03 January 2019

SmartTV Insecurity - details of vulnerabilities affecting Samsung D6000 series and Philips (2013 models) [27 May 2014]

This post is derived from the slides (page 35) of our presentation at PHDays IV in 2014:

The following are the referenced videos:

Attack Surface

  • As you might have guessed there are a lot of different ways to attack a SmartTV
  • To get a better understanding let’s take a look at a real world device
  • We will just focus on a subset of the device attack surface
  • To do that we take in consideration the following schema related to a Philips SmartTV
...

Attack Surface - WiFi


WiFi adapter of the TV acting as access-point listening for WiFi
connections.
The Miracast protocol is composed by out-of-band WiFi packets, protocols
and codecs.


A vulnerability in Miracast allows the attacker to access the TV from outside your house.


...

Attack Surface - LAN

  • Most of the SmartTV issues are related to services exposed via LAN:
  • UPNP
  • Video/Audio service (like DirectFB)
  • Various HTTP/HTTPS servers
  • Network remote controller
  • Media sharing
  • Status and information
  • First thing to try on your SmartTV is using NMAP:
  • You will see a number of different TCP and UDP ports open
  • Some of them awaiting for you to connect :]
  • If you try to send some junk data to these ports you might get some easy way to crash/reboot the TV, a starting point to investigate
  • The TV also scans the LAN, an attacker can passively exploit vulnerabilities


Real World Issues







Samsung #1 (1)

Date: 2012

Tested device: Samsung SmartTV D6000

Affected Service/Protocol: DMRND, an HTTP server listening on ports 52253 and 52396

Vulnerability: Directory Traversal, which allows to download any file available on the device except special files like those in /proc

Details: The server has a security check to allow people to download files having only whitelisted file extensions (jpg, png, ..). To bypass the check the attacker needs to append a NULL byte followed by the whitelisted extension:
  • http://SERVER:52235/../../etc/passwd%00.png




Samsung #1 (2)

  • Download all the filesystems from the remote TV
  • Download the filesystems related to all the connected USB devices






Samsung #1 (3)


  • TV controller configuration file, it contains the parameters used by the whitelisted remote controller
  • Configuration file used by the our PC program, we need only to copy the above parameters here
These fields are not part of the Ethernet packets, but are defined inside the protocol itself so it’s possible to spoof the IP, MAC address and hostname to allow an attacker in the network to impersonate the whitelisted TV controller





Samsung #1 (4)

  • Now we can control the TV when the victim is not watching
  • The attacker can install arbitrary malicious Apps on the TV using the “develop” account






Samsung #2 (1)

Date: 2012

Tested device: Samsung SmartTV D6000

Affected Service/Protocol: DLNA client

Vulnerability: Buffer overflow exploitable as soon as the device tries to download the icon image associated to a DLNA host






Samsung #2 (2)


NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Location: http://192.168.0.3:56923/test.xml
NTS: ssdp:alive
Cache-Control: max-age=1800
Server: UPnP/1.0 DLNADOC/1.50 Platinum/0.6.8.0-bb
USN: uuid:00000000-0000-0000-0000-
000000000000::urn:schemas-upnp-org:device:MediaServer:1
NT: urn:schemas-upnp-org:device:MediaServer:1


Samsung #2 (3)


<iconList>
    <icon>
        <mimetype>image/png</mimetype>
        <width>48</width>
        <height>48</height>
        <depth>32</depth>
<url>/images/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaa [...]


Samsung #3

Date: 2012

Tested device: Samsung SmartTV D6000

Vulnerability: Persistent Endless Loop

Details: The controller packet contains a string, which is used to identify the controller itself. A malformed string will trigger an endless loop. The only way to fix this issue is to access the device service mode before the reboot.



Philips Miracast (1)

  • Found in 2014
  • ALL the Philips TV 2013 models are affected
  • Silently exploitable probably from Summer 2013
  • No PIN
  • No authorization request
  • Hardcoded fixed password… Miracast” :)
  • Full access to the TV services just like in LAN
  • Exploiting of directory traversal in JointSpace
  • Abuse of the available services
  • Let’s check what we can do…


Philips Miracast (2)

  • Controlling the TV from remote 

Philips Miracast (3)

  • Sending audio and video to the TV… the TV is talking to you!



