TL;DR:
A bounty hunter finds a vulnerability in Steam that allows privilege escalation on Windows.
He submits it to HackerOne so that Valve is notified and can patch it before it is published.
HackerOne initially rejects it, then lets it through so that it reaches Valve, and a few weeks later it is rejected.
The bounty hunter gets angry and publishes the details on his blog, with several gems:
I have been searching for vulnerabilities for a number of years and I thought I had seen a lot, but there is a part of the work that I cannot understand and cannot accept. This is vendors’ absolute unwillingness to accept information about vulnerabilities and problems. I understand that it is very unpleasant when someone directly shows you that you made a mistake and, most likely, not one. It is difficult to confirm in public sources that there were problems, that the staff did something wrong. However, I don’t understand why a vulnerability report is rejected.
Well, I want to talk about Steam by Valve Software.
I reported this vulnerability to Valve via HackerOne.
Here the first unexpected obstacle happened: before Valve, I had to pass HackerOne’s staff review (because Valve uses the «Managed by HackerOne» feature on H1). I thought it would be easy. How could something go wrong, if I provided a text description and a PoC as an executable file, which spawned an interactive command line console as NT AUTHORITY\SYSTEM? Therefore, I got “not applicable” with the cause «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem». I was like “Are you serious? There is not even a single file operation!”.
I wrote some comments and another H1 member tried to reproduce my steps. After some conversations, he confirmed the report and sent it to the Valve security team. Hooray! Mission accomplished. Or not…?
Some weeks later, another (third) H1 member marked the report as “N/A”. Now there were two causes: «Attacks that require the ability to drop files in arbitrary locations on the user's filesystem» and «Attacks that require physical access to the user’s device». Here I realized that Valve has no interest in EoP vulnerabilities.
45 days have passed since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.
I am very disappointed. A big, serious company speaks pathos-filled words about the importance of security and, at the same time, makes your computer defenseless. In fact, Steam allows every program you run to be granted high privileges.
It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get the maximum privileges. Are you sure that a free game made of garbage by an unknown developer will behave honestly? Do you believe that for a 90% discount you will not get a hidden miner? Of course, some of the threats will remain even when run without administrator rights. However, the high rights of malicious programs can significantly increase the risks: programs could disable antivirus, use deep and dark places to hide, change almost any file of any user, and even steal private data.
Due to the popularity of Steam, there is a large number of potential victims. In 2015, Valve reported that there were 125 million active accounts on Steam. Yes, not all Steam users have Windows as their OS, but most of them do. Some users have multiple "live" accounts on a single machine; however, the scale of the problem is still impressive.
Oh... What if there is no coincidence and the behavior is insecure by design? What if Steam is a kind of legal backdoor? It is impossible to convict Valve, but putting all the facts together:
There is the vulnerability, which is easy to exploit and works reliably, providing high rights.
And it seems like there is not only one, according to this Twitter thread: https://twitter.com/enigma0x3/status/1148031014171811841. It is easy to find the vulnerability. I am not sure that I'm the first who has found it, but I am the first one who wrote about it.
Valve declined the report about the EoP vulnerability and similar ones. Moreover, the scope of incoming reports was specially reduced to exclude EoP reports.
To me, it looks like Valve wants these EoP vulnerabilities to be present in the software.
It does not look good. I do not recommend deleting Steam, but you should be aware and careful with it. Valve does not care about your security, so you are the only one who should.
This article was ready for publication by July 30 (this date was chosen due to the 45-day deadline since the initial vulnerability report was sent). So, two weeks after my message, which was sent on July 20, a person appeared who told me that my report was marked as not applicable; they closed the discussion and wouldn’t offer any explanation to me. Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned on H1 because of it, but it won't make me upset.
With people doubting the exploit, another bounty hunter publishes his proof of concept:
He also explains that the same thing had already happened to him before:
Ars Technica picks up the story and explains the process to reproduce it for dummies.
It also appears on sites such as Hacker News, with users explaining that there have been other similar bugs since 2015 that have not been fixed.