hackerone report H1:1974296 by G1a55er
Published: May 04, 2023 - 8:09 p.m.

Valve: Steam Deck Single Click Root Remote Code Execution

Reporter: g1a55er
Source: hackerone.com
Bounty: $750
Tags: chromium embedded framework, linux client, remote code execution, cve-2020-16040, steam deck, root access, steam chat, malicious webpage, privilege escalation, user "deck", sudoers privileges, no new privileges, shellcode, persistent access, bug bounty

EPSS: 0.221 (Low), percentile 96.5%

The version of Chromium Embedded Framework included in the Linux client was susceptible to a V8 exploit that allowed modification of local files. The researcher demonstrated chaining local file modification to a local privilege escalation.

The Steam Deck on the latest software is vulnerable to a Remote Code Execution (RCE) vulnerability which can be chained with a privilege escalation vulnerability to give an attacker full arbitrary root execution after a user clicks a link to a maliciously crafted webpage in a Steam Chat message. The entire exploit chain can run deterministically after that single click with no further user interaction.

Specifically, the Chromium Embedded Framework (CEF) used in the steamwebhelper is based on Chromium version 85.0.4183.121. This version is vulnerable to CVE-2020-16040. If the steamwebhelper loads a malicious page, this CVE can be exploited to achieve RCE in the steamwebhelper process.

The steamwebhelper process runs as the user "deck" with the CEF sandbox disabled. This means that immediately after exploitation, the attacker has access to all of the user's files, because all user content is readable by "deck". Most critically, this includes the Steam Sentry credential files stored at ~/.local/share/Steam/ssfn*, which are present on every Steam Deck and facilitate Steam account takeover.

From here, we can pivot to obtaining full root access. By default, the deck user has sudoers privileges and no password set. Thus, all we need to do is set a password and then provide that password to the "sudo" binary for a full root shell.

However, the steamwebhelper executes with the "no new privileges" flag set, which prevents us from directly calling sudo from the initial RCE context: the kernel ignores set-uid bits on execve for a process with that flag, and the flag is inherited by every child it forks or execs. This can be easily circumvented by modifying some executable or startup file that the deck user can write and that another process, outside the steamwebhelper process tree, will eventually execute. Given the substantial file access privileges of the deck user (e.g. access to all games, the entire Steam executable, other apps, etc.), there are a variety of options to choose from for this. I verified that at least one such vulnerable site exists to facilitate this privilege escalation by planting a malicious payload in ~/.bashrc, which seems to be executed at least whenever the device reboots. All these steps could be achieved in the shellcode executed from the Chrome RCE.
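As an added example (not part of the report or of SteamOS), the following POSIX shell audit checks the three conditions the escalation above depends on: sudo rights for the user, an empty password the attacker can set, and the no-new-privileges flag on the browser process that forces the payload to be staged into a file such as ~/.bashrc rather than run through sudo directly. It runs offline against constructed sample text; on a real device the inputs would come from /proc/<pid>/status of steamwebhelper, /etc/sudoers plus /etc/sudoers.d/*, and /etc/shadow (which requires root to read). The sudoers check is a line-match heuristic, not a full sudoers parser, and the sample values are illustrative rather than captured from a Steam Deck.

```shell
#!/bin/sh
# Added audit script, not from the report: checks the preconditions of the
# deck -> root chain against text passed as arguments, so it runs offline.

# 1. NoNewPrivs in /proc/<pid>/status. When it is 1 the kernel ignores
#    set-uid bits on execve for this process and all of its descendants,
#    so sudo cannot become root from there. Returns 0 when the flag is set.
nnp_set() {
    printf '%s\n' "$1" | grep -q '^NoNewPrivs:[[:space:]]*1[[:space:]]*$'
}

# 2. Does any non-comment sudoers line give this user (directly or via
#    %wheel) a rule whose command list is ALL? Heuristic: aliases and
#    @include directives are not followed. Returns 0 if such a rule exists.
sudoers_grants() {
    user=$1
    printf '%s\n' "$2" \
        | grep -Ev '^[[:space:]]*#' \
        | grep -Eq "^[[:space:]]*(${user}|%wheel)[[:space:]]+ALL=.*ALL[[:space:]]*$"
}

# 3. Is the user's /etc/shadow password field empty? That is what "no
#    password set" means on disk, and it is what lets an attacker pick a
#    password and then feed it to sudo. Returns 0 if the field is empty.
shadow_empty_password() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { found = 1; if ($2 == "") empty = 1 }
         END { exit !(found && empty) }'
}

# Which route the attacker needs:
#   none    - sudo rights or the settable empty password is missing
#   direct  - sudo can be run straight from the compromised process
#   staged  - NoNewPrivs is set, so the payload must be written into a file
#             that some unrelated process (e.g. ~/.bashrc) executes later
escalation_route() {
    user=$1; status=$2; sudoers=$3; shadow=$4
    if ! sudoers_grants "$user" "$sudoers" || ! shadow_empty_password "$user" "$shadow"; then
        echo none
    elif nnp_set "$status"; then
        echo staged
    else
        echo direct
    fi
}

# Constructed sample inputs (illustrative, not captured from a device).
SAMPLE_STATUS='Name:   steamwebhelper
Uid:    1000    1000    1000    1000
NoNewPrivs:     1
Seccomp:        0'
SAMPLE_SUDOERS='# constructed sample sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
deck ALL=(ALL) ALL'
SAMPLE_SHADOW='root:!:19000:0:99999:7:::
deck::19000:0:99999:7:::'

# Run with --demo to print the verdict for the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    echo "route: $(escalation_route deck "$SAMPLE_STATUS" "$SAMPLE_SUDOERS" "$SAMPLE_SHADOW")"
fi
```

For the constructed samples the verdict is "staged", which matches the report: the deck account has sudo rights and an empty password, but the browser process carries NoNewPrivs, so the payload has to be dropped into a file that a process outside the steamwebhelper tree runs. Either setting a password for deck or removing its sudoers rule flips the verdict to "none"; clearing NoNewPrivs on the browser (the wrong fix) would merely make the route "direct".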

Once persistent root access has been achieved, the attacker can access all files and peripherals on the device.