ReVuln security researchers announced the discovery of a vulnerability in Valve's Steam software that could allow hackers to remotely execute arbitrary code on a victim's PC. The vulnerability is in the Steam Browser protocol, which enables websites like the Steam Web Store to install, uninstall or launch Steam games and perform other common tasks by using URLs starting with "Steam://".
Using a specially crafted Steam URL, hackers can abuse the vulnerability to exploit buffer overflow bugs and other security bugs in various Steam games and in Steam itself to run malicious code on a target's machine.
Most browsers offer some protection against this type of attack: Internet Explorer and Chrome will present users with a warning when they click a Steam link, and Firefox will ask users for confirmation. Apple's Safari and WebKit, on the other hand, will launch Steam from a Steam URL without any warning.
Until Valve patches the vulnerability, gamers need to watch for any suspicious links that try to launch Steam. Further protection can be gained by disabling automatic launching of Steam:// URLs in your browser's settings.
"This is a completely new attack vector, so it's not related to a single game," Donato Ferrante, a ReVuln co-founder and security researcher, told Ars. "Most of the games on Steam share the same game engine." Once attackers have identified a vulnerability in one of the engines, they can use the Steam protocol to exploit it, he explained.
For instance, a Steam URL can be coded to call a "reinstall" command, which loads a splash image file hosted on an arbitrary Windows Shared Drive controlled by the attacker. By exploiting an integer overflow vulnerability in the way Steam handles that splash image, the attacker can load malicious code into remote memory.
Other exploits disclosed in the ReVuln report depend on the targeted user having specific Steam games installed on their system in order to work. One attack passes URL-encoded run-time instructions to any game based on the popular Source engine, prompting that game to create a new log file with arbitrary content inside. Using this vulnerability, the attacker can create a batch file from whole cloth and insert it in the target's Startup folder, for instance. Similar exploits described in the paper make use of games running the Unreal Engine, as well as specific games like APB Reloaded and Microvolts. Note that these games don't have to be actively running for the attack to work—simply having them installed through Steam appears to be enough to let an attacker in through a coded URL.
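As an added example (not code from the ReVuln report or from Valve), here is a defender-side audit that extracts steam:// links from a page and flags the two traits the attacks above rely on: a UNC path that points Steam at a remote share, and command-line switches forwarded to an installed game. The sample HTML, the URL syntax and the heuristics are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample page text; the links are illustrative, not from the report.
SAMPLE_HTML = '''
<a href="steam://run/440">Play</a>
<a href="steam://reinstall/123/%5C%5Cfiles.example.test%5Cshare%5Csplash.tga">Reinstall</a>
<a href="steam://run/220//-windowed+-novid">Launch</a>
'''

STEAM_URL_RE = re.compile(r"steam://[^\s\"'<>]+", re.I)
# Heuristics below are assumptions made for this example, not ReVuln's findings.
UNC_RE = re.compile(r"\\\\[^\\\s/]+\\")        # \\host\  -> a remote Windows share
SWITCH_RE = re.compile(r"(?:^|[\s/+])-[a-z]")  # game command-line switches in the URL

def fully_decode(s, rounds=3):
    """Undo percent-encoding repeatedly, so double-encoded arguments are seen decoded."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify_steam_url(url):
    """Return (command, reasons); reasons is empty when nothing looks risky."""
    decoded = fully_decode(url)
    rest = decoded[len("steam://"):]
    command, _, args = rest.partition("/")
    reasons = []
    if UNC_RE.search(args):
        reasons.append("argument references a remote share (UNC path)")
    if SWITCH_RE.search(args):
        reasons.append("argument passes command-line switches to the game")
    if "\n" in args or "\r" in args:
        reasons.append("argument contains line breaks")
    return command.lower(), reasons

def audit_page(html):
    """Return [(url, command, reasons)] for every steam:// link found in html."""
    return [(u,) + classify_steam_url(u) for u in STEAM_URL_RE.findall(html)]

if __name__ == "__main__":
    for url, command, reasons in audit_page(SAMPLE_HTML):
        print("RISKY " if reasons else "ok    ", command, url, "; ".join(reasons))
```

A plain steam://run/<appid> link is reported clean; the two links that carry a share path or game switches are the ones a browser-side block on the Steam:// handler would have stopped.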