Valve: Privilege Escalation vulnerability in Steam's Remote Play feature leads to arbitrary kernel-mode driver installation

2020-04-17T09:23:34
ID H1:852091
Type hackerone
Reporter hydraskyteam
Modified 2021-09-21T21:55:52

Description

Tested on Windows 10 x64

  • When Steam starts, it checks the integrity of all installed files and re-downloads any that were modified. After this step, every file in the Steam installation folder is exactly its original version.
  • Before Steam streams to a Steam Link for the first time (Remote Play feature), it has SteamService install 2 kernel-mode drivers, SteamStreamingMicrophone and SteamStreamingSpeakers, from C:\Program Files (x86)\Steam\drivers\Windows10\x64.

{F792262}

  • From the 2 points above, it follows that if SteamStreamingMicrophone or SteamStreamingSpeakers is modified after Steam has started but before the driver is installed (at the first streaming session), the "modified" driver is installed instead of the original one. This means an arbitrary kernel-mode driver can be installed through Steam.
  • SteamStreamingMicrophone.sys and SteamStreamingSpeakers.sys ██████
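The root cause described above is a time-of-check/time-of-use gap: the files are verified at start-up but consumed much later, at first stream. The mitigation is to verify the driver binary at the moment it is installed. The PowerShell below is an added example of such an install-time check and is not Valve's or Steam's code; the directory path comes from the report, while the expected-hash table, the function names and the install step are assumptions and placeholders.

```powershell
# Added example (not Valve/Steam code): verify each driver file immediately
# before installing it, so a change made after the start-up integrity check
# is caught. The hash values below are placeholders, not values from the report.

$DriverDir = 'C:\Program Files (x86)\Steam\drivers\Windows10\x64'

# Placeholder: pin the SHA-256 of the vendor-shipped drivers at release time.
$ExpectedHashes = @{
    'SteamStreamingMicrophone.sys' = 'PLACEHOLDER_SHA256_OF_ORIGINAL_MICROPHONE_DRIVER'
    'SteamStreamingSpeakers.sys'   = 'PLACEHOLDER_SHA256_OF_ORIGINAL_SPEAKERS_DRIVER'
}

function Test-DriverFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Missing driver file: $Path"
        return $false
    }

    # 1. Content check: the file on disk must match the pinned hash.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Write-Warning "Hash mismatch for $Path (got $actual)"
        return $false
    }

    # 2. Signature check: a kernel driver must carry a valid Authenticode
    #    signature chaining to a trusted root; any other status is rejected.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is '$($sig.Status)'"
        return $false
    }

    return $true
}

function Install-VerifiedDrivers {
    # The verify/install decision is made at install time, not at start-up,
    # so there is no long window between check and use.
    foreach ($name in $ExpectedHashes.Keys) {
        $path = Join-Path $DriverDir $name
        if (-not (Test-DriverFile -Path $path -ExpectedSha256 $ExpectedHashes[$name])) {
            throw "Refusing to install unverified driver: $path"
        }
        Write-Output "Verified: $path"
        # Hypothetical install step; the INF name is not given in the report:
        # pnputil /add-driver "$DriverDir\<driver>.inf" /install
    }
}

Install-VerifiedDrivers
```

Even this leaves a brief window between the hash check and the installer opening the file; a stricter service would hold the file open with sharing denied while verifying and install from that same handle, or stage the verified bytes into a directory writable only by the service before calling the installer. Writing the driver directory with permissions that deny modification to standard users removes the precondition entirely.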

My fake driver: {F792263}

PoC Video: {F792325}

Impact

Installation of an arbitrary kernel-mode driver, which can lead to running code in kernel mode, ...