Millions of Steam users are potentially vulnerable to a newly disclosed attack method that exploits a hole in the way Steam commands interact with certain games, Web browsers, e-mail clients, and other software.
Security researchers at ReVuln, based in Malta, published details of the attack [PDF] earlier this week. The vulnerability resides in the Steam Browser protocol, which is commonly used by websites such as the Steam Web Store to install, uninstall or launch Steam games and perform other common tasks, using URLs starting with "Steam://". By getting a user to click a link to a specially formed Steam URL, an attacker can remotely exploit buffer overflow bugs and other vulnerabilities in various Steam games and in Steam itself to create and run malicious code on a target’s machine, as shown in a posted proof of concept video.
"This is a completely new attack vector, so it’s not related to a single game," Donato Ferrante, a ReVuln co-founder and security researcher, told Ars. "Most of the games on Steam share the same game engine." Once attackers have identified a vulnerability in one of the engines, they can use the Steam protocol to exploit it, he explained.
For instance, a Steam URL can be coded to call a "reinstall" command, which loads a splash image file hosted on an arbitrary Windows Shared Drive controlled by the attacker. By exploiting an integer overflow vulnerability in the way Steam handles that splash image, the attacker can load malicious code into remote memory.
Other exploits disclosed in the ReVuln report depend on the targeted user having specific Steam games installed on their system in order to work. One attack passes URL-encoded run-time instructions to any game based on the popular Source engine, prompting that game to create a new log file with arbitrary content inside. Using this vulnerability, the attacker can create a batch file from whole cloth and insert it in the target’s Startup folder, for instance. Similar exploits described in the paper make use of games running the Unreal Engine, as well as specific games like APB Reloadedand Microvolts. Note that these games don’t have to be actively running for the attack to work—simply having them installed through Steam appears to be enough to let an attacker in through a coded URL.
Not all Web users are equally at risk to these kinds of attacks. Browsers such as Chrome and Internet Explorer present users with an explicit warning when they click a Steam link, telling them they’re about to open or use an external program, and Firefox asks users for confirmation (without explicitly warning of potential vulnerability). Browsers including Apple’s Safari and Webkit, though, allow Steam URLs to launch the program without any warnings, letting a potential attack go completely unnoticed. Many browsers that provide prompts or warnings by default can be configured to suppress them, so it’s possible attacks might work more widely, Ferrante said.
Further, while the attack is less noticeable if Steam is already running in the background, it seems that, in the right browser, the attack can launch Steam and insert the malicious code before a user is able to do anything about it.
If you are running Steam and using a vulnerable browser, you can protect yourself by going into the settings and disabling automatic launching of Steam:// URLs. If you’re already using a browser that gives warning when URLs try to launch external programs, keep a special watch for any suspicious links that try to launch Steam.
Valve has yet to respond to a request for comment on the newly publicized vulnerability.