Posted on Thursday, August 08 2019 @ 12:21 CEST by Thomas De Maesschalck
After unsatisfactory dealings with HackerOne, which runs the Steam bug bounty program, security researcher Vasily Kravets publicly disclosed a 0-day escalation exploit in the Steam Client Services.
The vulnerability allows malware to bypass Windows security and gain access to SYSTEM level privileges.
The vulnerability lies within Steam Client Service. The service may be started or stopped by unprivileged users. This becomes a problem because, when run,Steam Client Service automatically sets permissions on a range of registry keys. If a mischievous—or outright malicious—user were to symlink one of these keys to that belonging to another service, it becomes possible for arbitrary users to start or stop that service as well. This becomes even more problematic when you realize that it's possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.
Following several rejections from HackerOne, Kravets decided to publicly disclose the flaw.
Full details
at ARS Technica.
