Steam, a popular video game platform, is vulnerable to privilege escalation attacks. On Windows PCs, Steam creates its installation directories with improper permissions.
This can let a user, an attacker, or worse, malware abuse Steam executables to escalate privileges.
This week, Will Dormann, a vulnerability analyst at CERT/CC, tweeted, “You probably shouldn’t make your install dir world-writable. Unexpected stuff could happen.”
In his tweet, Dormann was referring to how his vulnerability report on the issue was closed by Valve—the company behind Steam.
According to Dormann, the company stated that “file placement” attacks were out of scope and closed his vulnerability report without further action.
The analyst further advised in the same thread, “Don’t run games on systems you care about, folks.”
“My bug was marked duplicate of a bug that was closed a year and a half ago. I don’t get the impression that they’re fixing it.”
Digging deeper, it seems Steam has previously received similar reports of privilege escalation vulnerabilities, either via Windows registry attacks or through file permissions, all of which were dismissed.
For example, an advisory for a five-year-old vulnerability, CVE-2015-7985, states that the weak default permissions on Steam installation folders grant Windows users in a group both read and write access.
This means an attacker or a malicious program can modify or replace steam.exe with an arbitrary malicious binary.
Since steam.exe typically launches itself automatically on start, if an administrator were to log on to a shared system, the malicious code (now disguised as steam.exe) would execute with full admin rights, which can wreak havoc on the system and the network it is connected to.
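To check whether a given machine is exposed to the weak-permission condition described above, the following PowerShell audit lists access rules that let broad, non-admin groups write to the install directory or its executables. It is an added example, not code from Valve, the advisory, or Dormann's report; the default path, the choice of well-known SIDs, and the function name `Get-WeakAce` are assumptions made for illustration.

```powershell
# Added example: flag Allow ACEs that give broad groups write access.
# Assumption: Steam lives in the usual 32-bit Program Files location; pass -InstallDir otherwise.
param(
    [string]$InstallDir = "${env:ProgramFiles(x86)}\Steam"
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Bits that allow planting or replacing files: WriteData, AppendData,
# DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership,
# plus GENERIC_WRITE and GENERIC_ALL (seen on inherit-only ACEs).
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 `
             -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so localized group names do not matter
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: skip
        if ($broadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit the directory itself and the executables directly inside it (steam.exe included)
$targets = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -File -Filter *.exe |
                              Select-Object -ExpandProperty FullName)
$findings = @($targets | ForEach-Object { Get-WeakAce -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    "No broad write access found under $InstallDir"
}
```

Any row in the output means a standard user on that machine can modify the listed path, which is the precondition for the steam.exe replacement scenario.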
Likewise, another user tweeted last year about how Steam’s VDF files could be abused to launch arbitrary executables and gain persistence.
It does not appear the company plans on fixing these trivially fixable yet serious flaws anytime soon.
In the meantime, users should refrain from installing Steam on mission-critical systems.
Security Report reached out to Valve for comment but we did not hear back.