CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS2: 4.3 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 0.301 Low
  Percentile: 96.3%
The version of Chromium Embedded Framework included in the Linux client was susceptible to a v8 exploit that allowed modification of local files. The researcher demonstrated chaining local file modification to a local privilege escalation.
The Steam Deck on latest software is vulnerable to a Remote Code Execution (RCE) vulnerability which can be chained with a privilege escalation vulnerability to provide an attacker full arbitrary root execution access after a user clicks on a link to maliciously crafted webpage in a Steam Chat message. The entire exploit chain can run deterministically after that single click with no further user interaction.
Specifically, the Chromium Embedded Framework (CEF) used in the steamwebhelper is based on Chromium version 85.0.4183.121. This version is vulnerable to CVE-2020-16040. If the steamwebhelper loads a malicious page, this CVE can be exploited to obtain an RCE in the steamwebhelper process.
The steamwebhelper process runs as the user "deck" with the CEF sandbox disabled. This means that immediately after exploitation, the attacker has access to all of the user's files, because all user content is readable by "deck". Likely most critically, this includes the Steam Sentry credential file stored at ~/.local/share/Steam/ssfn* that will be present on all Steam Decks and facilitates Steam account takeovers.
From here, we can pivot to obtaining full root access. By default, the deck user has sudoers privileges and no password set. Thus, all we need to do is set a password and then provide that password to the "sudo" binary for a full root shell.
However, the steamwebhelper executes with the "no new privileges" flag set, which prevents us from directly calling sudo from the initial RCE context. This can be easily circumvented by modifying some executable file that the deck user has access to that another process will eventually execute outside of the steamwebhelper process. Given the substantial file access privileges of the deck user (e.g. access to all games, the entire Steam executable, other apps, etc.), there are a variety of options to choose from for this. I verified that at least one such vulnerable site exists to facilitate this privilege escalation by planting a malicious payload in ~/.bashrc, which seems to be executed at least whenever the device reboots. All these steps could be achieved in the shellcode executed from the Chrome RCE.
Once you have achieved persistent root access, you can access all files and peripherals on the device.
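As an added example (not part of the original report or of Valve's tooling), a small audit helper that checks a device for the preconditions this chain relies on: a CEF build older than the fix, a renderer running with NoNewPrivs, a sudo-capable account with no password set, and a changed shell startup file. All file contents are constructed samples, and the fixed Chromium version is an assumption to confirm against the Chrome release notes.

```python
import hashlib
import re

# Constructed samples standing in for the files an auditor would read on the
# device: /etc/shadow, /etc/sudoers, /etc/group, /proc/<pid>/status, ~/.bashrc.
SAMPLE_SHADOW = ["root:!:19000::::::", "deck::19000::::::"]
SAMPLE_SUDOERS = ["root ALL=(ALL) ALL", "%wheel ALL=(ALL) NOPASSWD: ALL"]
SAMPLE_GROUP = ["wheel:x:998:deck"]
SAMPLE_STATUS = "Name:\tsteamwebhelper\nNoNewPrivs:\t1\n"
SAMPLE_BASHRC = b"# ~/.bashrc\nalias ls='ls --color=auto'\n"
BASELINE_BASHRC = hashlib.sha256(SAMPLE_BASHRC).hexdigest()  # recorded while clean

# First Chromium release carrying the fix for CVE-2020-16040 (assumed from the
# upstream advisory; confirm against the Chrome release notes before relying on it).
FIXED_CHROMIUM = (87, 0, 4280, 88)

def chromium_version(text):
    """Pull the four-part Chromium version out of a CEF or User-Agent string."""
    m = re.search(r"Chrom(?:e|ium)/(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def cef_vulnerable(version):
    """Older than the fixed build means the V8 bug is reachable from any page."""
    return version is not None and version < FIXED_CHROMIUM

def no_new_privs(status_text):
    """True if a /proc/<pid>/status dump shows NoNewPrivs set for the process."""
    m = re.search(r"^NoNewPrivs:\s*(\d)", status_text, re.MULTILINE)
    return bool(m) and m.group(1) == "1"

def passwordless_sudo(user, shadow, sudoers, group):
    """True when `user` is granted sudo (directly or via a %group) and either the
    grant is NOPASSWD or the shadow entry has no password set, so the user can
    choose one and then use it, as the report describes."""
    pw = next((l.split(":")[1] for l in shadow if l.startswith(user + ":")), None)
    groups = {l.split(":")[0] for l in group if user in l.split(":")[-1].split(",")}
    for line in sudoers:
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        who = fields[0]
        applies = who == user or (who.startswith("%") and who[1:] in groups)
        if applies and (any(f.startswith("NOPASSWD:") for f in fields) or pw == ""):
            return True
    return False

def startup_file_tampered(content, baseline_sha256):
    """Compare a shell startup file against a known-good hash taken at provisioning."""
    return hashlib.sha256(content).hexdigest() != baseline_sha256
```

On a real device, replace the sample constants with the actual file contents (shadow and sudoers need root to read) and treat any True result as a finding to remediate.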