Philips Miracast (4)

  • Stealing configuration files and cookies via a directory traversal public from September 2013 but unfixed



Conclusion

  • SmartTV are insecure
  • SmartTV are a perfect target for “monitoring” a specific target: a person or even a company (TVs are everywhere)
  • Exploiting them usually requires to be in the LAN or some user interaction
  • Currently it’s difficult to have a vulnerability for owning many models of TV, so you must focus on the one of your target

08 December 2018

Exploiting Steam Lobbies and Matchmaking [18 Sep 2014]

 

EXPLOITING STEAM LOBBIES AND MATCHMAKING

BY LUIGI AURIEMMA

Description of the security vulnerabilities that affected the Steam lobbies and all the games using the Steam Matchmaking functionalities.

Revision 1 

Introduction

STEAM

"Steam is an internet-based digital distribution, digital rights management, multiplayer, and communications platform developed by Valve Corporation. It is used to distribute games and related media from small, independent developers and larger software houses online." (link)

It's not easy to define Steam because it's not just a platform for buying games but also a social network, a market for game items, a framework for integrating various functionalities in games, an anti-cheat, a cloud and more.

But the most important and attractive feature, from a security point of view, is its incredible diffusion (link)(link).

MATCHMAKING AND LOBBIES

Steam offers a simple and efficient way to allow games to provide online multiplayer functionalities to their users by using Steam Matchmaking.

Steam Matchmaking can be compared to a chat server where any user can create his own room (the “lobby”) that will appear in a public online list and other players can join it. 

It’s possible to configure the lobby in various ways, for example adding custom parameters like name and game data, maximum number of joinable players, making it non-joinable or private or for friends only, sending chat messages, running a game server and more. 

The interaction with this matchmaking system is granted by the set of Steamworks APIs contained in the IsteamMatchmaking class, so any game can use this feature. 

Many games use the Steam lobbies for online gaming: Counter Strike Global Offensive, Left for Dead 1 and 2, Borderlands 2, Payday 2, the Codemasters games (Dirt, Grid and F1 series) and any multiplayer game sold on Steam that is not based on the Source engine or proprietary solutions. 

Steam Matchmaking gained some notoriety in the last years due to the “migration” performed by the developers/publishers of many games from a master server architecture, private or hosted by Gamespy, to the Steam one. This solution granted some of them to survive from the Gamespy shutdown of May 2014.



Steam lobbies and security risks

HOW THE STEAM LOBBIES WORK

In technical terms the concept of the Steam lobbies is quite simple:
  • An user starts a lobby (CreateLobby)
  • He sets some lobby parameters (SetLobbyData)
  • The other users can view the new lobby when they query the list of public lobbies (GetLobbyByIndex)
  • The users join the lobby (JoinLobby)
  • At this point joining the game server (which is separate from the Steam lobby) is game dependent, some games use SetLobbyGameServer, others get the lobby owner’s SteamID (GetLobbyOwner), others put that ID in a lobby parameter, others specify the IP and port of the server instead of the SteamID and so on
  • When the clients have the owner’s ID, they can join his game server using the Steam Networking API (SendP2Ppacket)
What is visualized in-game to the players is not different than any other “master server“-based game, additionally Steam automatically sorts the lobbies based on the geographic distance between the lobby’s owner and the user who requested the list to allow the quick-matchmaking feature (auto-joining servers with best ping and maybe with players of same nationality). 



SECURITY TESTING AND EFFECTS

The vulnerabilities in the Steam Matchmaking have been found during a research commissioned by Epic Games regarding the third-party libraries and services used in their Unreal Engine 4

The tests have been started the 25th July 2014. 

Some issues were discovered with the following security effects:
  • Takeover of the lobby owned by other users
  • Forcing all the players in a lobby to leave it and joining an inexistent game server
  • Setting custom parameters of any lobby
  • Making any lobby not publicly visible
  • Performing these operations without even joining the lobby


The main effect of these vulnerabilities, affecting the Steam back-end network, is that an attacker can deny the online gaming of several known and played multiplayer games with a simple and silent attack performed in a couple of seconds.

VULNERABLE VERSIONS

The Steam back-end network that handles the lobbies was vulnerable till the 17th September 2014.

