Steam v.54/894 Local Privilege Escalation Vulnerability

ID 1337DAY-ID-8052
Type zdt
Reporter MrDoug
Modified 2009-08-07T00:00:00


Exploit for unknown platform in category local exploits

Steam v.54/894 Local Privilege Escalation Vulnerability

Steam (Multiple .exe's) Local Privilage Escalation


Version Info:
 Steam windows client
 Built: Jun 30 2009, at 13:29:32
 Steam API: v008
 Steam Package versions: 54/894

 Slappywag, Doomchip, Bolo, Eliwood, and the rest.

Special Thanks:
 Jeremy Brown and Nine:Situations:Group...
 Their work led me to this.


The latest Steam client, (and other Steam related executables)
suffer the same privilage escelation issue we saw in Adobe Acrobat NOS
the other day (  This is particularly
bad becuase, by default, Steam starts atomaticly.  That means that as
soon as an administrator logs in... game over.



C:\>cacls "C:\Program Files\Steam\Steam.exe"
C:\Program Files\Steam\Steam.exe BUILTIN\Users:F  <-- (Danger Will Robinson!!)
                                 BUILTIN\Power Users:C
                                 NT AUTHORITY\SYSTEM:F

The executables listed below are also vulnerable, as well as many, MANY
more that I have not mentioned.  See for yourself.


--The following are dependant on what games are installed.

%programfiles%\Steam\common\left 4 dead\left4dead.exe
%programfiles%\Steam\steamapps\[username]\counter-strike source\hl2.exe
%programfiles%\Steam\steamapps\[username]\half-life 2\hl2.exe


There are probably 100 more, just look around.  I am yet to see an
executable in the Steam directory with propor permissions.



So simple... write it yourself you silly goose :3

# [2018-02-06]  #