Chap uncovers privilege escalation vuln in Steam only to be told by Valve that bug 'not applicable'

A security researcher has disclosed a vulnerability in Valve Corporation's Steam client, used by millions of Windows PC gamers, even though it has not been fixed because his report was rejected as "not applicable". Vasily Kravets' report raises two issues. First, the exploit itself, and second, whether Valve's policy, via its …

  1. sabroni Silver badge

    Running a gaming PC without local admin rights is frustrating

    I don't get this. You should need admin rights to install stuff on Windows but once a game is installed why do you need admin? You should need write permissions to a save file folder in your user directory and read and execute on the game files.

    Valve have been doing this for ages, they should have worked out what permissions are needed when by now. Are they actually Linux Devs slumming it on Windows and refusing to do things the Windows way or just incompetent?

    (This is why I game on console. I have 0 time for anything other than gaming on my gaming machines!)

    1. Captain Scarlet Silver badge
      Trollface

      Re: Running a gaming PC without local admin rights is frustrating

      It's time for an internet argument

      #PCMasterRace - Console users have to pay £10 per game when compared with the PC, this is still completely unacceptable!

      1. Mike Moyle Silver badge
        Trollface

        Re: Running a gaming PC without local admin rights is frustrating

        "Console users have to pay £10 per game when compared with the PC..."

        You're paying for not having to worry about the privilege-escalation bug -- and I call it a bargain at twice the price!

      2. tfewster Silver badge
        Trollface

        Re: Running a gaming PC without local admin rights is frustrating

        You want an argument?! PC game prices drop 75% after the first 6 months, Console games prices always stay high long after the developers have made their money back!

        (Works great for me, other people can subsidise the Developers and do the beta testing, if a PC game is still popular after 6 months then I'll buy it at the reduced price.)

    2. LDS Silver badge

      Re: Running a gaming PC without local admin rights is frustrating

      You're right. I can think Steam did it because:

      1) Its developers are utterly incompetent and use too broad rights to code what they can't code correctly

      Or

      2) With localsystem privileges it is far easier to slurp customers' data

      Anyway, another hint the cloud/subscription model broadens the attack surface - and there are few incentives to code those clients the right way - customers have no choice.

    3. Joe W Silver badge

      Re: Running a gaming PC without local admin rights is frustrating

      Multi user was an afterthought on Windows. This can still be felt in several places...

      1. sabroni Silver badge

        Re: Running a gaming PC without local admin rights is frustrating

        Why does it matter when the security was thought of? It's possible to configure it so it works correctly but doesn't have excessive permissions.

        Sounds a bit like a Linux dev refusing to do things the Windows way to me....

      2. big_D Silver badge

        Re: Running a gaming PC without local admin rights is frustrating

        That was the case with the Windows 3/9x code base, but Windows NT was built with user rights from the ground up.

        Sloppy programming practices and people learning to code on Windows 9x and never learning to do it "properly" resulted in most users having administrator accounts up until XP days. Since then, most programmers have learnt how to code correctly and use access rights.

      3. Roland6 Silver badge

        Re: Running a gaming PC without local admin rights is frustrating

        >Multi user was an afterthought on Windows.

        What is much worse is that many applications still persist in the belief that Windows is only used by a single user, with full admin rights.

        The number of times I've installed software as Admin, logged into a normal user account and discovered either the application isn't accessible or fails to load as it tries to access the admin user's folders as it has hard coded these into its configuration.

        1. Robert Carnegie Silver badge

          Re: Running a gaming PC without local admin rights is frustrating

          This. Run the software installer, at the end it prompts to run the application for you... when I last looked, that's running as administrator.

          1. Roland6 Silver badge

            Re: Running a gaming PC without local admin rights is frustrating

            >This. Run the software installer, at the end it prompts to run the application for you... when I last looked, that's running as administrator.

            Precisely, run the (game) installer from a normal user account, Windows UAC will demand admin, you enter admin password and the dumb game installer will install the game for the sole use of the selected admin user, as once installed try running the application as the (normal) user you are logged in as, who as they don't normally have access permissions for c:\user\administrator\AppData etc...

