Possible security vulnerability documented in Steam when using certain internet browsers
79 replies, posted
[QUOTE][URL="http://revuln.com/"]Revuln[/URL], a software and hardware security company, has published a [URL="http://www.valvetime.net/attachments/revuln_steam_browser_protocol_insecurity-pdf.23797/?temp_hash=11267760f2c7fbf231e28abe14e9b1b6"]report[/URL] and [URL="http://vimeo.com/51438866"]video proof-of-concept[/URL] detailing security vulnerabilities of Steam. The vulnerabilities centre around Steam browser protocol commands. Like the normal http:// commands that tell your browser to load a website, the steam:// protocol commands tell Steam to execute various functions. This allows users to, for example, download and install demos by clicking links on the Steam store page in their browsers. For instance, copying the following command into your address bar and hitting enter should, assuming you have Steam installed, download and run Team Fortress 2: [I]steam://run/440[/I]
The first part of this vulnerability comes from the fact that some browsers, such as Safari, will execute these commands automatically upon receiving them without informing the user that any action has been taken. Chrome is the most secure browser, with a detailed warning including the full URL and the program to be called. Internet Explorer will display a warning and the URL, and Firefox will simply ask for confirmation without warnings or details. Lesser-used browsers that also execute without warning are Webkit, MaxThon, Avant and Lunascape. The browser used in Steam's in-game overlay completely ignores steam:// commands and as such is not vulnerable to this method at all.
The second part of this vulnerability is the ability for a steam:// link to run a game with command line parameters, allowing the attacker to use vulnerabilities in Steam games themselves. One of the methods shown is to run Team Fortress 2 and have it create a .bat file in the user's Startup folder. This will cause the user's PC to execute any commands the attacker likes upon the next PC startup. Another possible vulnerability documented is related to the free-to-play game All Points Bulletin: Reloaded. The game features a customizable auto-update feature and it is possible to command it to connect to a server of the attacker's choosing where it will download whatever files it is given.
You can read the report in its entirety [URL="http://www.valvetime.net/attachments/revuln_steam_browser_protocol_insecurity-pdf.23797/?temp_hash=11267760f2c7fbf231e28abe14e9b1b6"]here[/URL] and watch the video demonstration [URL="http://vimeo.com/51438866"]here[/URL]. If you are worried about these vulnerabilities you can minimize any risk by using [URL="https://www.google.com/chrome/"]Google Chrome[/URL] as your browser and not allowing it to execute any Steam browser protocol commands that you did not intentionally run.
[/QUOTE]
[URL]http://www.valvetime.net/threads/possible-security-vulnerability-documented-in-steam-when-using-certain-internet-browsers.231713/[/URL]
" For instance copying the following command into your address bar and hitting enter should, assuming you have Steam installed, download and run Team Fortress 2:steam://run/440"
So, what's the issue exactly?
" One of the methods shown is to run Team Fortress 2 and have it create a .bat file in the user's Startup folder. This will cause the user's PC to execute any commands the attacker likes upon the next PC startup. "
Fixit Fixit Fixit Fixit Fixit Fixit!
[QUOTE]For instance copying the following command into your address bar and hitting enter should, assuming you have Steam installed, download and run Team Fortress 2: steam://run/440
[/QUOTE]
shit just got real
call the cops, call the fbi, we need everyone on this right now
[quote]Team Fortress 2 and have it create a .bat file in the user's Startup folder. This will cause the user's PC to execute any commands the attacker likes upon the next PC startup[/quote]
Why would any game [I]EVER[/I] be given the capabilities to do something like this?
What have you done, Valve?
[quote]Another possible vulnerability documented is related to the free-to-play game All Points Bulletin: Reloaded. The game features a customizable auto-update feature and it is possible to command it to connect to a server of the attacker's choosing where it will download whatever files it is given[/quote]
No kind of verification that the server it's pointed to is actually run by the game's maker? Bad, bad, BAD.
Jesus, what happened to security?
Everyone Panic!
So basically if you're using Safari someone could delete your system32 folder using a link that launches tf2
wow nice
Is it applicable to other OSes that aren't Windows?
Alternatively, use a bit of common sense and don't click links that reference steam:// ?
[QUOTE=Ereunity;38062073]Alternatively, use a bit of common sense and don't click links that reference steam:// ?[/QUOTE]
[url=steam://run/440]http://facepunch.com[/url]
[QUOTE=Ereunity;38062073]Alternatively, use a bit of common sense and don't click links that reference steam:// ?[/QUOTE]
Ideally yes; I never do anything like that, thus I'm safe in theory. Regardless, this is something that should be fixed; security vulnerabilities are serious business at the best of times.
