• [FIXED] Possible Security Vulnerability Documented In Steam When Using Certain Internet Browsers

    Discussion in 'News' started by ríomhaire, Oct 16, 2012.

    Revuln, a software and hardware security company, has published a report and video proof-of-concept detailing security vulnerabilities of Steam. The vulnerabilities centre around Steam browser protocol commands. Like the normal http:// commands that tell your browser to load a website the steam:// protocols tell Steam to execute various functions. This allows users to, for example, download and install demos by clicking links on the Steam store page in their browsers. For instance copying the following command into your address bar and hitting enter should, assuming you have Steam installed, download and run Team Fortress 2: steam://run/440

    The first part of this vulnerability comes from the fact that some browsers, such as Safari, will execute these commands automatically upon receiving them without informing the user any action has been taken. Chrome is the most secure browser with a detailed warning including the full URL and the program to be called. Internet Explorer will display a warning and the URL and Firefox will simply ask for confirmation without warnings or details. Lesser used browsers that also execute without warning are Webkit, MaxThon, Avant and Lunascape. The browser used in Steam's in-game overlay completely ignores steam:// commands and as such is not vulnerable to this method at all.

    The second part of this vulnerability is the ability for a steam:// link to run a game with command line parameters, allowing the attacker to use vulnerabilities in Steam games themselves. One of the methods shown is to run Team Fortress 2 and have it create a .bat file in the user's Startup folder. This will cause the user's PC to execute any commands the attacker likes upon the next PC startup. Another possible vulnerability documented is related to the free-to-play game All Points Bulletin: Reloaded. The game features a customizable auto-update feature and it is possible to command it to connect to a server of the attacker's choosing where it will download whatever files it is given.

    You can read the report in its entirety here and watch the video demonstration here. If you are worried about these vulnerabilities you can minimize any risk by making sure your browser does not execute Steam protocol commands automatically. If entering steam://run/440 into your address bar causes Steam to launch or run Team Fortress 2 then without a prompt then you are vulnerable.

    If you are using Firefox or Chrome this means that you have previously told your browser to automatically run Steam commands. To remove this setting in Firefox press Alt, then go to Tools->Options->Applications, find Steam on the list of applications and change its action to always ask. To remove this setting from Chrome go to "C:\Users\<username>\AppData\Local\Google\Chrome\User Data" on your PC, open the "Local State" file in Notepad, search its contents for "steam" and change it's value to true.

    ---Update---
    In a Team Fortress 2 patch on October 17th, Valve updated the "con_logfile" for modern Source engine games including TF2, Day of Defeat: Source, Half-Life 2: Deathmatch and Garry's Mod.. Updating this file has removed the exploit outlined by ReVuln in their report. We imagine the rest of Valve's games will receive a similar update sometime soon, if they haven't already.
    Categories:

Comments

Discussion in 'News' started by ríomhaire, Oct 16, 2012.

  1. Spiderm4N
    the only "vulnerability" that I saw is safari executing without saying anything, the rest is just dumb user being dumb
  2. ríomhaire
    I'm sure someone can come up with a less childish way to use this but off the top of my head: Someone could put a button on their website that says "click here to join our server directly" which will launch TF2 on the user's PC and send them to a server, that way it doesn't look suspicious. It can also then tell TF2 to write a .bat file that deletes the system32 folder and put that file in Startup. Next time that user restarts their PC it will completely break Windows. These commands can also be sent just from you navigating to a website, so you don't even have to voluntarily click it. If you use a browser who's default behaviour is to launch it without asking (Safari) or you have previously told Chrome or Firefox to automatically associate steam:// links with Steam (which I had when I used one of the commands to install Codename: Gordon as it is the only way to install that game any more) then it can do all this just from you ending up on a website that is dodgy or has been hacked.

    I'm not expecting a massive wave of hackers to be using this and we shouldn't all be panicking, but it there's a known exploit and it can be avoided it's just sensible to take the steps to avoid it.
  3. Barnz
    Hey, I know you. You spammed hl2world's image gallery with Garry's Mod porn poses years ago.
  4. Spiderm4N
    most of it wasn't porn :<
    good times