TGN reports that some browsers will execute the steam:// protocol without so much as a single prompt to the user. Chrome, IE, and Firefox will all at least provide prompts to the user, with Chrome providing some more detailed information as to what that URL is attempting to do. The problem can also be found in browsers such as Webkit, MaxThon, Avant, and LunaScape. The fact that some browsers will not give enough information is only part of the problem. The big issue here is that the Steam URL can be used to run games with potentially harmful command line parameters.
See, some browsers will execute the steam:// protocol without so much as a single prompt to the user. Chrome, IE, and Firefox will all at least provide prompts to the user, with Chrome providing some more detailed information as to what that URL is attempting to do. The problem can also be found in browsers such as Webkit, MaxThon, Avant, and LunaScape. Keep in mind that Steam's own internal browser utilizes WebKit for its rendering. Other browsers such as Opera, SeaMonkey, PaleMoon, and SRWare Iron do not provide the detailed explanation that Chrome provides to the user but should at least provide some sort of a prompt.
The fact that some browsers will not give enough information is only part of the problem. The big issue here is that the Steam URL can be used to run games with potentially harmful command line parameters. The hardware and security group responsible for discovering this vulnerability, Revuln, went through a variety of tests to show a proof of concept. Keep in mind that this vulnerability is not limited to Valve's own titles.
For games based on the Unreal Engine we opted for exploiting a real security vulnerability that occurs while loading content that resides on remote computers (Windows remote WebDAV or SMB share) which we can load via command-line parameters:
steam://run/ID/server nnHOSTnevil.upk -silent
Indeed this engine is affected by many integer overflow vulnerabilities (maybe we will document them one of these days) that allow execution of malicious code.
Example 2 - APB Reloaded
In this case we decide an arbitrary update server via command-line and exploit a directory traversal for overwriting or creating any file we desire with our custom content.
On Steam there are tons of MMO games free-to-play like APB so the user base is very big and most of them can be exploited with such techniques. Additionally most of these games use anti-cheating solutions and require to be launched with Administrator permissions (we are in the gaming world where people don’t have security knowledge, having such privileges is quite common) so the whole system can be compromised.
Example 3 - Team Fortress 2
Most of them include the basis commands available in the Source engine, which we are going to use for writing files with custom content in arbitrary locations. For exploiting this engine we have opted for the following command-line
options:
+con_logfile, allows you to specify a file that will receive the content of the console (it can’t be a Windows remote share)
+echo, used to put custom data in the log file
+quit, (optional) closes the game
-hijack, (optional) useful in case the user already has an instance of the game running and we want to send additional commands that are limited by the Q_URLDecode 128 chars
Our choice for exploiting this bug is to create a .bat file in the Startup folder of the user account which will execute our commands injected through +echo at the next login of the user on the system. There is also an interesting scenario against dedicated servers by specifying the motd.txt of the game as logfile and launching the cvarlist command that will dump all the game variables in such file that is visible to any player who joins the server.
These are just three basic examples. A more visual proof of concept can be seen in the video below. To protect yourself, be sure not to click on any links you do not trust. Make sure you look at where the URL is pointing to before clicking, even if it looks safe on the outside, keep an eye on where it's really linking to by hovering over the link ahead of time. Another huge security precaution would be to disable the steam:// URL handler within your browser of choice.
Steam Security Vulnerability Found when Using Certain Browsers
