Manipulated image shows cockroaches on shattered logo for streaming site Steam.

Enlarge / Breaking bugs are as described—a security flaw in Steam's client service allows easy execution of arbitrary code as LOCALSYSTEM. (credit: Aurich Lawson / Getty Images)

Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.

The vulnerability lies within Steam Client Service. The service may be started or stopped by unprivileged users. This becomes a problem because, when run,Steam Client Service automatically sets permissions on a range of registry keys. If a mischievous—or outright malicious—user were to symlink one of these keys to that belonging to another service, it becomes possible for arbitrary users to start or stop that service as well. This becomes even more problematic when you realize that it's possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.

Following a <a href="https://www.reddit.com/r/Steam/comments/cn3303/steam_windows_client_local_privilege_escalation/ew6z042/">demonstration</a> I saw from Redditor /u/R_Sholes today, I used an unprivileged user account to write a file to C:\Windows\System32 as LOCALSYSTEM. That's game over, for those of you playing along from home.

Following a demonstration I saw from Redditor /u/R_Sholes today, I used an unprivileged user account to write a file to C:\Windows\System32 as LOCALSYSTEM. That's game over, for those of you playing along from home. (credit: Jim Salter)

The image walkthrough above follows a few simple steps:

Read 9 remaining paragraphs | Comments

Top