            Compare to a well written installer and it will either install by default for all users or give you the option of only installing for the current user - for some that really is the current normal user for others it is the admin user account you nominate to satisfy UAC.

    4. Sandtitz Silver badge
      Facepalm

      Re: Running a gaming PC without local admin rights is frustrating

      "Are they actually Linux Devs slumming it on Windows and refusing to do things the Windows way or just incompetent?"

      Just incompetent is the correct answer.

    5. veti Silver badge

      Re: Running a gaming PC without local admin rights is frustrating

      Because Valve wants to control your games completely.

      I don't know what sort of games you play, but in mine, it's common for my mod list/order, or other aspects of the config, to change. Personally I manage all that through separate, non-Steam software in the form of mod managers and editors (which do, indeed, bring up a UAC prompt every time something changes); but Valve would dearly love to bring it all in house, and have been making tentative moves in that direction for several years now.

      And to do that, they want the player to be able to mod the game while it is running - which means, no UAC.

    6. eldakka Silver badge

      Re: Running a gaming PC without local admin rights is frustrating

      Valve have been doing this for ages, they should have worked out what permissions are needed when by now.

      My understanding (I may have misunderstood) is that some games developed by 3rd parties need write access on their game installation directories. I believe this is usually for older games, say Leisure Suit Larry or Civilization I/II for example, hopefully no modern games do this (but that's a forlorn hope I expect).

      Therefore to enable these games to run, they decided to handle this in the most lazy brute-force way imaginable, by setting the entire Steam tree as writeable.

      However, surely they could have handled these apps by having the app's installation tree writeable? e.g. (if installed in standard place - doing this from memory as I don't have steam on this computer) \Program Files (x86)\steam\steamapps\common\<app installation>.

      Therefore only those games that need write have only their sub-directory, not the entire steam tree or indeed other apps installed via steam, writeable.

  2. sitta_europea Bronze badge

    I tried talking to hackerone.

    Waste of time.

  3. Chris Clawson

    So... what's the mitigation?

    1. Omgwtfbbqtime Silver badge
      Trollface

      Use the Epic Store?

      1. David Webb

        I heard a rumour, Half Life 3 is going to be a timed exclusive on the Epic Store.

        1. jonathan keith

          You are a bad, bad man.

      2. Ragarath Silver badge

        You can actually use that? It's not really a place they thought about anyone actually having a good experience.

        Steam is looking dated but works; the Epic shop just makes things unnecessarily hard.

        1. 9Rune5

          the Epic shop just makes things unnecessarily hard.

          I dunno about that. Every week it pops up telling me they have a free game on offer. One click later and it gets added to my library. Problem solved. It was never that easy in other game shops.

    2. fidodogbreath Silver badge

      what's the mitigation?

      Based on their (lack of) response, the mitigation is to uninstall Steam. Obviously that's a crap answer if you have a lot of money tied up in games on their platform.

      If that's not an option, you could dedicate a PC to Steam (and only Steam), VLAN it away from everything else on your network, and back it up frequently to offline storage.

    3. Anonymous Coward

      Bring out the penguins

      The mitigation is to install Ubuntu*, install Steam on it, and run your games under Linux. With Proton (Wine with some of Valve's own patches) now built in to Steam, a great number of "Windows only" games now run flawlessly under Linux.

      *Other Linuxes are available, and most work with Steam no problem

    4. BinkyTheMagicPaperclip Silver badge

      Use GOG.com, with no DRM.

  4. fidodogbreath Silver badge

    Missed headline opportunity

    Chap taps Steam app vuln gap

    Valve claps back and takes crap rap

    Kudos, though, for the pic of hackerz in suitz instead of hoodiez.

  5. karlkarl Bronze badge

    The only thing I can possibly think of is old Windows 98 games that save their data within their Program Files directory needing admin rights. However DRM crap like Steam ensures that digital preservation is dead on arrival making this an unfortunate non-issue.

    But alas game developers are *not* expert craftsmen, they make little wooden toy trains rather than beautiful ornate furniture.

