The reported vulnerability is a privilege escalation flaw: a mistake in the application's handling of privileges lets users with limited rights launch executable files with elevated or administrative privileges.
Given that the Steam platform has more than 100 million registered users and millions more potential users, the risk that malware abuses this flaw to carry out unwanted activity is serious.
At startup, the service launches its executable on Windows with SYSTEM privileges, Felix said. The researcher also noticed that the service could be started and stopped by members of the Users group, which in practice includes almost every account that logs on to the computer.
He also found that on each start and stop, the service grants the Users group full write access to the subkeys under the HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps registry key.
Initially, the registry entry for the service itself could not be written by the Users group, so it could not simply be modified to start another executable with administrative privileges. After further research, however, Felix found an unconventional way to elevate an ordinary user to full administrative privileges:
I created the test key HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test, restarted the service (Procmon log above), and checked the registry key permissions. Here I found that HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit full-control rights for the Users group, which all subkeys inherit.
Assuming that RegSetKeySecurity sets the same permissions, some interesting things happen if there are symbolic links. I created a link from HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps\test to HKLM\SOFTWARE\test2 and restarted the service.
Felix then tried linking from one of these subkeys to another key on which he did not have sufficient privileges. After restarting the service, he found that this key had become writable as well.
The researcher realized that any registry key could be made modifiable by creating a symbolic link from a subkey under HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps to a protected registry key and then restarting the service.
On this basis, the privilege escalation vulnerability lets a low-privileged user modify a service that runs with SYSTEM privileges, and so launch a different program with those higher privileges.
After Felix disclosed the vulnerability, another researcher, Matt Nelson (known by the alias enigma0x3), independently found the same privilege escalation. He shared a PoC script on GitHub that abuses the vulnerability.
Nelson's PoC creates a symbolic link to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service so that it can change the executable that is started when the service restarts.
Nelson and Felix both reported the problem to Valve as soon as they found it, but neither received an official response about a fix, and Valve refused to pay them a bounty.
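The chain described above depends on two conditions an administrator can check directly: a low-privileged group holding write rights (inheritable to subkeys) on the Steam registry tree, and a SYSTEM service that those same users are allowed to start and stop. The following read-only audit script is an added example written for this article, not code from either researcher or from Valve; it assumes a default 64-bit Windows installation, uses the key and service names given in the article, and reports findings without changing anything.

```powershell
# Added example (not from the article, the researchers, or Valve): audit the
# registry keys and the service that the Steam privilege-escalation chain relies on.
# All checks are read-only. Assumes a default 64-bit Windows install; key and
# service names are taken from the article above.

$keysToCheck = @(
    'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam',
    'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\Apps'
)

# Principals that should never hold write access on an HKLM key consumed by a SYSTEM service.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets a caller rewrite the key or its ACL; FullControl contains all of them.
$writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Find-WeakRegistryAcl {
    # Emits one object per Allow ACE that grants a low-privileged principal write rights.
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            Write-Output "[info] $path is not present on this machine"
            continue
        }
        $acl = Get-Acl -Path $path
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
            if (($rule.RegistryRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Key        = $path
                Principal  = $rule.IdentityReference.Value
                Rights     = $rule.RegistryRights
                Inherited  = $rule.IsInherited
                # ContainerInherit means every subkey (including ones created later) gets the same ACE.
                InheritsTo = $rule.InheritanceFlags
            }
        }
    }
}

function Get-ServiceExposure {
    # Shows what the service runs as, what it launches, and who may control it.
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        Write-Output "[info] service '$Name' is not installed"
        return
    }
    [pscustomobject]@{
        Name      = $svc.Name
        RunsAs    = $svc.StartName   # 'LocalSystem' means SYSTEM privileges
        ImagePath = $svc.PathName    # the executable launched on every (re)start
        # Service DACL in SDDL form. In this notation RP is SERVICE_START and WP is
        # SERVICE_STOP; either granted to IU (Interactive) or BU (Users) means an
        # ordinary logged-on user can bounce the service.
        SDDL      = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' })
    }
}

Write-Output '=== Registry ACEs granting write access to low-privileged principals ==='
Find-WeakRegistryAcl -Paths $keysToCheck | Format-Table -AutoSize

Write-Output '=== Service configuration and control rights ==='
Get-ServiceExposure -Name 'Steam Client Service' | Format-List
```

Run it from an elevated PowerShell prompt so that Get-Acl can read the key security descriptors. A finding in the first section combined with RP/WP for IU or BU in the second section reproduces the two preconditions the article describes; the corrective action on the defender's side is to remove the inheritable write ACE for the Users group from the Steam key (or have the vendor stop re-applying it on restart) and to restrict service start/stop to administrators.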
Source: Lei Feng Net. Responsible editor: Wang Fengzhi_NT2541