Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty
EoP bug now free for the world to see after bounty was rejected
A security bod angry at Valve's handling of bug reports has disclosed a zero-day vulnerability affecting the games giant's flagship Steam app.
Russia-based bug-hunter Vasily Kravets said that he was releasing details of the flaw, an elevation-of-privilege hole, after a series of poor interactions with Valve led to him getting banned from Valve's bug bounty program, run by HackerOne.
The way Kravets tells it – Valve did not respond to a request for comment – the whole saga started earlier this month when he went to report a separate elevation-of-privilege flaw in Steam Client, the software players use to purchase and run titles from Valve's platform.
Valve declined to recognize and pay out a reward for that particular security hole, which it said required local access and the ability to drop files on the target machine, and was therefore, in Valve's eyes, not really a vulnerability. Kravets was eventually banned from Valve's program on HackerOne.
"I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence," Kravets said. "Eventually things escalated with Valve and I got banned by them on HackerOne – I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though)."
Now, some two weeks later, Kravets has discovered and disclosed a second elevation-of-privilege flaw in Steam. Like the first, this hole – a .DLL loading vulnerability – would require an attacker to have access to the target's machine in some way, and the ability to write files locally.
Get rekt: Two years in clink for game-busting DDoS brat DerpTrollingREAD MORE
If those requirements are met, Kravets said, the miscreant could get the Steam app to load and execute malicious DLL files, potentially giving an even greater control over the system and allowing the hacker to further download and install all sorts of malware on the target PC. Depending on the games installed, Steam may have to run with administrator privileges, so getting code execution within it could allow an intruder to do a lot of damage.
While neither flaw would be considered a "critical" risk as they each require the attacker to already have access to the target machine (if that's the case you're already in serious trouble, so what's another flaw), Kravets argues that since it is a marketplace for third-party code, Steam in particular would be an attractive target with an elevated risk from EoP flaws.
"It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges," the bug-hunter notes. "Are you sure that a free game made of garbage by an unknown developer will behave honestly?" ®