[QUOTE=geel9;38062092][url=steam://run/440]http://facepunch.com[/url][/QUOTE]
Smart :v: I knew you were tricking me but it ran steam
Sandboxied chrome so it ran steam in a sandbox :v:
[QUOTE=geel9;38062092][url=steam://run/440]http://facepunch.com[/url][/QUOTE]
Wasn't hard to mouse over and read the link in the bottom of my browser saying "steam://run/440".
IE shows it too.
I have been using these links for years and find them pretty useful
Reminds me of the avatar glitch a while ago.
Just a tad worse.
You can also do this to have other people change their avatar among other things
[editline]16th October 2012[/editline]
dammit
[QUOTE=Ereunity;38062135]Wasn't hard to mouse over and read the link in the bottom of my browser saying "steam://run/440".
IE shows it too.[/QUOTE]
if you check every single link manually you'd be paranoid however
of course, sandboxing it fixes EVERYTHING.
[QUOTE=Ereunity;38062135]Wasn't hard to mouse over and read the link in the bottom of my browser saying "steam://run/440".
IE shows it too.[/QUOTE]
Well obviously in this context you knew it'd be a trick
Do you check every link that's shown in http:// format?
the avatar thing also worked in [img] tags so common sense can't help you there
unless there's a steam://emailpasswordto/russianhacker@hacks.ru command it's not a vulnerability
The issue is less that games can be run through the browser, which many legitimate sites such as tf2lobby use.
The primary issue is that because it can launch games with command line parameters (which I assume is necessary to make it connect to specific servers and the like) they can make the games do things that they probably shouldn't be able to.
Saying "don't click steam protocol links" is not a solution for obvious reasons.
[quote]Another possible vulnerability documented is related to the free-to-play game All Points Bulletin: Reloaded. The game features a customizable auto-update feature and it is possible to command it to connect to a server of the attacker's choosing where it will download whatever files it is given.[/quote]
I'd say that's an issue with APB and not Steam itself, since it would work outside of Steam too and it's pretty much the APB devs' responsibility to make sure their shit is safe.
[QUOTE=raviool;38062263]unless theres a steam://emailpasswordto/russianhacker@hacks.ru command its not a vulnerability[/QUOTE]
Right, because a bug that lets games create batch files that can do anything from shutting your computer down to trashing your registry is TOTALLY not a vulnerability.
[QUOTE=Fear_Fox;38062317]I'd say that's an issue with APB and not Steam itself. Since it would work outside of Steam too and it's pretty much the APB devs responsibility to make sure their shit is safe.[/QUOTE]
There goes my rig
[QUOTE=Forumaster;38062332]Right, because a bug that lets games create batch files that can do anything from shutting your computer down to trashing your registry is TOTALLY not a vulnerability.[/QUOTE]
Uh, it shouldn't be able to do anything serious without administrator privileges.
Which most people, especially gamers, have on their own machines. Gamers also tend to turn UAC off because it likes to fuck with certain games, so the command prompt runs with admin rights.
[QUOTE=geel9;38062197]Well obviously in this context you knew it'd be a trick
Do you check every link that's shown in http:// format?[/QUOTE]
Don't have to.
[img]http://u.cubeupload.com/Paramud/8ZQaTp.png[/img]
Opera master race.
[QUOTE=Paramud;38062596]Don't have to.
[img]http://u.cubeupload.com/Paramud/8ZQaTp.png[/img]
Opera master race.[/QUOTE]
Good thing the article wasn't [b]talking about you[/b]
[QUOTE=Paramud;38062596]Don't have to.
[img]http://u.cubeupload.com/Paramud/8ZQaTp.png[/img]
Opera master race.[/QUOTE]
"do not show this dialog again"
I have that selected in chrome because I use sites that use steam links like addfriend and joingame and the less clicks the better.
[editline]16th October 2012[/editline]
[QUOTE=raviool;38062263]unless theres a steam://emailpasswordto/russianhacker@hacks.ru command its not a vulnerability[/QUOTE]
It can write batch files, which execute commands without user approval as long as the user is an admin with UAC disabled (most gamers and computer literates are)
For example it could format your hard drives, open your CD tray, delete files (and render your computer unusable), change your user password, disable any website, disable your firewall...
[QUOTE=latin_geek;38062853] It can write batch files, which execute commands without user approval as long as the user is an admin with UAC disabled (most gamers and [B]computer literates are[/B])
For example it could format your hard drives, open your CD tray, delete files (and render your computer unusable), change your user password, disable any website, disable your firewall...[/QUOTE]
I really, really hope computer literates don't turn off UAC, knowing that it's... kinda sorta important for security reasons.
[QUOTE=Forumaster;38061940]Why would any game [I]EVER[/I] be given the capabilities to do something like this?
[/QUOTE]
Maybe TF2 can auto-generate text files, such as configuration files for user preferences.