NON-VULNERABLE VERSIONS

Currently all the reported issues have been fixed.
An undefined number of old games has been left vulnerable (“whitelisted”) due to how they implement the Steam Matchmaking, probably because their P2P oriented gaming requires that any user can act as co-owner of the lobby. For these games may be released game-related patches in future if necessary.
No further details are available.



Description of the issues

SETLOBBYGAMESERVER DENIAL OF SERVICE

Joining a game server, after having joined a lobby, is a game-dependent operation. 


Steamworks in its SpaceWar example game, used to show to the game developers how to implement the Steamworks API, suggests to use the SetLobbyGameServer API and automatically joining the server upon the execution of a specific callback.

When that API is executed Steam sends an event to all the users in the target lobby that will execute the LobbyGameCreated_t callback and adds the following lobby parameters:
  • __gameserverIP – IP address of the game server or 0
  • __gameserverPort – port of the game server or 0
  • __gameserverSteamID – SteamID of the user running the server or 0

Valve suggests that the default behavior is leaving the lobby and connecting to the game server:
//-----------------------------------------------------------------------------
// Purpose: A game created a game for all the members of the lobby to join,
//          as triggered by a SetLobbyGameServer()
//          it's up to the individual clients to take action on this; the usual
//          game behavior is to leave the lobby and connect to the specified game server
//-----------------------------------------------------------------------------

struct LobbyGameCreated_t
{
    enum { k_iCallback = k_iSteamMatchmakingCallbacks + 9 };

    uint64 m_ulSteamIDLobby;         // the lobby we were in
    uint64 m_ulSteamIDGameServer;    // the new game server that has been created or found for
                                     // the lobby members
    uint32 m_unIP;                   // IP & Port of the game server (if any)
    uint16 m_usPort;
};


That’s the default behavior that happens with SpaceWar, AlienSwarm, Borderlands 2 and some other games. 


That API can be called not only by the owner of the lobby but also by any other user that joins that lobby, this is the reason why this feature can be abused to force the other players to leave the lobby trying to join an arbitrary IP or SteamID. 


Performing this operation against all the available lobbies of an affected game, will result in the absence of online lobbies and in clients that try to connect to inexistent servers. In some games like Alien Swarm there are no visible effects for the owner of the lobby and other players, they will silently leave the lobby (that will be automatically deleted when left by the owner) but nothing is shown to the players.



TAKEOVER OF STEAM LOBBIES

Steamworks provides various ways to the users for controlling and customizing their lobbies:

- SetLobbyData and DeleteLobbyData
Adds, modifies and deletes the lobby parameters, for example “name”


- SetLobbyMemberLimit
Limits the amount of users who can join the lobby


- SetLobbyType
Allows to set the lobby as:
  • Private: invisible to the public list and to the friends
  • FriendsOnly: invisible to the public list, but visible to the friends
  • Public: default
  • Invisible: allows an user to join two lobbies 

SetLobbyJoinable
Allows to make the lobby non-joinable


- SetLobbyGameServer
The API seen before 


The following are some real examples of Steam lobbies taken from Borderlands 2, F1 2013, XCom-Enemy-Unknown and Payday 2, they are useful to understand better what are the lobby parameters:
lobby 109775241376664452 - 459508612 393216 8 1
  BuildUniqueString: BORDERLANDS2-1.8.3W
  CurrMission: 7
  CurrPlotMission: 7
  DlcFlag: 1
  DlcMapContentId: 0
  DlcMapPackageId: 0
  gameMode: 0
  HostExpLevel: 31
  IsPublic: 1
  OwningPlayerName: TRUCKERBOX
  PlayThrough: 1
  __gameserverIP: 0
  __gameserverPort: 0
  __gameserverSteamID: 765611981062*****

lobby 109775241376111944 - 458956104 393216 8 1
  268435458: 65365
  536870936: 0
  SteamLobbyGameMode: 0
  SteamLobbyGameType: 0
  SteamLobbyHostId: 765611980157*****
  SteamLobbyHostName: ICEMAN
  SteamLobbyOpenSlots: 15
  SteamLobbyVisibility: 0

