Slashdot Mirror
Steam Protocol Opens PCs to Remote Code Execution
Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer. "
If you want to place shortcuts to your desktop you will need it though.
I do not get how exactly this is an exploit. You need to create a batch file on the intended system start-up folder first. If you can do that. Why not just have the batch file execute a command to download a malicious file and execute it?
Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
The system is not already compromised. They are using the vulnerability to create the .bat file by specifying this as the log file for Team Fortress and then echoing commands into it.