Possible security vulnerability documented in Steam when using certain internet browsers
79 replies, posted
If you don't have administrative privileges on your PC, are you alright, or?
Whelp, time to switch to Origin.
I wonder what the equivalent is on the mac version of steam.
Safari is a shitty browser in the first place so.
[QUOTE=Forumaster;38061940]Why would any game [I]EVER[/I] be given the capabilities to do something like this?
What have you done, Valve?[/QUOTE]
Basically, they use the +con_logfile command to log the console to a batch file. They then use the +echo command to echo a batch command to the console, which is then logged to the batch file (aka the con_logfile). Then +quit is used to leave the game.
They also noted exploits in the steam client with game install TGA splash images, but then you'd need to get the malformed splash image on to the computer first, and that'd just be pointless.
In recap: TF2 has bugs, you should use common sense.
From a programmer's perspective, this is actually kind of cool, because from your browser you could, for instance, have a link that when clicked took you to a specific gmod server.
But yeah, this is a pretty nasty bug.
[quote]The browser used in Steam's in-game overlay completely ignores steam:// commands and as such is not vulnerable to this method at all.[/quote]
I'm sorry, but this is bullshit; Steam's in-game WebKit-based browser relies heavily on the steam:// commands to interface with the application.
[quote]One of the methods shown is to run Team Fortress 2 and have it create a .bat file in the user's Startup folder.[/quote]
Wow, amazing: this guy found out how to make an administrator-run application make a bat file outside of its directory, which it can't even run straight away. You can do this with nearly any application which reads and writes files outside of its directory, which Source does. It sounds like this guy has only just figured out how to use Source command-line functions.
The LoadTGA overflow has been around since Steam was first released, this is really the only one which is a major issue.
Two of these are functions which work as intended, and the rest are not related to Valve, so they can't do shit about it.
The most they can do is remove the parameters section from the steam:// protocol; that would stop the issuing of command-line parameters via the browser.
[QUOTE=eddy-tt-;38063757]Wow, amazing: this guy found out how to make an administrator-run application make a bat file outside of its directory, which it can't even run straight away. You can do this with nearly any application which reads and writes files outside of its directory, which Source does. It sounds like this guy has only just figured out how to use Source command-line functions.[/QUOTE]
Except most programs that allow you to read and write files usually don't include the ability to read and write files with a link from a web browser. And that's the issue.
[QUOTE=supersnail11;38063859]Except most programs that allow you to read and write files usually don't include the ability to read and write files with a link from a web browser. And that's the issue.[/QUOTE]
That's only because of the parameters section of the run protocol; if they remove that or give it a whitelist, the problem is solved. I've also honestly never seen that part of the run protocol used, so I'm going to assume it was originally an intended feature which was forgotten about.
That is the only issue this whole proof of concept shows with Steam, the rest are 3rd party developer flaws.
[editline].[/editline]
But then again, if the Steam web protocol is the same thing that Steam uses internally in its client, that would completely screw up setting a custom command line; but surely Valve wasn't that daft, and the client should call its commands directly and not through some external protocol.
Steam should add a tickbox so that you can run steam:// only from Valve-owned or approved websites.
[QUOTE=eddy-tt-;38063757]I'm sorry, but this is bullshit; Steam's in-game WebKit-based browser relies heavily on the steam:// commands to interface with the application.
Wow, amazing: this guy found out how to make an administrator-run application make a bat file outside of its directory, which it can't even run straight away. You can do this with nearly any application which reads and writes files outside of its directory, which Source does. It sounds like this guy has only just figured out how to use Source command-line functions.
The LoadTGA overflow has been around since Steam was first released, this is really the only one which is a major issue.
Two of these are functions which work as intended, and the rest are not related to Valve, so they can't do shit about it.
The most they can do is remove the parameters section from the steam:// protocol; that would stop the issuing of command-line parameters via the browser.[/QUOTE]
Except there's nearly no reason to allow a game to create files outside of its directory. Make it so it only takes filenames for log files and stores them all in tf2/LOGS or something.
[QUOTE=itisjuly;38064032]Steam should add a tickbox so that you can run steam:// only from Valve-owned or approved websites.[/QUOTE]
But that would remove the use of steam://addfriend, steam://connect, etc.
They just need to sandbox things and remove the command-line arguments on the steam://run command.
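The "whitelist the commands and drop the run command's parameter section" idea from the last two posts, written out as an added example (hypothetical handler logic, not Valve's code; the command names, argument validators and sample URLs are assumptions/constructed):

```python
from typing import Optional
from urllib.parse import urlsplit


# Hypothetical validators for the single argument each allowlisted command takes.
def _is_appid(s: str) -> bool:
    return s.isdigit()


def _is_host_port(s: str) -> bool:
    host, sep, port = s.rpartition(":")
    return bool(sep) and bool(host) and port.isdigit() and 0 < int(port) < 65536


def _is_steamid(s: str) -> bool:
    return s.isdigit()


# Constructed allowlist: command -> validator for its one permitted argument.
ALLOWED = {
    "run": _is_appid,
    "connect": _is_host_port,
    "addfriend": _is_steamid,
}


def sanitize_steam_url(url: str) -> Optional[str]:
    """Rebuild a steam://<command>/<argument> URL from its allowlisted parts.

    Returns None for unknown commands or malformed arguments. Every path
    segment after the first is discarded, which is where extra command-line
    parameters to a launched game would otherwise ride along.
    """
    parts = urlsplit(url)
    if parts.scheme != "steam":
        return None
    # For steam://run/440 urlsplit yields netloc="run" and path="/440".
    command = parts.netloc.lower()
    segments = [s for s in parts.path.split("/") if s]
    validator = ALLOWED.get(command)
    if validator is None or not segments:
        return None
    argument = segments[0]
    if not validator(argument):
        return None
    return f"steam://{command}/{argument}"


if __name__ == "__main__":
    # Constructed inputs: a plain launch, a launch with trailing parameters,
    # a connect link and an unknown command.
    for sample in ("steam://run/440", "steam://run/440//-some_argument/",
                   "steam://connect/127.0.0.1:27015", "steam://paypal/cancel"):
        print(sample, "->", sanitize_steam_url(sample))
```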
[QUOTE=J!NX;38062168]if you check every single link manually you'd be paranoid however[/QUOTE]
I always do that. I thought everyone did that. You mean people don't do that?
[QUOTE=Ardosos;38065070]I always do that. I thought everyone did that. You mean people don't do that?[/QUOTE]
not anyone I know of at least
[QUOTE=Forumaster;38062437]Which most people, especially gamers, have on their own machines. Gamers also tend to turn UAC off because it likes to fuck with certain games, so the command prompt runs with admin rights.[/QUOTE]
There's no need for UAC off anymore; programs that had issues with it are fixed, and Windows 7 has improved UAC.
steam://paypal/cancel
good thing i use chrome?
[QUOTE=Winner;38066421]I can't even get TF2 to write logs anywhere unless it's inside the tf folder
> con_logfile "c:\log"
> echo hi
Doesn't work[/QUOTE]
you may have to do
../../../../../../../../../../../log.bat
-snip
[QUOTE=The Baconator;38065661]There's no need for UAC off anymore; programs that had issues with it are fixed, and Windows 7 has improved UAC.[/QUOTE]
The only program that ever, ever, ever had problems with UAC was source2006 in like 2007, when I had Vista.
I don't know why people turn UAC off in the first place. In fact, I have it set to the highest setting, and I use a regular limited user account for everyday stuff.
[QUOTE=Winner;38066908]That doesn't work either
If I set con_logfile to a file in the tf folder, then set it to a file somewhere else, it keeps writing to the first file. But when I set it to a file in the tf folder, and then to a different file in that folder, it'll write to the new one instead.
So I have no clue how they got it to write outside of the tf folder![/QUOTE]
Try setting it to [url=http://pastebin.com/rirn5cRC]/hello_c_drive.bat[/url] (I released that POC over a year ago)
Filesystem protections should check the absolute path IMO
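The "check the absolute path" suggestion above, as an added example that is not from the thread or from Valve: a prefix-only check that only asks "is this a relative path?" beside a check that normalises the joined path and requires the result to stay inside the allowed log directory. The directory name is constructed; backslashes are folded to slashes so the demo runs on any platform.

```python
import os
from typing import Optional

# Constructed: the only directory the game should ever write log files into.
LOG_DIR = "/games/steamapps/common/tf2/tf/logs"


def _looks_absolute(p: str) -> bool:
    """True for POSIX absolute paths and Windows drive-letter paths (c:\\...)."""
    return p.startswith("/") or (len(p) > 1 and p[1] == ":")


def naive_is_relative(requested: str) -> bool:
    """Prefix-only check: accepts anything that is not an absolute path.

    Relative paths built from '..' components pass this check even though they
    resolve far outside the log directory.
    """
    return not _looks_absolute(requested.replace("\\", "/"))


def resolve_log_path(requested: str, base_dir: str = LOG_DIR) -> Optional[str]:
    """Return the normalised absolute path if it stays inside base_dir, else None.

    The decision is made on the *resolved* path, so '..' traversal, absolute
    paths and drive letters are all rejected by the same containment test.
    """
    p = requested.replace("\\", "/")
    if not p or _looks_absolute(p):
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, p))
    # Must be base itself or a path strictly beneath it (note the separator:
    # '/logs' must not match '/logs-other').
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def is_safe_log_path(requested: str) -> bool:
    return resolve_log_path(requested) is not None


if __name__ == "__main__":
    for sample in ("console.log", "sub/../match.log",
                   "../../../../../../../../../../../log.bat", "c:\\log"):
        print(f"{sample!r}: naive={naive_is_relative(sample)} "
              f"absolute-check={is_safe_log_path(sample)}")
```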
[QUOTE=The Baconator;38065661]There's no need for UAC off anymore; programs that had issues with it are fixed, and Windows 7 has improved UAC.[/QUOTE]
Ah, I should give it a try then. I remember having Vista with UAC; that was the worst shit ever.
[editline]17th October 2012[/editline]
The school administrators turn UAC off straight away because it's annoying. I mean, I don't go crazy and download every application in the world; I know what to trust.
[QUOTE=BlkDucky;38063028]I really, really hope computer literates don't turn off UAC, knowing that it's... kinda sorta important for security reasons.[/QUOTE]
This. I cannot stress the importance of UAC. It also becomes personal when fully paid IT technicians outright disable it without knowing the consequences of their actions.
[QUOTE=GreenDolphin;38067202]This. I cannot stress the importance of UAC. It also becomes personal when fully paid IT technicians outright disable it without knowing the consequences of their actions.[/QUOTE]
If UAC wasn't so god damn intrusive, I'd have it enabled.
Does it have to ask for my permission when I click "Apply" in a control panel dialog?
I was fine with Windows XP and I'm fine now. I regularly backup every week and disconnect the drive when it's done, I keep my anti-virus definitions up to date, I enable two-step verification for just about everything I can, and I don't launch applications from people I don't trust. It's not hard to stay safe without Windows holding your hand 24/7.
Besides that, this is a vulnerability in games that commonly write to the disk. Why wouldn't someone playing the game say "Yes" to a game they trust?
[QUOTE=BlkDucky;38063028]I really, really hope computer literates don't turn off UAC, knowing that it's... kinda sorta important for security reasons.[/QUOTE]
UAC is designed to keep your grandmother from installing BonziBuddy. It just gets in the way for people who know what they're doing. Hence, it gets turned off. I've got it off on my machine, and have had it off since Vista introduced it all those years ago.
[editline]16th October 2012[/editline]
[QUOTE=DrogenViech;38066891]
I don't know why people turn UAC off in the first place. In fact, I have it set to the highest setting, and I use a regular limited user account for everyday stuff.[/QUOTE]
I have it turned off because I don't want windows bitching at me every time I open a window, and I have admin privvies on my user account because I don't feel like restarting every time I need to adjust my brightness...which is fairly common.
[QUOTE=geel9;38062092][url=steam://run/440]http://facepunch.com[/url][/QUOTE]
JOKE'S ON YOU, I'M USING LINUX
...
:suicide:
[QUOTE=GreenDolphin;38067202]This. I cannot stress the importance of UAC. It also becomes personal when fully paid IT technicians outright disable it without knowing the consequences of their actions.[/QUOTE]
Everybody I've talked to who has disabled UAC either does it because they were told to (and didn't know better) or thought they knew better and disabled it. I suppose it's similar to people who use "common sense" as an AV: they're actually making themselves less secure.
One of the first things I do when I install Windows 7 is put UAC back up to the level it was in Vista, since they fixed the main issue with it (over-prompting).
[QUOTE=BlkDucky;38063028]I really, really hope computer literates don't turn off UAC, knowing that it's... kinda sorta important for security reasons.[/QUOTE]
Oh come [b]on[/b].
It's so [b]fucking annoying for me.[/b]
It delays shit from opening all the fucking time, and sometimes it's really fucking slow because the program is a huge-ass installer, so for whatever reason it will take 10 minutes just for the dialog box to actually pop up.
I still have yet to end up in a situation where UAC would have done fucking anything to help me, because I've never gotten my shit hacked or had a virus in 6 years of internet browsing.
[QUOTE=Rellow;38070622]
It delays shit from opening all the fucking time, and sometimes it's really fucking slow because the program is a huge-ass installer, so for whatever reason it will take 10 minutes just for the dialog box to actually pop up.[/QUOTE]
It sounds like your computer has some serious issues. It doesn't even delay mine for a second longer than opening a program without it on.