hackerone / hydraskyteam / H1:852091
History: Apr 17, 2020 - 9:23 a.m.

Valve: Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation

Reported by hydraskyteam via hackerone.com

Tested on Windows 10 x64

  • When Steam starts, it verifies the integrity of every installed file and re-downloads any file that has been modified. After this step, every file in the Steam installation folder is its original, unmodified version.
  • Before Steam streams to SteamLink (the Remote Play feature) for the first time, it has SteamServices install two kernel-mode drivers, SteamStreamingMicrophone and SteamStreamingSpeakers, from C:\Program Files (x86)\Steam\drivers\Windows10\x64.

{F792262}

  • From the two points above: the integrity check runs at startup, but the drivers are installed later, at the first streaming session. If SteamStreamingMicrophone or SteamStreamingSpeakers is replaced in that window, after Steam has started but before the first stream triggers the install, nothing re-checks the file and the modified driver is installed instead of the original one. A user who can write to that folder can therefore get an arbitrary kernel-mode driver installed through Steam (a time-of-check to time-of-use gap between the integrity check and the install).
  • SteamStreamingMicrophone.sys and SteamStreamingSpeakers.sys ██████
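The attack described above needs two things to be true on a host: a low-privileged user must be able to write into the drivers folder, and the installer must accept whatever binary is there without verifying it. The following PowerShell check is an added example, not code from the report or from Valve. It uses the folder path and driver file names given in the report; the assumption that the folder ACL is what lets a non-administrator perform the swap is the author of this example's, not the report's. It reports whether Everyone, Authenticated Users or BUILTIN\Users hold write rights on the folder, and whether each driver currently on disk carries a valid Authenticode signature, which is the check an installer should make immediately before loading a driver rather than trusting an earlier integrity pass.

```powershell
# Added example (not part of the HackerOne report or of Steam).
# Assumptions: the drivers folder path and .sys names from the report; the
# well-known SIDs below are the principals a low-privileged user belongs to.

$DriverDir = 'C:\Program Files (x86)\Steam\drivers\Windows10\x64'
$Drivers   = 'SteamStreamingMicrophone.sys', 'SteamStreamingSpeakers.sys'

# Principals that any interactive, non-admin user is a member of.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
)

# Any of these rights lets a user replace or modify files in the folder.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-LowPrivWrite {
    # Returns $true if an Allow ACE grants write-class rights to a low-privileged principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or unresolvable account; cannot be one of the well-known SIDs
        }
        if ($LowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Test-DriverSignature {
    # Reports the Authenticode status, signer and SHA-256 of the driver as it is on disk right now.
    # A status other than 'Valid' means the file that would be installed is not the vendor's binary.
    param([string]$Path)
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $signer
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

if (Test-Path -LiteralPath $DriverDir) {
    $writable = Test-LowPrivWrite -Path $DriverDir
    "Drivers folder writable by low-privileged principals: $writable"
    foreach ($name in $Drivers) {
        $file = Join-Path $DriverDir $name
        if (Test-Path -LiteralPath $file) {
            Test-DriverSignature -Path $file
        } else {
            "Not present: $file"
        }
    }
} else {
    "Drivers folder not found: $DriverDir"
}
```

A `True` for the writable check combined with a driver whose status is anything but `Valid` is the state the report describes: a swapped binary sitting where the privileged service will pick it up. Note that a valid signature on disk at the moment of this check does not by itself close the window; the check has to be done by the component that performs the install, on the bytes it is about to install.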

My fake driver: {F792263}

PoC Video: {F792325}

Impact

Installation of an arbitrary kernel-mode driver, which leads to arbitrary code execution in kernel mode, …