Abusing Steam for privileged code execution
Product: Steam Client Software
Version: Build Jun 3 2020
Tested on: Windows 10 Pro 2004 x64
Vendor informed: Yes
PoC: This blog post
CVE: requested
I like computer games, especially the old ones. During these permanent home-office days I played a few of the classic ones like "Shadow Warrior" or "Star Gunner". However while installing a game via Steam I thought I can take a quick look at the steam client software for Windows. A first google search revealed a CVE entry from 2015 (CVE-2015-7985) which describes that the steam client can be replaced by a malicious one and when an administrator launches it or runs it via autostart the malicious steam.exe will be executed...wow I didn´t know that ;)
Well 5 years later we have Windows 10 with a default deactivated Administrator account (for reasons) and I personally think that running an executable as admin is not really worth a CVE entry but who am I to judge...
During the installation of one of my games I figured out that the steam installation folder (C:\Program Files (x86)\Steam) is in fact writable for regular users. But also steam runs in a regular user context (medium integrity). So on a first view there is no easy to way to exploit...But only on a first view ;)
What we have at this point is
- Steam is executed in a regular user context
- Also games are installed this way
- The complete steam folder can be modified by users
While looking at the steam folder I noticed that only one executable in this folder requires elevated (admin) rights; the uninstaller
This is the uninstaller which will be executed when steam gets removed via the control panel item "Programs and Features" and (you already guessed it) it will also be executed in an elevated context. Great but the steam uninstaller is code-signed and running a replaced version will provide users with a suspicious UAC prompt. At least this is what I thought...
- Delete the original steam.exe and replace it by a broken one or break steam in a way you like. I replaced steam.exe with an old DOS file and when a user opens "steam" or just clicks on the shortcuts on his desktop/startmenu it will look like this
- After that: Replace the steam uninstaller ("C:\Program Files (x86)\Steam\uninstall.exe") with a malicious one
- When a user tries to uninstall the broken steam installation there are two options:
1. User executes the malicious uninstall.exe but will receive a suspicious UAC prompt (not really good)
2. But if the user removes the application via "Programs and Features" the magic happens and we have nice regular Microsoft signed UAC prompt asking the user to uninstall our broken steam installation:
This will run our replaced uninstall.exe in an elevated context:
Note:
- CVE-2015-7985 is also important: If you remove a steam installed game via "Programs and Features" steam.exe will be executed in an elevated context
- It took more time to write this article than finding the bug...
Conclusion: Using "Programs and Features" to remove steam or even steam games is unsecure and can be abused to trick users with a "clean" UAC prompt in running malicious files. This can be easily mitigated as described 5 years ago: Valve, please use file permissions!
