ZenHAX


All times are UTC




 Post subject: Steam Service Security
PostPosted: Tue Aug 05, 2014 6:01 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6163
Something different than the usual remote vulnerabilities I report, this time it's a local design issue that allows executing code as SYSTEM (a sort of Administrator) through the Steam Client Service.

Status: still vulnerable as far as I know.

Full details here:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf

What I think is particularly interesting about that paper is the tool I released and the information about the IPC interface of the service.

The following are the methods that can be called:
Code:
IClientInstallUtils::SetUniverse
IClientInstallUtils::AddShortcut
IClientInstallUtils::RemoveShortcut
IClientInstallUtils::RemoveFromGameExplorer
IClientInstallUtils::AddRichSavedGames
IClientInstallUtils::RemoveRichSavedGames
IClientInstallUtils::AddToMediaCenter
IClientInstallUtils::RemoveFromMediaCenter
IClientInstallUtils::AddUninstallEntry
IClientInstallUtils::RemoveUninstallEntry
IClientInstallUtils::AddToFirewall
IClientInstallUtils::RemoveFromFirewall
IClientInstallUtils::RegisterSteamProtocolHandler
IClientInstallUtils::FixupSteamClientShortcuts
IClientInstallUtils::RunInstallScript
IClientInstallUtils::AddInstallScriptToWhiteList
IClientInstallUtils::GetInstallScriptExitCode
IClientModuleManager::LoadModule
IClientModuleManager::UnloadModule
IClientModuleManager::CallFunctionAsync
IClientModuleManager::CallFunction
IClientModuleManager::PollResponseAsync
IClientProcessMonitor::RegisterProcess
IClientProcessMonitor::UnregisterProcess
IClientProcessMonitor::TerminateProcess
IRegistryInterface::BGetValueUint
IRegistryInterface::BSetValueBin
IRegistryInterface::BDeleteValue
IRegistryInterface::BDeleteKey
IRegistryInterface::BKeyExists
IRegistryInterface::BSetValueStr
IRegistryInterface::BSetValueUint
IRegistryInterface::BGetSubKeys
IRegistryInterface::BGetValues
IRegistryInterface::BEnumerateKey
IRegistryInterface::BGetValueStr
IRegistryInterface::BGetValueBin
IRegistryInterface::BenumerateValue

The tool contains all the arguments and is well made, except for the "exit" part because the service remains frozen and you must kill it manually (as SYSTEM obviously)... yeah that part needed more work so feel free to have fun with it.

Link:
http://aluigi.org/poc/steam_service_poc.zip


PostPosted: Mon Jan 26, 2015 7:32 am 

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 240
Means you can play even if you got VAC? Is there any way? It is very interesting I guess, I don't really need this but it could be useful :D


PostPosted: Mon Jan 26, 2015 8:21 am 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6163
As far as I know VAC is checked server-side so you can do nothing for a banned account (the server probably asks Valve if the account is banned and, if yes, kicks you out).
But if you talk about preventing VAC from banning your account when it's still "clean"... maybe :)


PostPosted: Mon Jan 26, 2015 9:38 am 

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 240
aluigi wrote:
As far as I know VAC is checked server-side so you can do nothing for a banned account (the server probably asks Valve if the account is banned and, if yes, kicks you out).
But if you talk about preventing VAC from banning your account when it's still "clean"... maybe :)



Yeah this could be very interesting :D Any additional info pls?


PostPosted: Tue Jan 27, 2015 9:33 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6163
Unfortunately no. The only things I checked are those that I published.