lobby 109775241373641018 - 456485178 393216 8 1
  268435468: 0
  268435469: 0
  268435470: 90
  268435471: 10000
  268435472: 0
  268435474: 0
  268435488: 1724
  268435489: 28398179
  32779: 0
  553648128: 9212610293214#24968160127#
  bIsDedicated: False
  BotPlayerCount: 0
  bUsesStats: True
  GameSettings: XComOnlineGameSettingsDeathmatchRanked
  GameTags: XComMPLobbyGame
  MapName: XComShell
  MaxPlayerCount: 1
  NumOpenPrivateConnections: 0
  NumOpenPublicConnections: 1
  NumPrivateConnections: 0
  NumPublicConnections: 2
  OwningPlayerId: 765611980191*****
  OwningPlayerName: Kharon
  PasswordProtected: 0
  ServerName: Kharon
  SteamEngineVersion: 8916
  __gameserverIP: 0
  __gameserverPort: 0
  __gameserverSteamID: 900914655904*****

lobby 109775241376713535 - 459557695 393216 8 1
  difficulty: 5
  drop_in: 1
  job_class_max: 80
  job_class_min: 80
  job_id: 28
  kicking_allowed: 1
  level: 57
  lobby_type: public
  min_level: 0
  num_players: 1
  owner_id: 765611980432*****
  owner_name: rendoman
  payday2_v1.12.4: true
  permission: 1
  state: 3
  __gameserverIP: 0
  __gameserverPort: 0
  __gameserverSteamID: 765611980432*****

These APIs can be called by any user, not only the lobby owner and, moreover, they can use used even from outside the lobby. That means an attacker is able to silently delete any online lobby without even joining them and resulting in a multiplayer game without online matches to join.


The proof-of-concept

A proof-of-concept is available as reference for the issues:
Please note that the issues have been fixed and that proof-of-concept no longer works, except for the whitelisted games.

FAQ

What was the impact of these issues?
A single attacker, without particular network or bandwidth requirements, was able to make many multiplayer games unplayable online with zero lobbies/matches to which connecting. The attack was silent and performed in some seconds without even joining the target lobbies.


Were these issues critical?
Yes, without Steam lobbies it’s not possible to play online with many multiplayer games sold on Steam.


Are these issues fixed now?
Yes, all the issues have been definitely fixed the 17th September 2014.
Some old games have been left whitelisted by Valve due to backward compatibility (basically their multiplayer has been designed to work in that way) and so they may be still vulnerable “by design”.


Was the attack performed against the users’ computers?
No, the Steam lobbies are handled by the Steam back-end network.


Does the attacker need to own the target games to attack them?
It depends by the game, retrieving the list of online lobbies is an operation usually available to who owns the game but some games can be queried even from accounts that don’t own them.


Was/is the game X vulnerable?
There is a short list of some tested games in the Introduction section.
If you want to know if a game uses the Steam lobbies you can use some tools, while if you are interested to test it you can use the proof-of-concept provided in the previous section of this paper.



History

  • 25 Jul 2014 Security issues initially found
  • 04 Aug 2014 Vulnerabilities reported to Valve after more tests on various games
  • 12 Aug 2014 The APIs can be no longer called from outside the lobbies without joining
  • 23 Aug 2014 Some mitigations implemented by Valve, still possible to make lobbies private
  • 17 Sep 2014 After many e-mails all the remaining issues have been fixed, only the owners of the lobbies can perform operations on them

Steam Service Security [10 Jul 2014]

 

STEAM SERVICE SECURITY

BY LUIGI AURIEMMA

How a malware or an exploit can use the Steam local service to escalate its
privileges.
 
ReVuln Ltd.
http://revuln.com
@revuln
info@revuln.com

Revision 1

Introduction

STEAM

"Steam is an internet-based digital distribution, digital rights management, multiplayer, and communications platform developed by Valve Corporation. It is used to distribute games and related media from small, independent developers and larger software houses online." (link)

It's not easy to define Steam because it's not just a platform for buying games but also a social network, a market for game items, a framework for integrating various functionalities in games, an anti-cheat, a cloud and more.

But the most important and attractive feature, from a security point of view, is its incredible diffusion (link)(link).

STEAMSERVICE

In 2007 Valve introduced a new local Windows service in Steam for handling the tasks that require Administrator privileges and maintaining the main client process Steam.exe under the normal limited privileges of the current user.

This is a common practice adopted by many software developers moreover after Microsoft introduced the UAC technology from Windows Vista. In fact the secondary job of such service is avoiding to annoy the user with continuous Windows popups requiring the confirmation for using higher privileges.