    The Linux / macOS client does not require admin rights for running games, I guess Windows users are used to this kind of unsecure hackery.

    1. s2bu

      Valve/Steam is weird like that. It's almost like the codebase is majorly different between the 3 platforms. Eg, the macOS version doesn't work on case-sensitive filesystems whereas the Linux one obviously does.

    2. david 12 Bronze badge

      > I guess Windows users are used to this kind of unsecure hackery.<

      Only in cross-platform applications. "Not understanding the security model" seems to be a common problem with cross-platform developers.

      1. dajames Silver badge

        "Not understanding the security model" seems to be a common problem with cross-platform developers.

        Nothing cross-platform about it. "Not understanding the security model" is pretty much par for the course among developers whose main workload is not security-related, regardless of the platform(s) involved.

    3. Dan 55 Silver badge

      DRM is a publisher option on Steam, there are games without it.

    4. 9Rune5

      I have two guesses for why they need admin rights:

      1. DRM code needs admin privs (at least that was the case some years ago). Possibly anti-cheat code also requires deep access to detect various nefarious software trying to help the gamer cheat.

      2. Updates to the VC++ runtime modules and DirectX updates might require admin privs (but I'm fairly certain you can bundle VCRT stuff together with your executable in a place accessible to the user)

      3. There is also the issue of sharing executables. Games are HUGE these days (50GB is "nothing" and it is considered a good thing to put these monsters on SSD units which aren't all that big), plus other users on the same computer are licensed to share games currently installed in your library.

      The third option doesn't necessarily require admin privs, but the effect is the same: Users on the same computer are sharing executables and there is a whole lot of trust involved. (trust which doesn't extend to trusting people not to cheat and similar, but...) They might as well share spit and not wash their hands after using the loo.

      I have spent the last few years trying to package a Windows application in such a way to make it palpable to admins everywhere, so I find these types of problems interesting. Yes, the app we deliver; we could install everything into each user's home folder, but there are issues with that too. Not all admins will let users download updates behind their backs. And those guys are also too lazy to update our software more frequently than say once per year... I have failed to come up with an answer, other than: Go all in on the web thing. Which usually implies javascript, which in turn... Well. We're fscked.

      My conclusion is that the end users want to run every executable he/she can dig up (anonymous usb-key found in the parking lot? Go for it!), whereas the typical admin type wants the user to pack up her/his things and go home (and never return). I believe it was the great BOFH who remarked that the perfectly running network requires the absence of all users.

      Very disappointing response from Valve however.

  6. Henry Wertz 1 Gold badge

    forbid? right

    Forbid? Right. If hackerone is not paying up, they have no say about disclosure. He gave 'em 45 days. Screw them, disclose away!

    1. James 139

      Re: forbid? right

      Not entirely sure what they could do to forbid it anyway, stop him submitting any more vulnerabilities, so he just discloses them immediately?

  7. Anonymous Coward

    Ugh windows is just insane

    I mean it, stuff like this.. like.. wtf? why in order to keep a userland app updated does there need to be some kind of service running with root privileges? That just trusts a world-writable object to tell it what to run?

    Like.. just.. make a 'steam' user and group. Install your steam shit and keep it updated in /opt/steam or /home/steam or wtf just don't do what windows does :V

  8. Maelstorm
    Big Brother

    I have a game...

    I have a game called Aion which seems to require admin rights to even start the launcher. What's funny though is that I start it from a batch file and specifically state that it does not have admin rights and it runs just fine. It looks like the manifest in the executable specifies admin rights, but nothing uses it. Other games such as the Blizzard variety are quite happy with restricted user rights. Game developers who require admin rights for their games are either sloppy, lazy, or incompetent. I have written games and under no situation have I ever needed admin rights. It's a game, not a utility. The only reason why I can see that a game requires admin rights is that the game is actually a trojan horse and is stealing your data.

  9. Anonymous Coward

    Heh, Steam client update today...

    I see this in the changelog:

    "Steam Windows Service

    Fixed privilege escalation exploit using symbolic links in Windows registry"


Biting the hand that feeds IT © 1998–2019