp is, I agree, shortcuts are a pain in the ass. For me they're a short-term convenience and I get rid of them when I'm done with the task of the moment. When installers ask me if I want a short-cut to their wiz-bang application I cringe.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    7. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      Some people use the desktop since it's quicker than opening the game list and double-clicking there, just like some people will put their favorite programs on their tray.

    8. Re:Before anyone panics... by Gaygirlie · · Score: 2

      Because double-clicking a pretty icon is faster than hunting from Steam collections? At least I like to have the games I currently play on the desktop, though the ones I am not actively playing I remove from there.

    9. Re:Before anyone panics... by The+MAZZTer · · Score: 2, Informative

      If you have used Steam you have clicked on a steam:// link at some point. The built-in web browser uses links all over the place. The install button for installing your now-purchased games uses it. Every link that opens in a new browser window uses it.

    10. Re:Before anyone panics... by The+MAZZTer · · Score: 1

      Also: Steam will reregister the steam:// protocol every time you start it up, since it would be very broken without it.

    11. Re:Before anyone panics... by afidel · · Score: 1

      It's easier to click on the desktop link than it is to launch Steam, go to library, find your game, right click and do launch.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      No, I haven't. I run steam exclusively in Wine and I've never bothered to manually set up the steam:// association. I make all my purchases in a browser, and none of the fancy "click HERE to play your game!" links work.

    13. Re:Before anyone panics... by SlappyMcgee · · Score: 1

      The games I currently play are available from right clicking the steam icon in the task bar - they are at the top of the list. I hate desktop icons.

    14. Re:Before anyone panics... by PIBM · · Score: 1

      Steam's always running, tons of windows are opened in a very specific order spanning quite a lot of desktop space. I'm never seeing my desktop files. Opening the start menu (windows button) then typing the first few letters of what I want to launch is how I start anything not in steam.

      Besides, you can simply double click on your game name in Steam.

    15. Re:Before anyone panics... by wjousts · · Score: 1

      When installers ask me if I want a short-cut to their wiz-bang application I cringe.

      I cringe more when they don't ask and just do it anyway. Serious pet-peeve.

    16. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      Not true, these files exist on your hard drive and can be run like anything else. Some specific games may refuse to launch without that, but I have not found one yet.

    17. Re:Before anyone panics... by dotHectate · · Score: 1

      When installers ask me if I want a short-cut to their wiz-bang application I cringe.

      I cringe more when they don't ask and just do it anyway. Serious pet-peeve.

      It seems that everything on Android does this. The first thing I do after installing something is to remove the shortcut from the main pages. I have a whole screen with nothing but my apps - why would I want that on my main screen too?

      --
      Patience is a virtue, but haste is my life.
    18. Re:Before anyone panics... by Happler · · Score: 2

      That is a setting in the play store for android. Easy to turn off.

    19. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      Yes, it is. The first thing I did after getting my Galaxy Nexus was to google how to turn off the desktop shortcuts. If I wanted a cluttered mess of icons I would have gotten an iOS device.

    20. Re:Before anyone panics... by HiThere · · Score: 1

      Anyway, that's not needed for a shortcut. Just a simple shell script will suffice. You can also attach an icon to it and stick it in your taskbar. No need for a URL to launch a local application.

      N.B.: This comment may not apply to gnome3. I've heard some pretty strange stories about the built-in limitations that *it* has. (No task bar? You're kidding, right?)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    21. Re:Before anyone panics... by xmousex · · Score: 1

      Click on the Steam icon in the tray, the game list scrolls up, click the name of the game you want. It's only two clicks.

    22. Re:Before anyone panics... by afidel · · Score: 1

      I don't leave steam running you insensitive clod.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    23. Re:Before anyone panics... by firesyde424 · · Score: 1

      There is a setting to prevent that under the App Store

    24. Re:Before anyone panics... by HideyoshiJP · · Score: 1

      It admittedly took me a while to find that setting as I mistakenly assumed it would be in the settings app, as opposed to a setting with the Play store itself. I clearly was not thinking that day.

    25. Re:Before anyone panics... by Talderas · · Score: 1

      I've had problems with that on Windows 7. When I fresh open steam after a restart sometimes it won't show any games recently played. Then after playing a game that game will show up. Then later, after something happens, I'll get my 6 most recent games to pop up. The unreliability of the method means I no longer use it. I also don't care enough to figure out why it does it.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    26. Re:Before anyone panics... by viperidaenz · · Score: 1

      .... or embedding it in an > tag in an ad that targets people who search for the particular game being exploited. Perhaps some nice targeted advertising for "unreal walkthrough" (and all the other games that use the unreal engine)

    27. Re:Before anyone panics... by viperidaenz · · Score: 1

      Weird... I never had to turn it off. Didn't know the option existed.

    28. Re:Before anyone panics... by Anonymous Coward · · Score: 1

      No, I haven't. I run steam exclusively in Wine and I've never bothered to manually set up the steam:// association. I make all my purchases in a browser, and none of the fancy "click HERE to play your game!" links work.

      Great.

      So, did you download the game outside of Steam somehow, or did you click an Install Game button at some point? Because if you clicked said install button from, say, within Steam's Store "application" (which is itself a Webkit browser), then you clicked on a steam:// link.

    29. Re:Before anyone panics... by cbhacking · · Score: 2

      More to the point, while the GP may not have bothered to set up the steam:// URI association in the host Linux system, within the Wine environment it will be working. Now, granted, most people who use Wine for gaming probably aren't also using it for something like running IE4Linux, but if you *were* to do that, you would (potentially) be vulnerable.

      Admittedly, the risk is pretty damn minimal in that environment.

      --
      There's no place I could be, since I've found Serenity...
    30. Re:Before anyone panics... by X0563511 · · Score: 1

      Or just right-click the steam icon in the tray. It keeps several of your recent launches at the top ready to quick-launch.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    31. Re:Before anyone panics... by X0563511 · · Score: 1

      In contrast, I have never seen an icon that I did not create or that did not come that way out of the box.

      You probably have that option in the play store turned on that the other folks are mentioning.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    32. Re:Before anyone panics... by humanrev · · Score: 1

      There's no reason to believe that you need something like a steam:// handler to launch via shortcut. Surely Steam can be coded such that shortcuts instead point to the Steam executable with a parameter to the relevant game ID (e.g. C:\Steam\Steam.exe -launch 9520). This would bypass the issue of abuse at least partially.

      The purpose for the handler is only because Steam is part browser, and so launching stuff within Steam is made easier via the handler. But for shortcuts? Shouldn't be necessary.

      --
      Most people on Slashdot are fucking idiots.
    33. Re:Before anyone panics... by cbhacking · · Score: 2

      For extra fun, which somehow didn't make it into the (atrociously bad) summary, those Install links can be used for exploits themselves. It turns out that there's a memory corruption bug in Steam (integer overflow on a malloc call), specifically in the .TGA image decoder. Steam URIs can be used to install a game from a "local cache" which can be at an arbitrary UNC path, including over the Internet (\\spoitserver.com\steam\steamexploit.tga) if the target server has Windows networking open to Internet traffic and set to permit anonymous access (neither is default, but you can configure it like that).

      So no, you really don't have to know of a game that the victim has installed, and unless you want to break a *ton* of Steam functionality, disabling the steam:// URI scheme isn't a very good work-around.

      --
      There's no place I could be, since I've found Serenity...
    34. Re:Before anyone panics... by hairyfeet · · Score: 0

      Well I'd argue this is why you shouldn't allow JavaScript in your application. There are too many ways to hijack JavaScript, and one page filled with JavaScript malware and that's all she wrote; there have even been multiplatform JavaScript malware pages looking for common attack vectors like Java and Flash.

      Frankly what we need is somebody, maybe Google since they seem to be doing a lot of research lately, to come up with a replacement for JavaScript. It was never designed for security and they just keep bolting on more and more features which makes it more and more risky. In the end with JavaScript you are trusting third party code from multiple sources to not be malicious and that's just a bad assumption when the stakes can be so high.

      What we need is a new language designed to run with absolute least permissions and to have as little info as possible about the system it's running on. I mean, look at how much info you can get through JavaScript now. The simple fact is you remove JavaScript support from a system and its ability to get pwned drops right off the chart; that tells me this is a problem that needs to be dealt with instead of simply building more bling on top of JavaScript.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      The feature is new to ICS/JB. Gingerbread devices never had that.

    36. Re:Before anyone panics... by kermidge · · Score: 1

      "Steam's always running...."

      Huh? How does it hide from top?

      When I start it via Desktop shortcut, it shows up in taskbar and system monitor process tab. When I right-click and exit it from taskbar, it's gone. Do you mean to say it's hidden or masked as another process?

      "/home/myusername/.cxoffice/Steam/desktopdata/cxmenu/Desktop.C^5E3A^5Fusers^5FPublic^5FDesktop/Steam.lnk" is the command for the shortcut. Is there something in there that I should be leery of? [sorry 'bout the control codes, didn't edit or look them up]

    37. Re:Before anyone panics... by PIBM · · Score: 1

      launch steam, go to library, find your game, right click and do launch.

      I was merely pointing out that for at least some people, starting steam is unnecessary as we/they keep it running and even keep it starting on launch. Finding your game is easy when you mark them, or know where they are just because you remember where they are ;) Right click to launch too was unnecessary. Usually, games are 3 quick mouse clicks away.

    38. Re:Before anyone panics... by kermidge · · Score: 1

      Oh, OK. After I start Steam, I usually left-click on taskbar icon and select game from my default Library tab. While I sometimes leave it running for days, I notice there's a tendency for the connection to drop, so I have to re-start it anyway. Costs me a couple of extra clicks, but the arthritis is not bad yet. [grin]

    39. Re:Before anyone panics... by Anonymous Coward · · Score: 0

      Hot grits on Natalie would be more steamy.

  2. Which games are installed... by black6host · · Score: 2

    From the summary:
    " Potential attackers would, of course, first have to establish which games are installed on the target computer. "

    Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.....

    1. Re:Which games are installed... by cod3r_ · · Score: 1

      or just assume skyrim ... profit

    2. Re:Which games are installed... by Anonymous Coward · · Score: 0

      Javascript.

      Last time I checked it included advanced technology such as loops and collection data types.

    3. Re:Which games are installed... by fuzzyfuzzyfungus · · Score: 1

      From the summary:
      " Potential attackers would, of course, first have to establish which games are installed on the target computer. "

      Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.....

      Worse, unless there is absolutely no way to have the process fail silently, there isn't really much penalty attached to iterating your merry way through quite a long list of possibilities...

      Even if a message of some kind does pop up, what's Joe User going to do under the flood of error windows all suddenly stealing focus?

    4. Re:Which games are installed... by Anonymous Coward · · Score: 0

      From the summary:
      " Potential attackers would, of course, first have to establish which games are installed on the target computer. "

      Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences.....

      Well since steam already tells you what games users have purchased, you can be sure at least some of them are installed.

    5. Re:Which games are installed... by Wandering+Voice · · Score: 1

      No Skyrim here, but I wonder if HL.exe is even more common. I can't remember the last time I played Half life, Half Life 2, or DOD, but it loads every time for TF2.

    6. Re:Which games are installed... by gman003 · · Score: 1

      It has to be the specific game - it goes by the Steam game ID, not by the executable name (which is hl2.exe for *most* Source games).

    7. Re:Which games are installed... by amicusNYCL · · Score: 2

      It looks like this is an attack against the games itself, via command line parameter injection, so Skyrim would have to support command line options that would let the attacker do something useful to the system. It sounds like the Source engine is somehow vulnerable by supporting command line options to write to log files, and somehow the Unreal engine lets you execute arbitrary code from the command line. The new XCOM just came out though (and is awesome), I believe that uses the Unreal engine.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Which games are installed... by Happler · · Score: 1

      Or just look up user names on Steam community to see who has not marked themselves as "private". It shows all games that they own in their profile and what they have played recently.

    9. Re:Which games are installed... by cod3r_ · · Score: 1

      Dishonored does too. That just came out and is pretty popular.

    10. Re:Which games are installed... by cbhacking · · Score: 1

      The summary is wrong/stupid. Not only is it poorly worded, it also adds BS like the line you quoted.

      The researchers found an exploit in Steam itself. Specifically, in the image decoder used to show the game logo during game installation. Since steam:// URIs can be used to tell Steam to install a game from a "local" download, but allows specifying arbitrary UNC paths (which can specify Internet addresses), you can set up a server that hosts a corrupted image file and post steam:// links that use your server as an install location. No need to wonder about games the target may have installed...

      --
      There's no place I could be, since I've found Serenity...
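The two cbhacking comments above (33 in the first thread and 10 here) name the bug class behind the install-link vector: an integer overflow in the size handed to malloc by a .TGA image decoder. The block below is an added example, not Steam's or ReVuln's code. It uses the standard 18-byte TGA header layout (16-bit little-endian width at offset 12, height at offset 14, 8-bit pixel depth at offset 16), two constructed headers, and an assumed 256 MiB cap for a logo image, and puts the unchecked size calculation beside a checked one so the wrap-around is visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Steam's or ReVuln's code). Only the fields of the
 * 18-byte TGA header that decide the pixel-buffer size are modelled. */
typedef struct {
    uint16_t width;
    uint16_t height;
    uint8_t  bits_per_pixel;   /* 8, 16, 24 or 32 */
} tga_dims;

#define TGA_HEADER_LEN 18

/* Read width, height and depth out of a raw header. Returns false when the
 * buffer is shorter than a full header. */
bool tga_parse_dims(const uint8_t *hdr, size_t len, tga_dims *out) {
    if (hdr == NULL || out == NULL || len < TGA_HEADER_LEN) return false;
    out->width          = (uint16_t)(hdr[12] | (hdr[13] << 8));
    out->height         = (uint16_t)(hdr[14] | (hdr[15] << 8));
    out->bits_per_pixel = hdr[16];
    return true;
}

/* The defect class described in the thread: the allocation size is formed
 * in 32-bit arithmetic, so a crafted header wraps it to a small number and
 * malloc() hands back far less memory than the decoder later writes. */
uint32_t tga_pixel_bytes_unchecked(const tga_dims *d) {
    uint32_t bytes_per_pixel = d->bits_per_pixel / 8u;
    return (uint32_t)d->width * (uint32_t)d->height * bytes_per_pixel;
}

/* Hardened form: reject unsupported depths and empty images, multiply in
 * 64 bits, and enforce a cap before the size reaches the allocator. */
bool tga_pixel_bytes_checked(const tga_dims *d, size_t max_bytes, size_t *out) {
    if (d->bits_per_pixel != 8 && d->bits_per_pixel != 16 &&
        d->bits_per_pixel != 24 && d->bits_per_pixel != 32) return false;
    if (d->width == 0 || d->height == 0) return false;
    uint64_t n = (uint64_t)d->width * (uint64_t)d->height *
                 (uint64_t)(d->bits_per_pixel / 8u);
    if (n > max_bytes) return false;
    *out = (size_t)n;
    return true;
}

/* Constructed header: 32768 x 32768 pixels at 32 bpp (image type 2,
 * uncompressed true-colour). 32768*32768*4 is exactly 2^32, so the 32-bit
 * product wraps to 0. */
static const uint8_t CRAFTED_HDR[TGA_HEADER_LEN] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x80, 0x00, 0x80, 32, 0
};
/* Constructed header: 64 x 64 pixels at 24 bpp, a plausible game logo. */
static const uint8_t SANE_HDR[TGA_HEADER_LEN] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 64, 0, 24, 0
};
#define MAX_LOGO_BYTES (256u * 1024u * 1024u)   /* assumed decoder cap */

uint32_t demo_crafted_unchecked_size(void) {
    tga_dims d;
    tga_parse_dims(CRAFTED_HDR, sizeof CRAFTED_HDR, &d);
    return tga_pixel_bytes_unchecked(&d);                 /* wraps to 0 */
}

bool demo_crafted_checked_accepted(void) {
    tga_dims d; size_t n;
    tga_parse_dims(CRAFTED_HDR, sizeof CRAFTED_HDR, &d);
    return tga_pixel_bytes_checked(&d, MAX_LOGO_BYTES, &n); /* false */
}

size_t demo_sane_checked_size(void) {
    tga_dims d; size_t n = 0;
    tga_parse_dims(SANE_HDR, sizeof SANE_HDR, &d);
    tga_pixel_bytes_checked(&d, MAX_LOGO_BYTES, &n);
    return n;                                             /* 64*64*3 */
}

int main(void) {
    printf("crafted header, unchecked size: %u bytes\n", demo_crafted_unchecked_size());
    printf("crafted header, checked: %s\n",
           demo_crafted_checked_accepted() ? "accepted" : "rejected");
    printf("sane header, checked size: %zu bytes\n", demo_sane_checked_size());
    return 0;
}
```

The point for a defender is the shape of the fix rather than the exact numbers: width and height are attacker-controlled 16-bit fields, so any product of them formed in 32 bits can be steered to wrap, and the allocation must be computed in a wider type and bounded before malloc is called.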
  3. Too late.. by phrackwulf · · Score: 1

    PANIC!!!! PANIC!!! PANIC!!!

    --
    What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!
    1. Re:Too late.. by Anonymous Coward · · Score: 0

      PANIC!!!! PANIC!!! PANIC!!!

      So ... once again the pirates have a better experience?

    2. Re:Too late.. by trum4n · · Score: 1

      always. - a reluctant steam user

    3. Re:Too late.. by Anonymous Coward · · Score: 0

      Actually pirates need to worry about a whole different set of vulnerabilities. Since they are downloading and manually running many executables to install and launch a game, they subject themselves to a high risk of running malicious code that's been injected into said executables. There are ways to avoid the malicious code: wait several weeks and find the safest download per reviews/download numbers, pirate your friend's paid-for copy, or steal a copy from the store.

    4. Re:Too late.. by Anonymous Coward · · Score: 3, Insightful

      Nonsense. Unless you count potentially buggy(buggier?) games with frequently painful install procedures, possible Trojans and viruses and often other game experience limitations.

      That hasn't been my experience actually. Most problems I ever had with games were caused by the DRM. Pirate versions eliminate that.

      Pirated games are only free if your time is worthless.

      In other words "I had a hard time with it so everybody else does too". That just isn't true.

      Besides we are talking about games here. Free time is assumed. A few seconds deleting an .exe and copying over the cracked version ONE SINGLE TIME just isn't a big deal. The problems I have had with DRM took up a lot more time than that.

      My experience with pirated games is so good that even if I buy the game I still install the pirate version. No offense but perhaps you are not technically competent in this area? Did you ever think maybe your personal experience is not universal?

    5. Re:Too late.. by Hal_Porter · · Score: 1

      Yeah, no way someone would put malicious code in Keygen or cracked executable.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    6. Re:Too late.. by TheRealGrogan · · Score: 1

      In actual fact, that's quite rare in piracy circles, so cut out the FUD. These groups crack programs with pride.

    7. Re:Too late.. by CastrTroy · · Score: 1

      If they can take the time to remove the DRM, they can also take the time to insert other code which does bad things. Movies and music are probably pretty safe when downloaded from pirate sites, but I wouldn't trust anything that's an executable. Anyone with the skill to remove the DRM probably has enough skill to insert a virus and make it hard to detect.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    8. Re:Too late.. by Anonymous Coward · · Score: 1

      Are you stupid on purpose? Or a troll? Or some sort of shill? Or just don't know what you're talking about....

      I've been pirating games since the days of the 1200 baud modem. And in all that time. In all those THOUSANDS of games.
      I've never found one trojan, virus, or other infected thing in a pirated game. Never. Not once. I am either the most lucky user in the world. OR damn few pirated things are infected. Since I don't feel that lucky.. I'm going with option #2.

      However i HAVE purchased a game cd that came with a trojan as part of the install. The game company said sorry but you're shit out of luck. No refund.

      Your entire idea is stupid really. Who the fuck is going to screw with distribution of a 4gig or larger package game to infect someone? That's a lot of work in an age when you can infect just about anyone with a simple website. Or program, plugin, other... That is much smaller than a game.

      If you wanted to target game users.. Putting out an infected trainer or cheat would work better and take far less resources. And that happens ALL THE TIME.
      No piracy involved at all either.

      The only valid arguments against piracy are either legal. Or moral.
      There are no technical reasons that piracy is bad. No matter how people try to spin it as such. And like everywhere else... With piracy you won't get a virus if you pay attention. As for your bit about install? LOL.

      And if you wanna get picky.... I trust the pirates FAR more than I trust any company on the planet. The companies all want my money, and they have shown they are willing to do anything legal or illegal to get it.. but the pirates haven't wanted a penny yet.

    9. Re:Too late.. by Anonymous Coward · · Score: 0

      By "pirated" you mean "cracked"? Personally, I buy what I crack and I crack what I buy, because I value my time and I prefer my software to be safe and reliable. The time spent cracking a game is, in my experience, less than the hassle of going through DRM just once, let alone every single time I want to play the game. I've often found that bugs and stability issues are fixed by applying a crack, but the number of times this has introduced a bug is, so far, 1 (Beyond Good and Evil retail).

    10. Re:Too late.. by Anonymous Coward · · Score: 0

      Actually, keygens often contain malicious code. Cracks from the well-known groups, however, tend to be safer than running the game as the publisher provided it.

    11. Re:Too late.. by cbhacking · · Score: 1

      I did semi-volunteer tech support for my university dorm floor. Every single instance of malware somebody came to me for help cleaning - and there was one at least once per month, on a floor of 70 guys - came from pirated software (typically Photoshop, not games, but sometimes games too). Some were from the outside Internet, some were from the DC++ system that everybody on campus seemed to be using, but they were pervasive.

      One of the biggest examples of in-the-wild OS X malware was a trojan in pirate copies of iWork that would add the machines into a botnet.

      Malware in pirated software isn't just a hypothetical; it's something that is very, very common. There are, I'm sure, groups who have a good reputation for removing DRM and not inserting their own money-maker (which is what malware is these days; it's all about money) but I'm sure there are also people who take that "clean" code, inject malware, and then re-distribute it. Undeniably, the malware gets into those game installers somehow!

      --
      There's no place I could be, since I've found Serenity...
    12. Re:Too late.. by Hal_Porter · · Score: 1

      I was being sarcastic. As far as I can see the only way keygen authors can make money is via malware.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    13. Re:Too late.. by Anonymous Coward · · Score: 0

      Some people care about stuff OTHER than money.

      I know its hard to believe. but it's true.

    14. Re:Too late.. by L4t3r4lu5 · · Score: 1

      I've lost 2 days of "free time" thanks to the way Offline Mode works with Steam. You either cache your credentials before going offline, as though you're taking your laptop on a trip, or you are locked out of your Steam games totally until you can access the internet again.

      Try it: Log in to Steam, unplug your network cable / disconnect from wireless, and restart Steam. Offline mode won't even load. So, that one time when you have some free time but can't watch iPlayer / YouTube / Hulu etc because the internet is down? Can't play Steam games either.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    15. Re:Too late.. by tibman · · Score: 1

      This just in: Downloading and running exe's from a torrent you found online could allow remote code execution as well.

      --
      http://soylentnews.org/~tibman
    16. Re:Too late.. by tibman · · Score: 1

      The groups may up a clean crack but that doesn't mean every copy of that crack is clean. Anyone can modify it and re-up it.

      --
      http://soylentnews.org/~tibman
    17. Re:Too late.. by Anguirel · · Score: 1

      Many Steam-downloaded single-player games can be launched directly, and do not require Steam to be up or connected to play. I checked a random sampling of mine and didn't actually encounter any that didn't have their own separate online-required DRM but required Steam to play. Launching them manually is not exactly straightforward, but for many (I'd say most, but I haven't done a study or even really hit a large enough sample size of multiple genres and publishers) offline Steam-purchased-and-downloaded games you can certainly play them even if the Internet is out and Steam won't launch.

      --
      ~Anguirel (lit. Living Star-Iron)
      QA: The art of telling someone that their baby is ugly without getting punched.
  4. Fixed the Title by NinjaTekNeeks · · Score: 0

    "Installations of Steam vulnerable to a drive by download by users of mozilla based browsers with certain games installed within steam"

    1. Re:Fixed the Title by Briareos · · Score: 1

      Considering that URL handlers are executed by just about any browser on Windows and it's Safari and other Webkit-based ones that silently execute URL handlers instead of asking the user for confirmation - what's with the fixation on Firefox?

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    2. Re:Fixed the Title by oji-sama · · Score: 1

      "Installations of Steam vulnerable to a drive by download by users of mozilla based browsers with certain games installed within steam"

      Yeah, sure, whatever you say.

      Browsers such as Internet Explorer, Chrome and Firefox display an alert when steam:// URLs are called; only Safari passes them on without any warning.

      --
      It is what it is.
    3. Re:Fixed the Title by NinjaTekNeeks · · Score: 1

      "According to the results reported in Table 1 all the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine are a perfect vector to perform silent Steam Browser Protocol calls. "

      Yeah, I read it too fast, my mistake.

    4. Re:Fixed the Title by oji-sama · · Score: 1

      And I missed that sentence, thanks. (Although, if I ever see a Launch Application message in Firefox that I wasn't expecting, I certainly won't click OK...)

      --
      It is what it is.
    5. Re:Fixed the Title by TheLink · · Score: 2

      I recommend that people run Firefox as a different user from the user account they use to log in. On Windows you can use the runas command.

      You have to give your main user account full permissions to the browser user account, so that you can copy files that the browser downloads etc.

      Make sure firefox is installed using either the main or admin account, NOT the browser account. This prevents the browser account from doing too many changes to the executables. However this means you'll need to update the browser using the main/admin account, but this could be considered a feature not a bug ;).

      Once you do that if you get hit by a drive by, most of the usual startup stuff[1] will only take effect if you ever log in as the browser user account. But since you only log in as your normal main user account, the stuff doesn't run. If you ever need to run as the browser account, make sure you clean stuff up before you do. If you are using windows, load the registry hive to check etc.

      [1] Other stuff could be installed. If you're using Linux "crontabs" and "at" stuff might be able to be configured. However if you set stuff up correctly the damage is limited - since the browser account won't have access to your data. On Windows normal users can't use "at" by default.

      --
    6. Re:Fixed the Title by oji-sama · · Score: 1

      I recommend that people run Firefox as a different user from the user account they use to log in.

      Is there a reason that only Firefox users should do this? Based on the PDF, the only difference (in this case) is that some of the other browsers display the URL as well...

      --
      It is what it is.
    7. Re:Fixed the Title by TheLink · · Score: 1

      Reason is I haven't managed to get the "runas" thing to work for Google Chrome and recent versions of IE.

      Chrome and IE do sandboxing, I don't know whether that's enough for exploits like this. In contrast, if you run Firefox as restricted User A, and it somehow can run stuff as User B, the OS has a serious bug. There have been such bugs, but they are a lot rarer than bugs in browsers, PDF viewers, Flash etc.

      For banking stuff I run a different browser using yet another user account. So they can pwn my facebook browser, but the hacker has to be really targeting me to pwn my bank browser. While they can pwn me if they really want, from what I see they are more likely to target the bank - more $$$ for the effort. Even I have found security issues with online bank sites before, so it's not like banks are that much harder to hack than me.

      --
    8. Re:Fixed the Title by oji-sama · · Score: 1

      Chrome and IE do sandboxing, I don't know whether that's enough for exploits like this.

      I don't think so, because it is not a browser exploit as such. They are just delivering the URI to Steam. I wonder if the restricted account has the protocol registered as well... Well, at least it wouldn't have Steam configured and logged in.

      --
      It is what it is.
    9. Re:Fixed the Title by Billly+Gates · · Score: 1

      Or how about just running Firefox and Steam as a standard user? You shouldn't be running as an administrator anyway in this day and age, and you are just asking for trouble otherwise.

      I do this by default on all my Windows 7 installations where I create a Super User account and then last create a regular user account for that person and explain to use that one by default and never use the other admin account unless you are installing a scanner or a new software package.

      This won't fully protect you as a buffer overflow or privilege escalation can get around this but it adds another layer and another annoying step for the hackers. Most hackers know people are stupid and run as admin at home so you should be safe from this.

      Another recommendation is to drop Firefox totally. I know I may piss some people off reading this but IE and Chrome have sandboxing built in. FF is behind in this area and requires NoScript and other disruptive add-ons to achieve the same security. I hated Sandboxie before I started using Chrome.

    10. Re:Fixed the Title by cbhacking · · Score: 1

      IE7+, when running in its sandbox ("Protected Mode"), will pop up a second warning message when clicking a link that invokes an external program. It doesn't really tell you anything that the first message didn't, except that the program will execute outside of the Protected Mode sandbox, but it's another chance to realize something is wrong and cancel it.

      --
      There's no place I could be, since I've found Serenity...
    11. Re:Fixed the Title by TheLink · · Score: 1

      Doh. If you do that when you get pwned it's trivial for the malware to set things up so that it runs whenever you login.

      Whereas with my way, it is much harder for the malware to do that. It could perhaps set itself to run whenever the browser runs - plugin/extension, but it has no access to your main user account. It only has access to what you allow the browser account to access.

      And who but you is even talking about running stuff as administrator? If you install stuff as admin, but run stuff as some other user, that makes it harder for the executables to be changed.

      --
  5. How is this an exploit? by ZiakII · · Score: 1, Insightful

    I do not get how exactly this is an exploit. You need to create a batch file on the intended system's start-up folder first. If you can do that, why not just have the batch file execute a command to download a malicious file and execute it?

    Not sure what the real issue is...

    1. Re:How is this an exploit? by Anonymous Coward · · Score: 0, Insightful

      The real issue would be with your reading comprehension skills. Try reading it again.

    2. Re:How is this an exploit? by Baloroth · · Score: 4, Informative

      I do not get how exactly this is an exploit. You need to create a batch file on the intended system's start-up folder first. If you can do that, why not just have the batch file execute a command to download a malicious file and execute it?

      Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    3. Re:How is this an exploit? by Anonymous Coward · · Score: 0

      As stated in the article :

      "For example, the Source engine's command line allows users to select a specific log file and add items to it."

      That means: Specify something like "c:\windows\startup\somename.bat" as the 'log' file and "add items to it" (the batch commands).

    4. Re:How is this an exploit? by Anonymous Coward · · Score: 0

      Have they actually done this, or is this theoretical? Source games tend to spit a ton of crap and error messages into the console, and I'd think that would mess up a batch file.

    5. Re:How is this an exploit? by Anonymous Coward · · Score: 0

      The batch language is so resilient that most garbage doesn't stop it from reaching a valid line lower down.

      CAPTCHA: inasmuch. How relevant.

    6. Re:How is this an exploit? by Anonymous Coward · · Score: 0

      They're creating the batch file in the startup (start menu\programs\startup) folder. It could be named anything and it'd still run, not just autoexec.

    7. Re:How is this an exploit? by Kalriath · · Score: 1

      Write it to a Perl script then. You've got at least a 75% chance that the garbled crap ends up being valid executable code somewhere.

      (Perl. The only language where YGT$#WQAYGTyAEHQY compiles).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    8. Re:How is this an exploit? by Anonymous Coward · · Score: 0

      somename.bat is not a log file
      If the study meant all file types and not just designated log files, the study is erroneously written.

  6. Why is this even on Slashdot by Wattos · · Score: 0

    From TFA:

    Our choice for exploiting this bug is to create a .bat file in the Startup folder of
    the user account which will execute our commands injected through +echo at the
    next login of the user on the system. There is also an interesting scenario against
    dedicated servers by specifying the motd.txt of the game as logfile and launching
    the cvarlist command that will dump all the game variables in such file that is
    visible to any player who joins the server. Team Fortress 28 is one of the most
    played games based on this engine and it’s free-to-play.

    The system is already compromised at this point. Why do we need the Steam protocol?

    Also, for the love of god, please stop calling these people security researchers.

    1. Re:Why is this even on Slashdot by Malenx · · Score: 1

      Agree, I can't see how this exploit would work without a previously compromised system. They are also relying on users to click on bad links to get the process started. How is this at all new?

    2. Re:Why is this even on Slashdot by Scytheon3 · · Score: 5, Insightful

      The system is not already compromised. They are using the vulnerability to create the .bat file by specifying this as the log file for Team Fortress and then echoing commands into it.

    3. Re:Why is this even on Slashdot by Baloroth · · Score: 3, Informative

      The sentence is poorly phrased: what they mean is that they create the .bat file using some command line parameters (one of which dumps console output to the file of your choice, which could be "c:/autoexec.bat"). That then gets executed automatically on login, and boom, exploited.

      The solution is pretty easy: make browsers that open external programs for a link show what they are doing and exactly what the command is, and/or have steam show the same when it loads the protocol command. Steam could also refuse to pass command line parameters, but that limits the usefulness of the protocol in the first place (might be necessary, unfortunately).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:Why is this even on Slashdot by Briareos · · Score: 2

      Except that here they're using the ability to pass command line options to Source engine games started via the Steam URL handler to create their log file in a certain location with a certain name (like "foo.bat" in the startup folder), then using the echo command via the same URL parameter to log anything they want into that file - and I'm pretty sure a batch file containing "del /s c:\" in there won't be very much appreciated the next time the user logs on...

      --
      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    5. Re:Why is this even on Slashdot by Anonymous Coward · · Score: 0

      Team Fortress 28? Man, after how long it took to produce the first sequel, they really got their crap together.

    6. Re:Why is this even on Slashdot by TheRealGrogan · · Score: 1

      Windows NT based systems have come with file permissions for a long time. Remove write permissions from the user and global startup folders. Yes, all write permissions, even for the user "System" (I hate anything that uses the startup folder anyway and wouldn't allow anything in there)

      Or what about programs like that "Tea Timer" (Spybot Search and Destroy) or others that block things from getting in startup? (I always thought Tea Timer to be a silly nuisance, never to be activated, but here's an instance where it would help)

      Attack foiled.

      Personally I am not worried about this, for I use Windows only for games. The chances of me going to a bad URL while in Windows are near zero. Besides, now that the cat is out of the bag, Valve will probably find a way to mitigate this with one of the next client updates.

    7. Re:Why is this even on Slashdot by Billly+Gates · · Score: 1

      Which is why the old adage DO NOT RUN AS ROOT is applicable.

      When I install a fresh copy of Windows 7 I create the user name God or Super User and then after everything is patched and software is installed I add a second account with just standard/limited permissions.

      Windows 8 goes a step further and limits your account to regular user by default. You get a UAC prompt every time if you want to change something. I should be fine with this since I only have read-only access to any settings as I only run as a standard user.

      I wish more Windows XP/7 users did this. Running as a non-standard user is not asking for trouble. While it won't protect you from rootkits, buffer overflows, or privilege escalation attacks, it will surely protect you from exploits. Still, the URL is entered by the hackers so you will be vulnerable if you run as admin, so be warned.

    8. Re:Why is this even on Slashdot by cbhacking · · Score: 1

      It's going to be hard for Valve to mitigate; most of the bugs found are in games that Valve doesn't develop, often even games that don't run Valve's game engine. Don't let the shit-heap of a summary fool you; there are a ton of attacks you can do if you can pass arbitrary parameters to games. The whole "script in the startup folder" thing is *one* way that you could do this attack using *one* game engine (which happens to have been developed by Valve). The researchers list a bunch of other exploits too, ranging from memory corruption bugs to games which will install update packages from arbitrary locations specified on the command line. Game developers are, by and large, *terrible* at security.

      --
      There's no place I could be, since I've found Serenity...
    9. Re:Why is this even on Slashdot by Anonymous Coward · · Score: 0

      a .bat file is not a log file
      therefore not possible

    10. Re:Why is this even on Slashdot by adolf · · Score: 1

      The solution is pretty easy: make browsers that open external programs for a link show what they are doing and exactly what the command is, and/or have steam show the same when it loads the protocol command.

      Because Little Johnny knows how to grok that shit, and wants to click something other than whatever button that means "GTFO, I just want you to do the thing I told you to do, you whiny bastard infernal machine!"

      (Except, he doesn't.)

  7. URL handlers by 0123456 · · Score: 3, Insightful

    Oh look, yet another vulnerability caused by allowing web pages to start random applications on your system.

    Who ever thought that was a good idea?

    1. Re:URL handlers by Anonymous Coward · · Score: 0

      Same person it always is: someone who was trying to take a monster shortcut.

  8. Dont have to "establish" a list - try them all by Gothmolly · · Score: 1

    Try all the popular games, you're likely to get 1 hit - and that's all you need.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Dont have to "establish" a list - try them all by Barny · · Score: 1

      Yeah, and when I get thousands of popups to execute steam links, I will just close the tab and send a report to google that it is an attack site...

      --
      ...
      /me sighs
    2. Re:Dont have to "establish" a list - try them all by Anonymous Coward · · Score: 0

      And how will you close the tab with all the popups stealing focus every time a new one is created? But it doesn't matter, at that point you've already been attacked.

    3. Re:Dont have to "establish" a list - try them all by Anonymous Coward · · Score: 0

      No he has not - steam:// links do not auto-execute, you have to give them permission. Even if you do give them permission, this attack vector then requires a computer restart BEFORE checking your startup folder for rogue batch files. Of note, most anti-virus/anti-malware programs will freak out if exactly such an event takes place.

      Next unless you are using a browser stuck in last century popups stealing focus until you can't do anything is kind of a thing of the past, all your popups open in tabs, close the master window and you shut down that site.

      This is still a big deal and some sort of security enhancement for steam is required to prevent this sort of abuse.

  9. DDoS Steam URL's? by Anonymous Coward · · Score: 0

    Has anyone tried to DDoS a steam://* URL? Might be funny.

    1. Re:DDoS Steam URL's? by Elbart · · Score: 1

      Sure, go ahead. Have fun.

    2. Re:DDoS Steam URL's? by Kalriath · · Score: 1

      Steam URLs don't contain hostnames, because they run things on your PC. The only funny thing would be how dumb a person that tries it is.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  10. Crazy by Barny · · Score: 2

    Uh, call me crazy, but I just checked the manager in Firefox and steam links are set to 'ask first'. I tested, got a popup asking me if I want to run the link with application 'Steam'... unless it was something I wanted, I would generally click 'no'.

    Not a very good exploit, imho.

    --
    ...
    /me sighs
    1. Re:Crazy by Anonymous Coward · · Score: 0

      I think you're imagining the attack BACKWARDS.

    2. Re:Crazy by Anonymous Coward · · Score: 0

      The thing you seem to have missed is that the attackers are targeting the malformed steam link precisely to be in that "something I wanted" category.
      Click. Game Over.
      i.e. a popular game you are likely to have and play (sort of goes along with that "popular" qualifier, no?)

      The solution is for applications to only be allowed to create/write files in a separate data-only filesystem/directory tree.
      That won't happen because you can't fix existing applications that don't do this.
      And we all know how well leaving your system security up to the whims of whatever the OS/application programmer thinks is appropriate has been working out.

      IMHO, certain files, such as C:\autoexec.bat are absolutely "knowable" by operating system designers as critical system files, and the OS should have strong access controls and escalated privilege protections in place for any modifications to such a crucial file. Particularly where NTFS and extended attribute filesystems are widely used.

  11. Yay! Mandatory Binding Arbitration! by Anonymous Coward · · Score: 0

    So glad I didn't accept that new Mandatory Binding Arbitration EULA. That means steam doesn't even work on my computer anymore.

    And for the rest of you, too bad no matter what happens you can't sue Valve! Suckers... :^D

  12. Turn valve 90 degrees to shut-off position. by Kaz+Kylheku · · Score: 2

    Simple as that.

  13. Re:Why the DRM icon? by maharvey · · Score: 1

    Wow I never thought of that! But so true...

  14. Why bother? by Anonymous Coward · · Score: 0

    And why wouldn't the DRM already put code in that does bad things? Already does, really.

    Maybe that game distributor will delete the driver for your DVD-RW in case you think you can copy the game.

    Or root you like Sony did.

  15. but are you paranoid enough? by Anonymous Coward · · Score: 0

    I thought the link to the PDF in the summary was a nice touch.

  16. Details of an exploit in an exploitable format by Anonymous Coward · · Score: 0

    Am I the only one that sees the irony in detailing an exploit for Steam in a PDF file, one of the most exploited formats that has ever existed thanks to Adobe?

    If I were still using Adobe Reader I think I'd rather open an unknown exe than a PDF.

  17. It's real (read the PDF) by cbhacking · · Score: 1

    It's actually quite simple in this case, though: you can specify, on the command line, a log file (with full path and extension). Then, you can specify "echo" commands which will be written to the log file. These lines will appear at the top of the log, before any of the game's usual log spew. So yes, you can guarantee that the lines for "download this arbitrary executable and run it" appear at the top of the batch script.

    If you want to, you can even then put an exit instruction in the script, so the user doesn't even see the script window full of game spew. Of course, by that time they'd already be owned anyhow...

    --
    There's no place I could be, since I've found Serenity...
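    The two posts above describe what this attack leaves behind (a loose script in the Startup folder whose first lines are the injected commands, followed by game console spew) and one mitigation (locking down the Startup folders). The following audit script is an added example written for this thread; it is not code from any poster, from Valve or from the ReVuln paper. The two Startup folder locations are the standard Windows ones; the function names and the sample files that demo() builds are constructed for this example. It inventories the per-user and all-users Startup folders, ignores the .lnk shortcuts that normally live there, and reports any runnable file together with the first non-empty line (the first thing that would execute at logon), newest first.

```python
"""Audit Windows Startup folders for files that would run at the next logon.

Added example for this thread; not code from any poster, from Valve or from
the ReVuln paper. The Startup folder locations are the standard Windows ones;
function names and the sample files built by demo() are constructed.
"""
import os
import tempfile
import time
from pathlib import Path

# Relative path of the Startup folder under %APPDATA% (per user) and
# %ProgramData% (all users).
STARTUP_REL = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"

# Extensions Windows executes directly or hands to a script host from Startup.
RUNNABLE = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".com", ".scr", ".pif"}
TEXT_SCRIPTS = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1"}


def startup_folders():
    """Return the Startup folders that exist on this machine (empty list off Windows)."""
    roots = [os.environ.get("APPDATA"), os.environ.get("ProgramData")]
    return [Path(r) / STARTUP_REL for r in roots if r and (Path(r) / STARTUP_REL).is_dir()]


def first_code_line(path):
    """First non-empty line of a text script: the first thing that runs at logon."""
    try:
        with Path(path).open("r", errors="replace") as fh:
            for line in fh:
                if line.strip():
                    return line.strip()
    except OSError:
        pass
    return None


def audit_startup_folder(folder, max_age_days=None):
    """Return findings for runnable files in `folder`, newest first.

    .lnk shortcuts (the normal contents of Startup) are ignored; a loose
    script or binary dropped here is what a logfile-write attack leaves behind.
    """
    now = time.time()
    findings = []
    for entry in Path(folder).iterdir():
        ext = entry.suffix.lower()
        if not entry.is_file() or ext not in RUNNABLE:
            continue
        age_days = (now - entry.stat().st_mtime) / 86400
        if max_age_days is not None and age_days > max_age_days:
            continue
        findings.append({
            "path": str(entry),
            "ext": ext,
            "age_days": round(age_days, 2),
            "first_line": first_code_line(entry) if ext in TEXT_SCRIPTS else None,
        })
    findings.sort(key=lambda f: f["age_days"])
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and audit it."""
    folder = Path(tempfile.mkdtemp(prefix="startup-audit-"))
    (folder / "Game Launcher.lnk").write_bytes(b"")          # normal shortcut, ignored
    (folder / "readme.txt").write_text("not executable\n")   # not runnable, ignored
    # A batch file with commands at the top followed by console-log noise,
    # the shape described in the thread (contents constructed and harmless).
    (folder / "condump.bat").write_text(
        "\n@echo off\necho constructed sample\nexit\n-- constructed console output --\n"
    )
    return audit_startup_folder(folder)


if __name__ == "__main__":
    folders = startup_folders()
    for folder in folders:
        for f in audit_startup_folder(folder):
            print(f"{f['path']}: {f['ext']} age={f['age_days']}d first line: {f['first_line']!r}")
    if not folders:
        print("No Windows Startup folder found; auditing a constructed folder instead:")
        for f in demo():
            print(f)
```

    Run it as the user whose logon you care about; pass max_age_days to audit_startup_folder() to list only files dropped recently, which is the usual question after an unexpected steam:// prompt.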
  18. con_logfile fixed? by VGPowerlord · · Score: 1

    Valve just pushed out an update for Half-Life 2: Deathmatch, Day of Defeat: Source, and Team Fortress 2 that is supposed to fix the con_logfile bug in those games.

    Unfortunately, their other multiplayer games remain unpatched, most notably Counter-Strike: Source and Counter-Strike: Global Offensive.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  19. Two notes by Anonymous Coward · · Score: 0

    The study suggests and relies upon the fact that the victim:

    1. Has already acquired malicious content (e.g. an autostart .bat command set).
    2. Has no security knowledge and does stupid things like allowing random escalated privileges, UAC control prompt bypasses and (successful socially engineered attacks) knowingly runs remotely acquired code.

    All software has the kind of vulnerabilities the study describes about Steam. If the attacker already has access to the victim's computer by the means of (1) and (2), there is no reason to make things complicated by utilizing Steam's weaknesses. You'd have 100% access anyway to all parts of the computer.

  20. Re:Why the DRM icon? by Anonymous Coward · · Score: 0

    Steam is DRM. Like just about every other piece of DRM before it, steam has security holes.

    So Steam does bad things (prevent[1] you from playing the games you stupidly bought legally instead of downloading the cracked version), and it does even more bad things (allow people to control your computer).

    This makes Steam no different from other DRM. The people who have been praising Steam for not being as bad as other forms of DRM have now been proven wrong.

    [1] Read the posts about being unable to "go offline" with no internet connection available. When I have no internet connection available, that's when I have nothing better to do than play games.

  21. Steam Community, Wot? by Anonymous Coward · · Score: 0

    Potential attackers would, of course, first have to establish which games are installed on the target computer.

    Steam community, wot?

  22. Pretty impractical exploits by Anonymous Coward · · Score: 0

    While these exploits are things that should be fixed, it's not as if they are practical to exploit, seeing the level of specific knowledge you need of the targeted user etc.; it's not like your average Flash zero-day, nobody's going to write a wide-scale exploit based on this, and it's not really notable for a Slashdot front page post (I'd go so far as to say the report is more attention seeking than substance).
    That said, Valve definitely should fix this up, and I'd say it won't be long before they do.

    I can speak from experience though, that all games are chock-full of exploitable code, and generally it never gets fixed because the developers don't judge it as economical to do so, until stuff is actually being exploited and becomes a nuisance to players (even then, usually stuff only gets exploited like that once devs have moved on from supporting the game in question, meaning nothing gets fixed); that would be a more noteworthy story to see on Slashdot.

    Disclaimer: Game developer and minor reverse-engineer enthusiast.