
# Title : Steam v.54/894 Local Privilege Escalation Vulnerability
# Published : 2009-08-07
# Author : MrDoug


Steam (Multiple .exe's) Local Privilege Escalation

By:
 MrDoug
 mrdoug13[at]gmail[dot]com

Version Info:
 Steam windows client
 Built: Jun 30 2009, at 13:29:32
 Steam API: v008
 Steam Package versions: 54/894

Greetz:
 Slappywag, Doomchip, Bolo, Eliwood, and the rest.

Special Thanks:
 Jeremy Brown and Nine:Situations:Group...
 Their work led me to this.

==================================================

The latest Steam client (and other Steam related executables)
suffers the same privilege escalation issue we saw in Adobe Acrobat NOS
the other day (http://milw0rm.com/exploits/9199).  This is particularly
bad because, by default, Steam starts automatically.  That means that as
soon as an administrator logs in... game over.

==================================================

POC:

C:\>cacls "C:\Program Files\Steam\Steam.exe"
C:\Program Files\Steam\Steam.exe BUILTIN\Users:F  <-- (Danger Will Robinson!!)
                                 BUILTIN\Power Users:C
                                 BUILTIN\Administrators:F
                                 NT AUTHORITY\SYSTEM:F

The executables listed below are also vulnerable, as well as many, MANY
more that I have not mentioned.  See for yourself.

%programfiles%\Steam\uninstall_css.exe
%programfiles%\Steam\Unwise32.exe
%programfiles%\Steam\GameOverlayUI.exe
%programfiles%\Steam\uninstall_steam.exe
%programfiles%\Steam\WriteMiniDump.exe
%programfiles%\Steam\bin\SteamService.exe

--The following are dependent on what games are installed.

%programfiles%\Steam\common\audiosurf\Audiosurf.exe
%programfiles%\Steam\common\audiosurf\testapp.exe
%programfiles%\Steam\common\audiosurf\engine\QuestViewer.exe
%programfiles%\Steam\common\left 4 dead\left4dead.exe
%programfiles%\Steam\steamapps\[username]\counter-strike source\hl2.exe
%programfiles%\Steam\steamapps\[username]\half-life 2\hl2.exe
%programfiles%\Steam\steamapps\[username]\garrysmod\hl2.exe

...etc...etc...etc...

There are probably 100 more, just look around.  I have yet to see an
executable in the Steam directory with proper permissions.
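A defender-side check for the condition the cacls output above shows, added here as an example and not part of the original advisory: it walks the install tree and flags every executable whose DACL grants write-capable rights to a low-privileged principal such as BUILTIN\Users. The $Root default, the principal list and the icacls remediation lines are assumptions, not something the advisory specifies.

```powershell
# Added audit script (not part of the original advisory). Reports .exe/.dll files under
# $Root whose DACL lets low-privileged principals modify them, i.e. the weak-ACL
# pattern the advisory's cacls output shows (BUILTIN\Users:F on Steam.exe).
# Assumption: $Root is the Steam install directory; works from a normal user account.
param(
    [string]$Root = (Join-Path $env:ProgramFiles 'Steam')
)

# Principals that should never hold write access on an executable in Program Files.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights is enough to replace or alter the file's contents.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

Get-ChildItem -Path $Root -Recurse -Include '*.exe','*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            # Only explicit or inherited Allow entries for low-privileged principals matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [PSCustomObject]@{
                Path      = $_.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    } | Format-Table -AutoSize

# Remediation (run from an elevated prompt): drop the offending grant and restore the
# usual read/execute-only access for Users, shown for the file the advisory lists.
#   icacls "C:\Program Files\Steam\Steam.exe" /remove:g "BUILTIN\Users"
#   icacls "C:\Program Files\Steam\Steam.exe" /grant:r "BUILTIN\Users:(RX)"
```

Inherited entries are reported too, since a writable parent directory (the Steam folder itself) is the same problem one level up; fix the directory ACL rather than each file when that is the source.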

==================================================

Exploit:

So simple... write it yourself you silly goose :3

# www.Syue.com [2009-08-07]