Steam v.54/894 Local Privilege Escalation Vulnerability

ID SSV:12004
Type seebug
Reporter Root
Modified 2009-08-09T00:00:00


No description provided by source.

                                                Steam (Multiple .exe's) Local Privilage Escalation


Version Info:
 Steam windows client
 Built: Jun 30 2009, at 13:29:32
 Steam API: v008
 Steam Package versions: 54/894

 Slappywag, Doomchip, Bolo, Eliwood, and the rest.

Special Thanks:
 Jeremy Brown and Nine:Situations:Group...
 Their work led me to this.


The latest Steam client, (and other Steam related executables)
suffer the same privilage escelation issue we saw in Adobe Acrobat NOS
the other day (  This is particularly
bad becuase, by default, Steam starts atomaticly.  That means that as
soon as an administrator logs in... game over.



C:\>cacls "C:\Program Files\Steam\Steam.exe"
C:\Program Files\Steam\Steam.exe BUILTIN\Users:F  <-- (Danger Will Robinson!!)
                                 BUILTIN\Power Users:C
                                 NT AUTHORITY\SYSTEM:F

The executables listed below are also vulnerable, as well as many, MANY
more that I have not mentioned.  See for yourself.


--The following are dependant on what games are installed.

%programfiles%\Steam\common\left 4 dead\left4dead.exe
%programfiles%\Steam\steamapps\[username]\counter-strike source\hl2.exe
%programfiles%\Steam\steamapps\[username]\half-life 2\hl2.exe


There are probably 100 more, just look around.  I am yet to see an
executable in the Steam directory with propor permissions.



So simple... write it yourself you silly goose :3