The service is used also for monitoring the processes of the running games and it's part of Valve anti-cheat (VAC).

In Steam the local service that performs these operations is called "Steam Client Service", a Manual service with SYSTEM privileges. The service can be started by any user but it will terminate immediately if some requirements are not met.

The service is automatically started by Steam when launched and it remains active till Steam is working.

The "Steam Client Service" is a required component.

WHY IT’S INTERESTING

What's interesting about this service is that it can be abused by malicious programs (malware) for performing various tasks with high privileges and that's quite important considering that Steam is one of the most diffused software available.

VULNERABLE VERSIONS

Steam package versions: 1404163764
Steamservice.*: 2.30.30.94

NON-VULNERABLE VERSIONS

None.
As a personal project, this document has been released publicly without contacting Valve.

How Steamservice works

The service uses an IPC interface for communicating with the Steam process, the access to the interface is performed using events and shared memory. Named pipes were used in past versions.

Exist many ways to perform IPC and the following are the current steps for starting to communicate with the SteamService:
  • create a Global\Valve_SteamIPC_Class event
  • create a Steam3Master_SharedMemFile mapped file
  • create a Steam3Master_SharedMemLock event
  • launch the service, any user without privileges can do it
  • open the Global\SteamClientService_SharedMemLock event
  • open the Global\SteamClientService_SharedMemFile mapped file
  • take the handles from the structure located on the mapped file
Note that such steps are necessary only if we use a stand-alone tool to access SteamService, so if Steam is already running we can inject our code in its process or we can just kill it and use the IPC or replace some Steam libraries and so on.

The service will verify that our process has the steam.exe name and that its own steamservice.dll shared library (C:\Program Files (x86)\Steam\bin\steamservice.dll) is correctly signed by Valve.

If steamservice.dll doesn't have a signature or it's signed with a different certificate, the service will terminate immediately.

No signature verification – DLL hijacking

THE ISSUE

The verification of the signature of steamservice.dll is performed for security reasons because the folder where is located the service executable cannot be modified by the user but the Steam folder used by the dll is fully writable and cannot be trusted.

But this check is completely useless because steamservice.dll depends by other libraries located in the Steam folder that are not verified at all and can be replaced by a malware to execute its code inside the service with SYSTEM privileges.

The following are the libraries that can be used by the malware:
  • crashhandler.dll
  • dbghelp.dll
  • tier0_s.dll
  • vstdlib_s.dll
  • dnsapi.dll (Windows dll searched in the local folder)
  • version.dll (Windows dll searched in the local folder)
  • winmm.dll (Windows dll searched in the local folder)
DLL hijacking is an issue which is quite common and it’s perfect to escalate privileges to SYSTEM, at this point a malware requires nothing else for its job.

TESTING

Testing this behaviour is very simple:
  • terminate Steam
  • create your own dll
  • copy your dll in the Steam folder with the name winmm.dll
  • start the service: sc start "Steam Client Service"
Example of custom winmm.dll executing cmd.exe as SYSTEM:


Abusing the service for privileged tasks

OUR GOAL

Even if it’s easy to execute the own code as SYSTEM with the previous design issue, this paper would like to focus on how it's possible to abuse a legitimate service without using security vulnerabilities and design issues. So let's take a look at what is possible to do with its features in a scenario in which DLL hijacking is not possible or should be avoided.

