The popular Steam game client for Windows has a zero-day privilege escalation vulnerability that can let an attacker with limited permissions run a program as an administrator.
Privilege escalation vulnerabilities are bugs that allow a user with limited rights to launch an executable with elevated, or administrative, privileges. As Steam has over 100 million registered users and many of them playing at any one time, this is a serious risk that could be exploited by malware to carry out a variety of unwanted activities.
Two researchers publicly disclosed a zero-day vulnerability in the Steam client after Valve determined that the flaw was “Not Applicable.” The company decided not to award a bug bounty or give any indication that it would fix the issue, and told the researchers that they were not allowed to disclose it.
In a report published on Thursday, security researcher Felix was examining a Windows service named “Steam Client Service” that launches its executable with SYSTEM privileges on Windows. The researcher also observed that the service could be started and stopped by the “User” group.
However, the registry key for this service was not writable by the “User” group, so it could not be modified to launch a different executable and elevate its privileges to those of an administrator.
After Felix disclosed the vulnerability in a write-up, a second researcher named Matt Nelson, who is well known for finding privilege escalation vulnerabilities under the alias enigma0x3, created proof-of-concept (PoC) code that exploits the flaw. He shared the PoC on GitHub.
Nelson’s PoC creates a symlink back to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service so that it can change the executable that is launched when the service is started.
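The flaw described above hinges on who may write to the registry key that a SYSTEM service reads its executable path from. The following PowerShell script is an added example for defenders, not code from the article, from Valve, or from either researcher: it walks every key under HKLM:\SYSTEM\CurrentControlSet\Services and reports any key whose DACL grants write-type rights (SetValue, CreateSubKey, CreateLink, WriteKey, ChangePermissions, TakeOwnership, FullControl) to a low-privileged group, together with the ImagePath that would be launched. The list of group names in `$lowPrivGroups` is an assumption and can be extended; the script only inspects the key ACL, not the service's own start/stop permissions, which the article notes are a separate condition.

```powershell
# Added defensive audit example (not from the article or the researchers' PoC).
# Run from an elevated PowerShell prompt on the host being audited.

# Assumption: these are the principals we treat as "low privilege".
$lowPrivGroups = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a principal change what a service key points at,
# or re-point the key itself (CreateLink covers registry symlinks).
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Get-WritableServiceKeys {
    param([string[]]$Groups = $lowPrivGroups)

    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            try {
                $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
            } catch {
                # Some keys deny even read of the DACL; skip rather than abort the sweep.
                return
            }

            foreach ($ace in $acl.Access) {
                # Only explicit Allow entries for the principals we care about.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Groups -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

                $image = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                    ImagePath = $image
                }
            }
        }
}

# A healthy host returns nothing here: service keys are normally writable
# only by SYSTEM, Administrators and TrustedInstaller.
Get-WritableServiceKeys | Format-Table -AutoSize
```

Any row this returns is worth investigating: a low-privileged principal that can write a service key, or create a link at it, can redirect the ImagePath of a service that runs as SYSTEM. Remediation is to tighten the key's ACL (and that of any key it is reached through) so that only administrative principals hold write rights, and to confirm the service's own security descriptor does not let ordinary users start and stop it.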