Slashdot Mirror


Steam Protocol Opens PCs to Remote Code Execution

Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer. "

19 of 128 comments

  1. Before anyone panics... by MachDelta · · Score: 3, Informative

    A (user side) solution from TFA:

    The issue can be limited by disabling the steam:// URL handler

    Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

    1. Re:Before anyone panics... by Anonymous Coward · · Score: 2, Insightful

      Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

      I'm sure a couple lines of basic javascript would be able to do that on your behalf though.

    2. Re:Before anyone panics... by sourcerror · · Score: 4, Informative

      If you want to place shortcuts to your desktop you will need it though.

    3. Re:Before anyone panics... by Gaygirlie · · Score: 2

      Because double-clicking a pretty icon is faster than hunting from Steam collections? At least I like to have the games I currently play on the desktop, though the ones I am not actively playing I remove from there.

    4. Re:Before anyone panics... by The+MAZZTer · · Score: 2, Informative

      If you have used Steam you have clicked on a steam:// link at some point. The built-in web browser uses links all over the place. The install button for installing your now-purchased games uses it. Every link that opens in a new browser window uses it.

    5. Re:Before anyone panics... by Happler · · Score: 2

      That is a setting in the play store for android. Easy to turn off.

    6. Re:Before anyone panics... by cbhacking · · Score: 2

      More to the point, while the GP may not have bothered to set up the steam:// URI association in the host Linux system, within the Wine environment it will be working. Now, granted, most people who use Wine for gaming probably aren't also using it for something like running IE4Linux, but if you *were* to do that, you would (potentially) be vulnerable.

      Admittedly, the risk is pretty damn minimal in that environment.

      --
      There's no place I could be, since I've found Serenity...
    7. Re:Before anyone panics... by cbhacking · · Score: 2

      For extra fun, which somehow didn't make it into the (atrociously bad) summary, those Install links can be used for exploits themselves. It turns out that there's a memory corruption bug in Steam (integer overflow on a malloc call), specifically in the .TGA image decoder. Steam URIs can be used to install a game from a "local cache" which can be at an arbitrary UNC path, including over the Internet (\\spoitserver.com\steam\steamexploit.tga) if the target server has Windows networking open to Internet traffic and set to permit anonymous access (neither is default, but you can configure it like that).

      So no, you really don't have to know of a game that the victim has installed, and unless you want to break a *ton* of Steam functionality, disabling the steam:// URI scheme isn't a very good work-around.

      --
      There's no place I could be, since I've found Serenity...
  2. Which games are installed... by black6host · · Score: 2

    From the summary:
    "Potential attackers would, of course, first have to establish which games are installed on the target computer."

    Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x, y and z on it based on the owner's preferences...

    1. Re:Which games are installed... by amicusNYCL · · Score: 2

      It looks like this is an attack against the games themselves, via command line parameter injection, so Skyrim would have to support command line options that would let the attacker do something useful to the system. It sounds like the Source engine is somehow vulnerable by supporting command line options to write to log files, and somehow the Unreal engine lets you execute arbitrary code from the command line. The new XCOM just came out though (and is awesome), I believe that uses the Unreal engine.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  3. Re:How is this an exploit? by Baloroth · · Score: 4, Informative

    I do not get how exactly this is an exploit. You need to create a batch file on the intended system start-up folder first. If you can do that. Why not just have the batch file execute a command to download a malicious file and execute it?

    Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  4. Re:Why is this even on Slashdot by Scytheon3 · · Score: 5, Insightful

    The system is not already compromised. They are using the vulnerability to create the .bat file by specifying this as the log file for Team Fortress and then echoing commands into it.

  5. Re:Too late.. by Anonymous Coward · · Score: 3, Insightful

    Nonsense. Unless you count potentially buggy (buggier?) games with frequently painful install procedures, possible Trojans and viruses and often other game experience limitations.

    That hasn't been my experience actually. Most problems I ever had with games were caused by the DRM. Pirate versions eliminate that.

    Pirated games are only free if your time is worthless.

    In other words "I had a hard time with it so everybody else does too". That just isn't true.

    Besides we are talking about games here. Free time is assumed. A few seconds deleting an .exe and copying over the cracked version ONE SINGLE TIME just isn't a big deal. The problems I have had with DRM took up a lot more time than that.

    My experience with pirated games is so good that even if I buy the game I still install the pirate version. No offense but perhaps you are not technically competent in this area? Did you ever think maybe your personal experience is not universal?

  6. Re:Why is this even on Slashdot by Baloroth · · Score: 3, Informative

    The sentence is poorly phrased: what they mean is that they create the .bat file using some command line parameters (one of which dumps console output to the file of your choice, which could be "c:/autoexec.bat"). That then gets executed automatically on login, and boom, exploited.

    The solution is pretty easy: make browsers that open external programs for a link show what they are doing and exactly what the command is, and/or have steam show the same when it loads the protocol command. Steam could also refuse to pass command line parameters, but that limits the usefulness of the protocol in the first place (might be necessary, unfortunately).

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
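The mitigation Baloroth sketches above (have the handler refuse to forward arbitrary command-line parameters) is easy to see in code. The following is an added illustration for this thread, not Valve's handler and not code from any commenter: it shows a pass-through dispatcher next to a validating one. The URL shape `steam://run/<appid>//<params>/`, the executable naming and the option allowlist are assumptions made for the example.

```python
"""Two variants of a steam://run/ URL handler (illustrative, not Valve's code).

The unsafe variant forwards whatever follows the app id onto the game's
command line, which is exactly the injection point this thread discusses.
The hardened variant accepts a numeric app id plus whole tokens from a fixed
allowlist and refuses everything else.
"""
from urllib.parse import urlsplit, unquote

# Constructed allowlist: launch options this handler is willing to forward.
# Assumption for the example, not Steam's real option set.
ALLOWED_OPTIONS = {"-windowed", "-fullscreen", "-novid"}


class RejectedUrl(ValueError):
    """Raised by the hardened handler when a URL fails validation."""


def parse_run_url(url):
    """Return (appid, raw_parameter_string) for a steam://run/ URL.

    Assumed URL shape: steam://run/<appid>//<params>/ (the //<params>/ part
    is optional).
    """
    parts = urlsplit(url)
    if parts.scheme != "steam" or parts.netloc != "run":
        raise RejectedUrl("not a steam://run/ URL")
    path = unquote(parts.path).strip("/")
    appid, _, raw = path.partition("//")
    return appid, raw.strip("/")


def unsafe_build_argv(url):
    """Pass-through handler: everything after the app id lands on the game's
    command line, so whoever authored the link controls the arguments."""
    appid, raw = parse_run_url(url)
    return [f"app{appid}.exe"] + raw.split()   # executable name is a placeholder


def hardened_build_argv(url):
    """Validating handler: numeric app id only, and every parameter must be a
    whole token from ALLOWED_OPTIONS; paths, values and unknown flags are refused."""
    appid, raw = parse_run_url(url)
    if not appid.isdigit():
        raise RejectedUrl(f"app id is not numeric: {appid!r}")
    tokens = raw.split()
    for tok in tokens:
        if tok not in ALLOWED_OPTIONS:
            raise RejectedUrl(f"parameter not in allowlist: {tok!r}")
    return [f"app{appid}.exe"] + tokens


def accepts(url):
    """True if the hardened handler would launch the URL, False if it refuses."""
    try:
        hardened_build_argv(url)
        return True
    except RejectedUrl:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain launch, an allowlisted option, and a URL that
    # smuggles an extra parameter carrying a file path (placeholder flag name).
    samples = [
        "steam://run/440",
        "steam://run/440//-windowed/",
        "steam://run/440//-placeholderflag%20C:\\Users\\x\\file.bat/",
    ]
    for u in samples:
        print(u, "->", unsafe_build_argv(u), "| hardened accepts:", accepts(u))
```

The design point is that the hardened version never interprets the parameter string; it only compares whole tokens against a closed set, so a value that looks like a path or a console command has nowhere to go. That is the trade-off Baloroth mentions: the protocol loses its general-purpose parameter passing, but a link on a web page can no longer choose the game's arguments.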
  7. Re:Why is this even on Slashdot by Briareos · · Score: 2

    Except that here they're using the ability to pass command line options to source engine games started via the steam URL handler to create their log file in a certain location with a certain name (like "foo.bat" in the startup folder) then using the echo command via the same URL parameter to log anything they want into that file - and I'm pretty sure a batch file containing "del /s c:\" in there won't be very much appreciated the next time the user logs on...

    --

    "I'm not anti-anything, I'm anti-everything, it fits better." - Sole
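Scytheon3 and Briareos describe the persistence step: a script file written into the user's Startup folder, executed at the next logon. From the defender's side, the cheap check is to look at that folder for script files that are newer than expected. The script below is an added example for this thread, not from the article or any commenter; the per-user Startup path under `%APPDATA%`, the extension list and the sample folder it builds when run off-Windows are all assumptions made for the example.

```python
"""Audit a Windows Startup folder for recently dropped script files.

Illustrative example for this thread. The Startup path, the extension list
and the demo folder are assumptions; nothing here comes from the article.
"""
import os
import time
import tempfile
from pathlib import Path

# File types that auto-execute from the Startup folder (assumed list).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


def default_startup_folder():
    """Per-user Startup folder on Windows, or None when APPDATA is not set."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def audit_startup_folder(folder, max_age_hours=48, now=None):
    """Return one finding per script file: name, age in hours, its first line,
    and whether it is newer than max_age_hours (the signal worth triaging)."""
    now = time.time() if now is None else now
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        age_hours = (now - entry.stat().st_mtime) / 3600
        with entry.open("r", errors="replace") as fh:
            first_line = fh.readline().rstrip("\r\n")
        findings.append({
            "name": entry.name,
            "age_hours": round(age_hours, 1),
            "first_line": first_line,
            "recent": age_hours <= max_age_hours,
        })
    return findings


def recent_scripts(folder, max_age_hours=48, now=None):
    """Names of script files that appeared within the window."""
    return [f["name"] for f in audit_startup_folder(folder, max_age_hours, now)
            if f["recent"]]


def build_demo_folder():
    """Constructed sample Startup folder: a benign text file, a month-old
    script, and a script written an hour ago (the one an analyst would open)."""
    folder = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    now = time.time()
    (folder / "notes.txt").write_text("not executable\n")
    old = folder / "old-tool.bat"
    old.write_text("@echo off\nrem long-standing helper (constructed)\n")
    os.utime(old, (now - 30 * 86400, now - 30 * 86400))
    fresh = folder / "fresh.bat"
    fresh.write_text("@echo off\nrem constructed sample, dropped an hour ago\n")
    os.utime(fresh, (now - 3600, now - 3600))
    return folder


if __name__ == "__main__":
    folder = default_startup_folder() or build_demo_folder()
    for finding in audit_startup_folder(folder):
        flag = "RECENT" if finding["recent"] else "old"
        print(f"{flag:6} {finding['name']:20} {finding['age_hours']:>8}h  {finding['first_line']}")
```

On a real machine the all-users Startup folder under `%ProgramData%` deserves the same pass, and the modification time alone is only a triage hint: a game that writes its console log into this folder would produce a file whose first lines are console output rather than a normal batch header, which is the kind of oddity this listing is meant to surface.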

  8. URL handlers by 0123456 · · Score: 3, Insightful

    Oh look, yet another vulnerability caused by allowing web pages to start random applications on your system.

    Who ever thought that was a good idea?

  9. Re:Fixed the Title by TheLink · · Score: 2

    I recommend that people run Firefox as a different user from the user account they use to log in. On Windows you can use the runas command.

    You have to give your main user account full permissions to the browser user account, so that you can copy files that the browser downloads etc.

    Make sure firefox is installed using either the main or admin account, NOT the browser account. This prevents the browser account from doing too many changes to the executables. However this means you'll need to update the browser using the main/admin account, but this could be considered a feature not a bug ;).

    Once you do that if you get hit by a drive by, most of the usual startup stuff[1] will only take effect if you ever log in as the browser user account. But since you only log in as your normal main user account, the stuff doesn't run. If you ever need to run as the browser account, make sure you clean stuff up before you do. If you are using windows, load the registry hive to check etc.

    [1] Other stuff could be installed. If you're using Linux "crontabs" and "at" stuff might be able to be configured. However if you set stuff up correctly the damage is limited - since the browser account won't have access to your data. On Windows normal users can't use "at" by default.

    --
  10. Crazy by Barny · · Score: 2

    Uh, call me crazy, but I just checked the manager in firefox and steam links are set to 'ask first'. I tested, got a popup asking me if I want to run the link with application 'Steam'... unless it was something I wanted, I would generally click 'no'.

    Not a very good exploit, imho.

    --
    ...
    /me sighs
  11. Turn valve 90 degrees to shut-off position. by Kaz+Kylheku · · Score: 2

    Simple as that.