THE IPC INTERFACE

The IPC protocol is composed by some commands, the following are the functions of the main one:
  • IClientInstallUtils::SetUniverse
  • IClientInstallUtils::AddShortcut
  • IClientInstallUtils::RemoveShortcut
  • IClientInstallUtils::RemoveFromGameExplorer
  • IClientInstallUtils::AddRichSavedGames
  • IClientInstallUtils::RemoveRichSavedGames
  • IClientInstallUtils::AddToMediaCenter
  • IClientInstallUtils::RemoveFromMediaCenter
  • IClientInstallUtils::AddUninstallEntry
  • IClientInstallUtils::RemoveUninstallEntry
  • IClientInstallUtils::AddToFirewall
  • IClientInstallUtils::RemoveFromFirewall
  • IClientInstallUtils::RegisterSteamProtocolHandler
  • IClientInstallUtils::FixupSteamClientShortcuts
  • IClientInstallUtils::RunInstallScript
  • IClientInstallUtils::AddInstallScriptToWhiteList
  • IClientInstallUtils::GetInstallScriptExitCode
  • IClientModuleManager::LoadModule
  • IClientModuleManager::UnloadModule
  • IClientModuleManager::CallFunctionAsync
  • IClientModuleManager::CallFunction
  • IClientModuleManager::PollResponseAsync
  • IClientProcessMonitor::RegisterProcess
  • IClientProcessMonitor::UnregisterProcess
  • IClientProcessMonitor::TerminateProcess
  • IRegistryInterface::BGetValueUint
  • IRegistryInterface::BSetValueBin
  • IRegistryInterface::BDeleteValue
  • IRegistryInterface::BDeleteKey
  • IRegistryInterface::BKeyExists
  • IRegistryInterface::BSetValueStr
  • IRegistryInterface::BSetValueUint
  • IRegistryInterface::BGetSubKeys
  • IRegistryInterface::BGetValues
  • IRegistryInterface::BEnumerateKey
  • IRegistryInterface::BGetValueStr
  • IRegistryInterface::BGetValueBin
  • IRegistryInterface::BenumerateValue


THE EXPLOITABLE COMMANDS 

 

AddShortcut
It's used for placing a “link” file anywhere we desire, it’s commonly used by games for placing their links on the Desktop of all the users.
If there is an Administrator account in the system, it's possible to create a link to our malware in the Startup folder to automatically execute it with such privileges:
  • before Vista - c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\evil.lnk
  • Vista/Win7/8 - c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.lnk
When we call the command RemoveShortcut the extension of the link file must be ".lnk" but with AddShortcut we have no restrictions and so we can also use it to overwrite any file on the system deleting the original content. 

AddToFirewall
Function used for adding a firewall rule to allow a specific program to receive incoming TCP connections and UDP packets, a solution for giving network access to a malware.

TerminateProcess
It terminates any desired process by specifying its PID.

It can be used for terminating the privileged processes of  various defensive solutions, for example before downloading the malicious code that may be identified by them or to avoid logging and so on.

If we kill the lsass.exe process we will force the system to reboot, useful if we make certain changes to the registry and the filesystem. 

BSetValue*
Functions that write data in the registry but are limited by a set of whitelisted registry locations, so the service can write only under the registry keys listed in the file registrykeys.vdf.

This file is located in the Steam folder and so it's writable but it contains a digital signature "kvsignatures" at its end, this signature is verified by the service.

Even if there is such limitation it's still possible to have room for executing the own code with higher privileges when it's performed the manual uninstalling of software and in some cases during their updating.

One of the whitelisted keys is “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" so we are able to set WindowsInstaller to zero and the UninstallString value with the path of our malware, and we can perform this operation for all the available registry entries with the effect of executing the malware automatically when one of them is uninstalled. 

RunInstallScript
This command is used together with AddInstallScriptToWhiteList for automatically executing executables decided by the installscript.vdf  script files  of the games, for example to install the necessary  pre-requisites like DirectX, VC runtime and so on (the interesting aspect is that these IPC commands are used by Steam only when it runs in “Big Picture” mode, instead normally the Steam application launches the steamservice.exe executable (so doesn’t interact with the service) using the /installscript argument and the user must confirm the privileged operation). 

AddInstallScriptToWhiteList adds the executables listed in the script, usually called installscript.vdf, into the whitelist and RunInstallScript executes them only if the same locations are used also in the runasadmin.vdf script.

The installation scripts have a digital signature and currently doesn’t seem possible to execute scripts that don’t have this field, but an attacker can use an already signed legit script to execute his own code located in any folder he desires.
In fact if we specify an unexistent game ID, Steam will consider the current folder as “installation folder” of the game allowing us to launch batch and executables located in any local and remote webdav/shared folder we desire.

The executables will have the same privileges of the Steam Service, SYSTEM.

Possible steps for an attacker

For the design issue related to the unverified libraries in the Steam folder it's enough to put our malware in the Steam folder with a specific filename and we will have SYSTEM privileges immediately after we start the "Steam Client Service". 

