Steam client zero-day vulnerability enables arbitrary code to be run with LocalSystem privileges
The vulnerability was reported to Valve Software but was rejected for being 'out of scope'
A security researcher claims to have discovered a new zero-day vulnerability in the Windows client of the popular Steam gaming service.
The vulnerability lies within the Steam Client Service and could enable any user to run arbitrary code with LocalSystem privileges by using only a few commands.
Vasily Kravets, the researcher who first noticed the flaw, says it can be easily exploited by unprivileged users to start/stop the Steam Client Service.
Because the service automatically sets permissions on various registry keys, a malicious user can 'symlink' one of those keys to a key belonging to another service, which then lets the user start/stop that service as well.
According to Kravets, he first reported the flaw to Valve Software, Steam's developer, on 15th June via HackerOne. He provided HackerOne with a "text description and a proof-of-concept as an executable file".
The next day, Kravets received a message saying his report had been rejected as out of scope under the programme rule excluding "attacks that require the ability to drop files in arbitrary locations on the user's filesystem".
Kravets says he argued his case with HackerOne's security staff, wrote some more comments in his report, and then a second HackerOne member tried to reproduce the exploit.
He confirmed the issue and sent it to the security team at Valve Software.
But on 20th July, Kravets received another message from a third HackerOne employee stating that the vulnerability reported by him was out-of-scope.
This time, the reasons given for rejection were "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem" and "Attacks that require physical access to the user's device".
After a second rejection, Vasily decided to disclose the vulnerability publicly. He notified HackerOne about it and warned that he'd disclose the flaw after 30th July.
On 2nd August, he received a message from another HackerOne employee, who forbade Vasily from disclosing the vulnerability.
Nevertheless, Vasily finally went public on 7th August, with the hope that it "will bring Steam developers to make some security improvements".
Vasily said that he is very disappointed to see a big firm like Valve Software (the biggest PC games portal by a wide margin) talk big about security but in reality do very little until forced to do so.
It is worth noting that earlier this year, security researchers reported a vulnerability on the Steam platform that made it possible for threat actors to take over user accounts, steal confidential data, and infect the victim's systems with malware.
Last year, Valve Software paid a $25,000 bug bounty to a hacker for discovering a Steam 'free games' exploit that could have been used to generate free game keys.
And in 2011, hackers compromised the systems of Valve Software and stole customer data from the firm's Steam gaming service.