Security news, analysis, expert opinions on cybersecurity and technology

Steam gamers: your Windows PC is prone to privilege escalation attacks

Multiple privilege escalation vulnerabilities in Stream gaming service that remain unpatched can make it easy for malware and malicious threat actors to gain persistence and escalate permissions on Windows systems.

Ax Sharma November 25, 2020 3 min read

Steam, a popular video game platform is vulnerable to privilege escalation attacks. On Windows PCs, Steam creates installation directories with improper permissions.

This can let a user, an attacker, or worse, malware abuse Steam executables to escalate privileges.

This week, Will Dormann, a vulnerability analyst at CERT/CC tweeted “You probably shouldn’t make your install dir world-writable. Unexpected stuff could happen.”

In his tweet, Dormann was referring to how his vulnerability report on the issue was closed by Valve—the company behind Steam.

According to Dormann, the company cited that “file placement” attacks were out of scope and closed his vulnerability report without further action.

Me: You probably shouldn't make your install dir world-writable. Unexpected stuff could happen.
Valve: Steam attacks that require file placement are out of scope. Ticket closed.

Don't run games on systems you care about, folks. pic.twitter.com/oGMcDIyn6L
— Will Dormann (@wdormann) November 23, 2020

The analyst further advised in the same thread, “Don’t run games on systems you care about, folks.”

“My bug was marked duplicate of a bug that was closed a year and a half ago. I don’t get the impression that they’re fixing it.”

On digging deeper, it seems Steam has received similar reports before concerning privilege escalation vulnerabilities either via Windows registry attacks or through file permissions, that were all dismissed.

For example, an advisory for a five-year-old vulnerability, CVE-2015-7985, states that the weak default permissions on Steam installation folders grant Windows users in a group both read and write access.

This means an attacker or a malicious program can modify or replace steam.exe with an arbitrary malicious binary.

Since steam.exe typically launches itself automatically on start, if an administrator was to log onto a shared system, the malicious code (now disguised as steam.exe) would execute with full admin rights, which can wreak havoc on the system and the network it is present on.

Likewise, another user had tweeted last year how Steam’s VDF files could be abused to launch arbitrary executables and gain persistence.

fun fact, steam .vdf files can be used to call arbitrary executables (once) upon a games initial setup/cache validation/uninstall #persistence pic.twitter.com/Q8ZF8afFw2
— checky llmander (@checkymander) November 4, 2019

It does not appear the company plans on fixing these trivially fixable, yet serious flaws anytime soon.

In the meantime, users should refrain from installing Steam on mission critical systems.

Security Report reached out to Valve for comment but we did not hear back.

About the author

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

See author's posts