If this issue will be fixed or limited in future and we must rely on the features of the service, we may think to the following steps (remember that they are performed ever with SYSTEM privileges):
  • execute programs
  • use TerminateProcess to kill some antivirus processes, please note that this is not enough for defensive solutions that work via drivers 
  • download the core of the malware
  • use AddToFirewall to add a firewall rule for the malware
  • check if there is an Administrator account and use AddShortcut to put a link to the malware in its StartUp folder to automatically execute it when he will login
  • use the BSetValue* functions to perform the Uninstall trick and being able to execute the malware when a software will be uninstalled by the user
Other features of the service may be abused, those are just the main ones.


The proof-of-concept

A proof-of-concept tool has been created to test the IPC interface, the following are the links for the source code and the binary:
It’s a simple command-line tool called Steam.exe (necessary) that allows to call the service functions listed above and passing them any argument you desire, for example:
  • Steam.exe AddToFirewall "c:\windows\notepad.exe" "malicious_firewall_rule"
  • Steam.exe TerminateProcess 12345678
The tool works also with a text file containing the list of commands to execute, in the provided package there is an example called example_commands.ini which contains some example commands to test but please don’t use it if you have no idea of what it does, example:
  • Steam.exe example_commands.ini
There is also an archive called example_execution.zip which contains all the necessary files to execute a custom executable with SYSTEM privileges using the RunInstallScript function. You need to create a temporary partition or ramdisk on Z:\ for the quick test or you have to edit both the text files example_commands.ini and RunAsAdmin.vdf replacing z:\ with the full path you would like to use. 

Then launch “Steam.exe example_commands.ini” and you should see calc.exe spawning through a batch script, so you can easily edit the “Microsoft .NET Framework 4.0.cmd” script to execute what you desire. 

Please note that the IPC mechanism used in the tool is not complete and so the Steam Client Service process will remained freezed and you MUST kill it manually. This tool must be considered only a proof-of-concept.


FAQ

Is this issue a security vulnerability?
There is a design issue consisting in the missing verification of the signatures of the shared libraries loaded by the Steam Service that allows dll hijacking.
Additionally the service can be abused to perform various operations and launching executables as SYSTEM without using security vulnerabilities.

Can the service be accessed from remote?
No.

What operating systems are affected?
The issue is not dependent by the system, anyway both Windows 7 and Windows 8 have been tested.
On the operating system before Vista, like Windows XP, the Steam Client Service was not strictly necessary but Steam needs to have Administrator privileges in that case.

What's the main scenario for this issue?
It’s a typical post-exploitation scenario, for example a malware/exploit running with the privileges of the current limited user can abuse the Steam Service for gaining SYSTEM privileges or performing some operations with such high privileges with the target of hiding itself and remaining persistent in the system.

What can be done by a malware after it gets SYSTEM privileges?
It's possible to have full access to the Windows registry and the disk allowing the malware to hide itself and disabling any security software just like the Administrator account.

Is this issue critical?
No, but the huge diffusion of Steam and the possibility of becoming SYSTEM without security vulnerabilities or complex exploits and executing certain operations through a trusted service is quite interesting for a malware.

Do I need to have Steam or the Steam Client Service running on my computer for being vulnerable?
No, it's enough that Steam has been installed, doesn't matter when and if it's used or not.

What about SteamMachine and the Linux/MacOSX/PlayStation3 versions of Steam?
Sorry, they have not been tested.

How can Steam rebuild the registrykeys.vdf file?
When Steam is launched it automatically verifies all the local files and restores them by taking the original copies from the lzma compressed ZIP files located in the Package folder, that's why registrykeys.vdf is restored (and not rebuilt) by Steam everytime it gets modified.
Steam doesn't contain any private key or certificate.

Why SteamService.exe is located in both Steam\bin and Common Files\Steam?
The service is located in “C:\Program Files (x86)\Common Files\Steam” which is not writable by the normal limited user and it’s the exact copy of the one located in the bin folder of Steam. When the service runs it checks if there is a different steamservice.exe file in the bin folder (which is writable by the user), then checks the digital signature of that file and then executes it with the /Update argument. The update is executed with the same privileges of the service (SYSTEM), that’s why the new executable will be copied in the “Common Files\Steam” folder without user interaction, first as SteamServiceTmp.exe and then overwriting the original SteamService.exe.
That’s how the update process of the service works.

Have you reported these issues to Valve?
No.


History

  • Mar 2013 initial research on this topic
  • 01 Jun 2014 returned on the research to confirm the issues
  • 10 Jul 2014 public release