
Steam Protocol Opens PCs to Remote Code Execution

Unknown Lamer posted about 2 years ago | from the basically-working-as-designed dept.

DRM 128

Via the H comes news of a possible remote attack vector using the protocol handler installed by Valve's Steam platform: "During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games ... In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system (PDF) via a batch file that they had created in the autostart folder. ... In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer. "


128 comments


Before anyone panics... (3, Informative)

MachDelta (704883) | about 2 years ago | (#41682343)

A (user side) solution from TFA:

The issue can be limited by disabling the steam:// URL handler

Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

Re:Before anyone panics... (0)

casings (257363) | about 2 years ago | (#41682381)

Well for an ideal exploit, you wouldn't know.

Re:Before anyone panics... (1)

Anonymous Coward | about 2 years ago | (#41682573)

steam://nakedmileycyruspics.ua would be OK, right?

Re:Before anyone panics... (2, Insightful)

Anonymous Coward | about 2 years ago | (#41682395)

Sounds alright to me. I can't recall ever clicking a steam:// link anyways.

I'm sure a couple lines of basic javascript would be able to do that on your behalf though.

Re:Before anyone panics... (1)

viperidaenz (2515578) | about 2 years ago | (#41685137)

.... or embedding it in an <img href="steam://nakedmileycyruspics.ua"> tag in an ad that targets people who search for the particular game being exploited. Perhaps some nice targeted advertising for "unreal walkthrough" (and all the other games that use the unreal engine)

but are you paranoid enough? (0)

Anonymous Coward | about 2 years ago | (#41685419)

I thought the link to the PDF [revuln.com] in the summary was a nice touch.

Re:Before anyone panics... (4, Informative)

sourcerror (1718066) | about 2 years ago | (#41682445)

If you want to place shortcuts to your desktop you will need it though.

Re:Before anyone panics... (0)

Anonymous Coward | about 2 years ago | (#41682703)

I never did understand why steam ask if I want to make shortcuts.
I can already start them from steam, why would I want additional shortcuts cluttering up my desktop?
Then again, my desktop wallpaper is an empty black screen.

Re:Before anyone panics... (1)

interval1066 (668936) | about 2 years ago | (#41682799)

Whatever your wp is, I agree, shortcuts are a pain in the ass. For me they're a short-term convenience and I get rid of them when I'm done with the task of the moment. When installers ask me if I want a short-cut to their wiz-bang application I cringe.

Re:Before anyone panics... (1)

afidel (530433) | about 2 years ago | (#41683069)

It's easier to click on the desktop link than it is to launch steam, go to library, find your game, right click and do launch.

Re:Before anyone panics... (1)

PIBM (588930) | about 2 years ago | (#41683219)

Steam's always running, tons of windows are opened in a very specific order spanning quite a lot of desktop space. I'm never seeing my desktop files. Opening the start menu (windows button) then typing the first few letters of what I want to launch is how I start anything not in steam.

Besides, you can simply double-click on your game name in steam

Re:Before anyone panics... (1)

X0563511 (793323) | about 2 years ago | (#41686109)

Or just right-click the steam icon in the tray. It keeps several of your recent launches at the top ready to quick-launch.

Re:Before anyone panics... (1)

HiThere (15173) | about 2 years ago | (#41683865)

Anyway, that's not needed for a shortcut. Just a simple shell script will suffice. You can also attach an icon to it and stick it in your taskbar. No need for a URL to launch a local application.

N.B.: This comment may not apply to gnome3. I've heard some pretty strange stories about the built-in limitations that *it* has. (No task bar? You're kidding, right?)

Re:Before anyone panics... (1)

xmousex (661995) | about 2 years ago | (#41683891)

click on steam icon in tray, game list scrolls up, click the name of the game you want. it's only two clicks..

Re:Before anyone panics... (1)

afidel (530433) | about 2 years ago | (#41684119)

I don't leave steam running you insensitive clod.

Re:Before anyone panics... (1)

wjousts (1529427) | about 2 years ago | (#41683243)

When installers ask me if I want a short-cut to their wiz-bang application I cringe.

I cringe more when they don't ask and just do it anyway. Serious pet-peeve.

Re:Before anyone panics... (1)

dotHectate (975458) | about 2 years ago | (#41683343)

When installers ask me if I want a short-cut to their wiz-bang application I cringe.

I cringe more when they don't ask and just do it anyway. Serious pet-peeve.

It seems that everything on Android does this. The first thing I do after installing something is to remove the shortcut from the main pages. I have a whole screen with nothing but my apps - why would I want that on my main screen too?

Re:Before anyone panics... (2)

Happler (895924) | about 2 years ago | (#41683605)

That is a setting in the play store for android. Easy to turn off.

Re:Before anyone panics... (0)

Anonymous Coward | about 2 years ago | (#41683751)

yes, it is. the first thing i did after getting my galaxy nexus was to google how to turn off the desktop shortcuts. if i wanted a cluttered mess of icons i would have gotten an iOS device.

Re:Before anyone panics... (1)

HideyoshiJP (1392619) | about 2 years ago | (#41684743)

It admittedly took me a while to find that setting as I mistakenly assumed it would be in the settings app, as opposed to a setting with the Play store itself. I clearly was not thinking that day.

Re:Before anyone panics... (1)

viperidaenz (2515578) | about 2 years ago | (#41685165)

Weird... I never had to turn it off. Didn't know the option existed.

Re:Before anyone panics... (1)

firesyde424 (1127527) | about 2 years ago | (#41684335)

There is a setting to prevent that under the App Store

Re:Before anyone panics... (1)

X0563511 (793323) | about 2 years ago | (#41686123)

In contrast, I have never seen an icon that I did not create or that did not come that way out of the box.

You probably have that option in the play store turned on that the other folks are mentioning.

Re:Before anyone panics... (0)

Anonymous Coward | about 2 years ago | (#41682819)

Some people use the desktop since it's quicker than opening the game list and double-clicking there, just like some people will put their favorite programs on their tray.

Re:Before anyone panics... (2)

Gaygirlie (1657131) | about 2 years ago | (#41682885)

Because double-clicking a pretty icon is faster than hunting from Steam collections? At least I like to have the games I currently play on the desktop, though the ones I am not actively playing I remove from there.

Re:Before anyone panics... (1)

SlappyMcgee (1364419) | about 2 years ago | (#41683179)

The games I currently play are available from right clicking the steam icon in the task bar - they are at the top of the list. I hate desktop icons.

Re:Before anyone panics... (1)

Talderas (1212466) | about 2 years ago | (#41684967)

I've had problems with that on Windows 7. When I fresh open steam after a restart sometimes it won't show any games recently played. Then after playing a game that game will show up. Then later, after something happens, I'll get my 6 most recent games to pop up. The unreliability of the method means I no longer use it. I also don't care enough to figure out why it does it.

Re:Before anyone panics... (0)

Anonymous Coward | about 2 years ago | (#41683329)

not true, these files exist on your hard drive and can be run like anything else. some specific games may refuse to launch without that, but i have not found one yet.

Re:Before anyone panics... (1)

humanrev (2606607) | about 2 years ago | (#41686305)

There's no reason to believe that you need something like a steam:// handler to launch via shortcut. Surely Steam can be coded such that shortcuts instead point to the Steam executable with a parameter to the relevant game ID (e.g. C:\Steam\Steam.exe -launch 9520). This would bypass the issue of abuse at least partially.

The purpose for the handler is only because Steam is part browser, and so launching stuff within Steam is made easier via the handler. But for shortcuts? Shouldn't be necessary.

Re:Before anyone panics... (2, Informative)

The MAZZTer (911996) | about 2 years ago | (#41682971)

If you have used Steam you have clicked on a steam:// link at some point. The built-in web browser uses links all over the place. The install button for installing your now-purchased games uses it. Every link that opens in a new browser window uses it.

Re:Before anyone panics... (0)

Anonymous Coward | about 2 years ago | (#41683153)

No, I haven't. I run steam exclusively in Wine and I've never bothered to manually set up the steam:// association. I make all my purchases in a browser, and none of the fancy "click HERE to play your game!" links work.

Re:Before anyone panics... (1)

Anonymous Coward | about 2 years ago | (#41685179)

No, I haven't. I run steam exclusively in Wine and I've never bothered to manually set up the steam:// association. I make all my purchases in a browser, and none of the fancy "click HERE to play your game!" links work.

Great.

So, did you download the game outside of Steam somehow, or did you click an Install Game button at some point? Because if you clicked said install button from, say, within Steam's Store "application" (which is itself a Webkit browser), then you clicked on a steam:// link.

Re:Before anyone panics... (2)

cbhacking (979169) | about 2 years ago | (#41685539)

More to the point, while the GP may not have bothered to set up the steam:// URI association in the host Linux system, within the Wine environment it will be working. Now, granted, most people who use Wine for gaming probably aren't also using it for something like running IE4Linux, but if you *were* to do that, you would (potentially) be vulnerable.

Admittedly, the risk is pretty damn minimal in that environment.

Re:Before anyone panics... (1)

The MAZZTer (911996) | about 2 years ago | (#41682993)

Also: Steam will reregister the steam:// protocol every time you start it up, since it would be very broken without it.

Which games are installed... (2)

black6host (469985) | about 2 years ago | (#41682465)

From the summary:
" Potential attackers would, of course, first have to establish which games are installed on the target computer. "

Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x,y and z on it based on the owner's preferences.....

Re:Which games are installed... (1)

cod3r_ (2031620) | about 2 years ago | (#41682529)

or just assume skyrim ... profit

Re:Which games are installed... (1)

Wandering Voice (2267950) | about 2 years ago | (#41683043)

No Skyrim here, but I wonder if HL.exe is even more common. I can't remember the last time I played Half life, Half Life 2, or DOD, but it loads every time for TF2.

Re:Which games are installed... (1)

gman003 (1693318) | about 2 years ago | (#41683487)

It has to be the specific game - it goes by the Steam game ID, not by the executable name (which is hl2.exe for *most* Source games).

Re:Which games are installed... (2)

amicusNYCL (1538833) | about 2 years ago | (#41683557)

It looks like this is an attack against the games itself, via command line parameter injection, so Skyrim would have to support command line options that would let the attacker do something useful to the system. It sounds like the Source engine is somehow vulnerable by supporting command line options to write to log files, and somehow the Unreal engine lets you execute arbitrary code from the command line. The new XCOM just came out though (and is awesome), I believe that uses the Unreal engine.

Re:Which games are installed... (1)

cod3r_ (2031620) | about 2 years ago | (#41683855)

Dishonored does too. That just came out and is pretty popular.

Re:Which games are installed... (0)

Anonymous Coward | about 2 years ago | (#41682571)

Javascript.

Last time I checked they included advanced technology such as loops and collection data types.

Re:Which games are installed... (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#41682637)

From the summary:
" Potential attackers would, of course, first have to establish which games are installed on the target computer. "

Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x,y and z on it based on the owner's preferences.....

Worse, unless there is absolutely no way to have the process fail silently, there isn't really much penalty attached to iterating your merry way through quite a long list of possibilities...

Even if a message of some kind does pop up, what's Joe User going to do under the flood of error windows all suddenly stealing focus?

Re:Which games are installed... (0)

Anonymous Coward | about 2 years ago | (#41682899)

From the summary:
" Potential attackers would, of course, first have to establish which games are installed on the target computer. "

Create a list of games by popularity, you're bound to find one of them somewhere. In other words, they may not be able to target a specific computer but the odds are good that they'd find many they could target. Even a specific computer, if you know anything about the owner, quite likely might have popular games x,y and z on it based on the owner's preferences.....

Well since steam already tells you what games users have purchased, you can be sure at least some of them are installed.

Re:Which games are installed... (1)

Happler (895924) | about 2 years ago | (#41683727)

Or just look up user names on Steam community to see who has not marked themselves as "private". It shows all games that they own in their profile and what they have played recently.

Too late.. (1)

phrackwulf (589741) | about 2 years ago | (#41682485)

PANIC!!!! PANIC!!! PANIC!!!

Re:Too late.. (0)

Anonymous Coward | about 2 years ago | (#41682629)

PANIC!!!! PANIC!!! PANIC!!!

So ... once again the pirates have a better experience?

Re:Too late.. (-1)

rainmouse (1784278) | about 2 years ago | (#41682739)

Nonsense. Unless you count potentially buggy(buggier?) games with frequently painful install procedures, possible Trojans and viruses and often other game experience limitations.

Pirated games are only free if your time is worthless.

Re:Too late.. (3, Insightful)

Anonymous Coward | about 2 years ago | (#41682867)

Nonsense. Unless you count potentially buggy(buggier?) games with frequently painful install procedures, possible Trojans and viruses and often other game experience limitations.

That hasn't been my experience actually. Most problems I ever had with games were caused by the DRM. Pirate versions eliminate that.

Pirated games are only free if your time is worthless.

In other words "I had a hard time with it so everybody else does too". That just isn't true.

Besides we are talking about games here. Free time is assumed. A few seconds deleting an .exe and copying over the cracked version ONE SINGLE TIME just isn't a big deal. The problems I have had with DRM took up a lot more time than that.

My experience with pirated games is so good that even if I buy the game I still install the pirate version. No offense but perhaps you are not technically competent in this area? Did you ever think maybe your personal experience is not universal?

Re:Too late.. (1)

CastrTroy (595695) | about 2 years ago | (#41683789)

If they can take the time to remove the DRM, they can also take the time to insert other code which does bad things. Movies and music are probably pretty safe when downloaded from pirate sites, but I wouldn't trust anything that's an executable. Anyone with the skill to remove the DRM probably has enough skill to insert a virus and make it hard to detect.

Why bother? (0)

Anonymous Coward | about 2 years ago | (#41684945)

And why wouldn't the DRM already put code in that does bad things? Already does, really.

Maybe that game distributor will delete the driver for your DVD-RW in case you think you can copy the game.

Or root you like Sony did.

Re:Too late.. (1)

Anonymous Coward | about 2 years ago | (#41684059)

Are you stupid on purpose? Or a troll? Or some sort of shill? Or just don't know what you're talking about....

I've been pirating games since the days of the 1200 baud modem. And in all that time. In all those THOUSANDS of games.
I've never found one trojan, virus, or other infected thing in a pirated game. Never. Not once. I am either the most lucky user in the world. OR damn few pirated things are infected. Since i don't feel that lucky.. I'm going with option #2.

However i HAVE purchased a game cd that came with a trojan as part of the install. The game company said sorry but you're shit out of luck. No refund.

Your entire idea is stupid really. Who the fuck is going to screw with distribution of a 4gig or larger package game to infect someone? That's alot of work in an age when you can infect just about anyone with a simple website. Or program, plugin, other... That is much smaller than a game.

If you wanted to target game users.. Putting out an infected trainer or cheat would work better and take far less resources. And that happens ALL THE TIME.
No piracy involved at all either.

The only valid arguments against piracy are either legal. Or moral.
There are no technical reasons that piracy is bad. No matter how people try to spin it as such. And like everywhere else... With piracy you won't get a virus if you pay attention. As for you bit about install? LOL.

And if you wanna get picky.... i trust the pirates FAR more than i trust any company on the planet. The companies all want my money. and they have shown they are willing to do anything legal or illegal to get it.. but the pirates haven't wanted a penny yet.

Re:Too late.. (0)

Anonymous Coward | about 2 years ago | (#41685853)

By "pirated" you mean "cracked"? Personally, I buy what I crack and I crack what I buy, because I value my time and I prefer my software to be safe and reliable. The time spent cracking a game is, in my experience, less than the hassle of going through DRM just once, let alone every single time I want to play the game. I've often found that bugs and stability issues are fixed by applying a crack, but the number of times this has introduced a bug is, so far, 1 (Beyond Good and Evil retail).

Re:Too late.. (1)

trum4n (982031) | about 2 years ago | (#41682757)

always. - a reluctant steam user

Re:Too late.. (0)

Anonymous Coward | about 2 years ago | (#41682775)

Actually Pirates need to worry about a whole different set of vulnerabilities. Since they are downloading and manually running many executables to install and launch a game they subject themselves to a high risk of running malicious code that's been injected into said executables. There are ways to avoid the malicious code, wait several weeks and find the safest download per reviews/download numbers, pirate your friends paid for copy, or steal a copy from the store.

Re:Too late.. (1)

TheRealGrogan (1660825) | about 2 years ago | (#41683393)

In actual fact, that's quite rare in piracy circles, so cut out the FUD. These groups crack programs with pride.

Re:Too late.. (1)

cbhacking (979169) | about 2 years ago | (#41686099)

I did semi-volunteer tech support for my university dorm floor. Every single instance of malware somebody came to me for help cleaning - and there was one at least once per month, on a floor of 70 guys - came from pirated software (typically Photoshop, not games, but sometimes games too). Some were from the outside Internet, some were from the DC++ system that everybody on campus seemed to be using, but they were pervasive.

One of the biggest examples of in-the-wild OS X malware was a trojan in pirate copies of iWork that would add the machines into a botnet.

Malware in pirated software isn't just a hypothetical; it's something that is very, very common. There are, I'm sure, groups who have a good reputation for removing DRM and not inserting their own money-maker (which is what malware is these days; it's all about money) but I'm sure there are also people who take that "clean" code, inject malware, and then re-distribute it. Undeniably, the malware gets into those game installers somehow!

Re:Too late.. (1)

Hal_Porter (817932) | about 2 years ago | (#41683281)

Yeah, no way someone would put malicious code in Keygen or cracked executable.

Re:Too late.. (0)

Anonymous Coward | about 2 years ago | (#41685899)

Actually, keygens often contain malicious code. Cracks from the well-known groups, however, tend to be safer than running the game as the publisher provided it.

Fixed the Title (0)

NinjaTekNeeks (817385) | about 2 years ago | (#41682541)

"Installations of Steam vulnerable to a drive by download by users of mozilla based browsers with certain games installed within steam"

Re:Fixed the Title (1)

Briareos (21163) | about 2 years ago | (#41683023)

Considering that URL handlers are executed by just about any browser on Windows and it's Safari and other Webkit-based ones that silently execute URL handlers instead of asking the user for confirmation - what's with the fixation on Firefox?

Re:Fixed the Title (1)

oji-sama (1151023) | about 2 years ago | (#41683031)

"Installations of Steam vulnerable to a drive by download by users of mozilla based browsers with certain games installed within steam"

Yeah, sure, whatever you say.

Browsers such as Internet Explorer, Chrome and Firefox display an alert when steam:// URLs are called; only Safari passes them on without any warning.

Re:Fixed the Title (1)

NinjaTekNeeks (817385) | about 2 years ago | (#41683109)

"According to the results reported in Table 1 all the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine are a perfect vector to perform silent Steam Browser Protocol calls. "

Yeah, I read it too fast, my mistake.

Re:Fixed the Title (1)

oji-sama (1151023) | about 2 years ago | (#41683209)

And I missed that sentence, thanks. (Although, if I ever see a Launch Application message in Firefox that I wasn't expecting, I certainly won't click OK...)

Re:Fixed the Title (2)

TheLink (130905) | about 2 years ago | (#41683493)

I recommend that people run Firefox as a different user from the user account they use to log in. On Windows you can use the runas command.

You have to give your main user account full permissions to the browser user account, so that you can copy files that the browser downloads etc.

Make sure firefox is installed using either the main or admin account, NOT the browser account. This prevents the browser account from doing too many changes to the executables. However this means you'll need to update the browser using the main/admin account, but this could be considered a feature not a bug ;).

Once you do that if you get hit by a drive by, most of the usual startup stuff[1] will only take effect if you ever log in as the browser user account. But since you only log in as your normal main user account, the stuff doesn't run. If you ever need to run as the browser account, make sure you clean stuff up before you do. If you are using windows, load the registry hive to check etc.

[1] Other stuff could be installed. If you're using Linux "crontabs" and "at" stuff might be able to be configured. However if you set stuff up correctly the damage is limited - since the browser account won't have access to your data. On Windows normal users can't use "at" by default.

Re:Fixed the Title (1)

oji-sama (1151023) | about 2 years ago | (#41683609)

I recommend that people run Firefox as a different user from the user account they use to log in.

Is there a reason that only Firefox users should do this? Based on the PDF, the only difference (in this case) is that some of the other browsers display the URL as well...

Re:Fixed the Title (1)

TheLink (130905) | about 2 years ago | (#41684927)

Reason is I haven't managed to get the "runas" thing to work for Google Chrome and recent versions of IE.

Chrome and IE do sandboxing, I don't know whether that's enough for exploits like this. In contrast if you run firefox as restricted User A, and it somehow can run stuff as User B the OS has a serious bug. There have been such bugs, but they are a lot rarer than bugs in browsers, pdf viewers, flash etc.

For banking stuff I run a different browser using yet another user account. So they can pwn my facebook browser, but the hacker has to be really targeting me to pwn my bank browser. While they can pwn me if they really want, from what I see they are more likely to target the bank - more $$$ for the effort. Even I have found security issues with online bank sites before, so it's not like banks are that much harder to hack than me.

Re:Fixed the Title (1)

oji-sama (1151023) | about 2 years ago | (#41685079)

Chrome and IE do sandboxing, I don't know whether that's enough for exploits like this.

I don't think so, because it is not a browser exploit as such. They are just delivering the URI to Steam. I wonder if the restricted account has the protocol registered as well... Well, at least it wouldn't have Steam configured and logged in.

Re:Fixed the Title (1)

Billly Gates (198444) | about 2 years ago | (#41685741)

Or how about just run Firefox and Steam as a standard user? You shouldn't be running as an administrator anyway in this day and age and you are just asking for trouble otherwise.

I do this by default on all my Windows 7 installations where I create a Super User account and then last create a regular user account for that person and explain to use that one by default and never use the other admin account unless you are installing a scanner or a new software package.

This won't fully protect you as a buffer overflow or privilege escalation can get around this but it adds another layer and another annoying step for the hackers. Most hackers know people are stupid and run as admin at home so you should be safe from this.

Another recommendation is to drop Firefox totally. I know I may piss some people off reading this but IE and Chrome have sandboxing built in. FF is behind in this area and requires noscript and other disruptive add-ons to achieve the same security. I hated Sandboxie before I started using Chrome.

How is this an exploit? (1, Insightful)

ZiakII (829432) | about 2 years ago | (#41682623)

I do not get how exactly this is an exploit. You need to create a batch file on the intended system start-up folder first. If you can do that. Why not just have the batch file execute a command to download a malicious file and execute it?

Not sure what the real issue is...

Re:How is this an exploit? (0, Insightful)

Anonymous Coward | about 2 years ago | (#41682781)

The real issue would be with your reading comprehension skills. Try reading it again.

Re:How is this an exploit? (4, Informative)

Baloroth (2370816) | about 2 years ago | (#41682817)

I do not get how exactly this is an exploit. You need to create a batch file on the intended system start-up folder first. If you can do that. Why not just have the batch file execute a command to download a malicious file and execute it?

Because you have the wrong order. The exploit can be used to create the batch file, which is then auto-executed when windows next starts (autoexec.bat).

Re:How is this an exploit? (0)

Anonymous Coward | about 2 years ago | (#41684233)

They're creating the batch file in the startup (start menu\programs\startup) folder. It could be named anything and it'd still run, not just autoexec.

Re:How is this an exploit? (0)

Anonymous Coward | about 2 years ago | (#41682897)

As stated in the article :

"For example, the Source engine's command line allows users to select a specific log file and add items to it."

That means: Specify something like "c:\windows\startup\somename.bat" as the 'log' file and "add items to it" (the batch commands).

Re:How is this an exploit? (0)

Anonymous Coward | about 2 years ago | (#41683389)

Have they actually done this, or is this theoretical? Source games tend to spit a ton of crap and error messages into the console, and I'd think that would mess up a batch file.

Re:How is this an exploit? (0)

Anonymous Coward | about 2 years ago | (#41683509)

The batch language is so resilient that most garbage doesn't stop it from reaching a valid line lower down.

CAPTCHA: inasmuch. How relevant.

Why is this even on Slashdot (0)

Wattos (2268108) | about 2 years ago | (#41682669)

From TFA:

Our choice for exploiting this bug is to create a .bat file in the Startup folder of the user account which will execute our commands injected through +echo at the next login of the user on the system. There is also an interesting scenario against dedicated servers by specifying the motd.txt of the game as logfile and launching the cvarlist command that will dump all the game variables in such file that is visible to any player who joins the server. Team Fortress 2 is one of the most played games based on this engine and it's free-to-play.

The system is already compromised at this point. Why do we need the steam protocol?

Also, for the love of god, please stop calling these people security researchers.

Re:Why is this even on Slashdot (1)

Malenx (1453851) | about 2 years ago | (#41682741)

Agree, I can't see how this exploit would work without a previously compromised system. They are also relying on users to click on bad links to get the process started. How is this at all new?

Re:Why is this even on Slashdot (5, Insightful)

Scytheon3 (1864528) | about 2 years ago | (#41682829)

The system is not already compromised. They are using the vulnerability to create the .bat file by specifying this as the log file for Team Fortress and then echoing commands into it.

Re:Why is this even on Slashdot (1)

TheRealGrogan (1660825) | about 2 years ago | (#41683353)

Windows NT based systems have come with file permissions for a long time. Remove write permissions from the user and global startup folders. Yes, all write permissions, even for the user "System" (I hate anything that uses the startup folder anyway and wouldn't allow anything in there)

Or what about programs like that "Tea Timer" (Spybot Search and Destroy) or others that block things from getting in startup? (I always thought Tea Timer to be a silly nuisance, never to be activated, but here's an instance where it would help)

Attack foiled.

Personally I am not worried about this, for I use Windows only for games. The chances of me going to a bad URL while in Windows are near zero. Besides, now that the cat is out of the bag, Valve will probably find a way to mitigate this with one of the next client updates.
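As an added example (not from this thread, and not Valve's or ReVuln's code), here is a PowerShell audit of the mitigation the comment above describes: it lists what would run from the per-user and all-users Startup folders at next logon and reports any ACL entry that lets a non-administrative identity write there. It is report-only; the set of "trusted" writers and the list of executable extensions are assumptions you can adjust. Note that the per-user Startup folder is writable by that user by design, so removing all write access, as the commenter suggests, will also break legitimate installers that place shortcuts there.

```powershell
# Added example: audit Startup folders for logon scripts and for write access
# held by identities outside an assumed trusted set. Report-only.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup
)

# Assumption: extensions Windows will execute directly at logon.
$scriptExt = '.bat', '.cmd', '.vbs', '.js', '.ps1', '.exe', '.lnk'

# Assumption: identities that legitimately hold write access; others are reported.
$trustedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

$writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "== $dir"

    # 1. Files that would run at next logon, newest first (a freshly dropped
    #    .bat file shows at the top).
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            '{0,-20} {1,8} bytes  {2}' -f $_.LastWriteTime, $_.Length, $_.Name
        }

    # 2. Allow ACEs granting write-class rights to anyone outside the trusted set.
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            (($rights -band $writeMask) -ne 0) -and
            ($trustedWriters -notcontains $ace.IdentityReference.Value)) {
            Write-Warning ('{0} can write to {1} ({2})' -f
                $ace.IdentityReference, $dir, $ace.FileSystemRights)
        }
    }
}
```

Run it from the account you want to audit; the all-users folder usually needs an elevated prompt to read its ACL.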

Re:Why is this even on Slashdot (1)

Billly Gates (198444) | about 2 years ago | (#41685659)

Which is why the old adage DO NOT RUN AS ROOT is applicable.

When I install a fresh copy of Windows 7 I create the user name God or Super User and then after everything is patched and software is installed I add a second account with just standard/limited permissions.

Windows 8 goes a step further and limits your account to regular user by default. You get a UAC every time if you want to change something. I should be fine with this since I only have read-only access to any settings as I only run as a standard user.

I wish more Windows XP/7 users did this. Running as a non standard user is not asking for trouble. While it won't protect you from rootkits, buffer overflows, or privilege escalation attacks, it will surely protect you from exploits. Still the URL is entered by the hackers so you will be vulnerable if you run as admin so be warned.

Re:Why is this even on Slashdot (3, Informative)

Baloroth (2370816) | about 2 years ago | (#41682877)

The sentence is poorly phrased: what they mean is that they create the .bat file using some command line parameters (one of which dumps console output to the file of your choice, which could be "c:/autoexec.bat"). That then gets executed automatically on login, and boom, exploited.

The solution is pretty easy: make browsers that open external programs for a link show what they are doing and exactly what the command is, and/or have steam show the same when it loads the protocol command. Steam could also refuse to pass command line parameters, but that limits the usefulness of the protocol in the first place (might be necessary, unfortunately).

Re:Why is this even on Slashdot (2)

Briareos (21163) | about 2 years ago | (#41682941)

Except that here they're using the ability to pass command line options to source engine games started via the steam URL handler to create their log file in a certain location with a certain name (like "foo.bat" in the startup folder) then using the echo command via the same URL parameter to log anything they want into that file - and I'm pretty sure a batch file containing "del /s c:\" in there won't be very much appreciated the next time the user logs on...

Re:Why is this even on Slashdot (0)

Anonymous Coward | about 2 years ago | (#41683059)

Team Fortress 28? Man, after how long it took to produce the first sequel, they really got their crap together.

lol n00b clowns (-1)

Anonymous Coward | about 2 years ago | (#41682815)

i have found an exploit, if you create a batch file calling ftp you can get it to download any file you like !

they should research serving from mcdonalds, its more what they are cut out for

Why the DRM icon? (-1)

Anonymous Coward | about 2 years ago | (#41682909)

So... Steam uses a form of DRM. They have a bug in an unrelated part of the system (the steam:// protocol handler). Therefore this bug... must be because of DRM! ZOMG EVULZ if only Valve SAW TEH LIGHT OF GOODNESS AND PURITY, this problem wouldn't exist!!1! Put up the DRM icon!

By this same logic, I play games on Steam. Those games have Steam's DRM on them, meaning I use DRM. Therefore, by logic, if I go out and murder someone, DRM must be to blame!

Re:Why the DRM icon? (1)

maharvey (785540) | about 2 years ago | (#41684799)

Wow I never thought of that! But so true...

URL handlers (3, Insightful)

0123456 (636235) | about 2 years ago | (#41683117)

Oh look, yet another vulnerability caused by allowing web pages to start random applications on your system.

Who ever thought that was a good idea?

Re:URL handlers (0)

Anonymous Coward | about 2 years ago | (#41683253)

Same person it always is: someone who was trying to take a monster shortcut.

Dont have to "establish" a list - try them all (1)

Gothmolly (148874) | about 2 years ago | (#41683231)

Try all the popular games, you're likely to get 1 hit - and that's all you need.

Re:Dont have to "establish" a list - try them all (1)

Barny (103770) | about 2 years ago | (#41683783)

Yeah, and when I get thousands of popups to execute steam links, I will just close the tab and send a report to google that it is an attack site...

Re:Dont have to "establish" a list - try them all (0)

Anonymous Coward | about 2 years ago | (#41684261)

And how will you close the tab with all the popups stealing focus every time a new one is created? But it doesn't matter, at that point you've already been attacked.

Re:Dont have to "establish" a list - try them all (0)

Anonymous Coward | about 2 years ago | (#41684959)

No, he has not: steam:// links do not auto-execute, you have to give them permission. Even if you do give them permission this attack vector then requires a computer restart BEFORE checking your startup folder for rogue batch files. Of note most anti-virus/anti-malware programs will freak out if exactly such an event will take place.

Next unless you are using a browser stuck in last century popups stealing focus until you can't do anything is kind of a thing of the past, all your popups open in tabs, close the master window and you shut down that site.

This is still a big deal and some sort of security enhancement for steam is required to prevent this sort of abuse.

DDoS Steam URL's? (0)

Anonymous Coward | about 2 years ago | (#41683333)

Has anyone tried to DDoS a steam://* URL? Might be funny.

Re:DDoS Steam URL's? (1)

Elbart (1233584) | about 2 years ago | (#41683697)

Sure, go ahead. Have fun.

Crazy (2)

Barny (103770) | about 2 years ago | (#41683767)

Uh, call me crazy, but I just checked the manager in firefox and steam links are set to 'ask first'. I tested, got a popup asking me if I want to run the link with application 'Steam'... unless it was something I wanted, I would generally click 'no'.

Not a very good exploit, imho.

Re:Crazy (0)

Anonymous Coward | about 2 years ago | (#41683973)

I think you're imagining the attack BACKWARDS.

Re:Crazy (0)

Anonymous Coward | about 2 years ago | (#41684215)

The thing you seem to have missed is that the attackers are targeting the malformed steam link precisely to be in that "something I wanted" category.
Click. Game Over.
i.e. a popular game you are likely to have and play (sort of goes along with that "popular" qualifier, no?)

The solution is for applications to only be allowed to create/write files in a separate data-only filesystem/directory tree.
That won't happen because you can't fix existing applications that don't do this.
And we all know how well leaving your system security up to the whims of whatever the OS/application programmer thinks is appropriate has been working out.

IMHO, certain files, such as C:\autoexec.bat are absolutely "knowable" by operating system designers as critical system files, and the OS should have strong access controls and escalated privilege protections in place for any modifications to such a crucial file. Particularly where NTFS and extended attribute filesystems are widely used.

Yay! Mandatory Binding Arbitration! (0)

Anonymous Coward | about 2 years ago | (#41684291)

So glad I didn't accept that new Mandatory Binding Arbitration EULA. That means steam doesn't even work on my computer anymore.

And for the rest of you, too bad no matter what happens you can't sue Valve! Suckers... :^D

Turn valve 90 degrees to shut-off position. (2)

Kaz Kylheku (1484) | about 2 years ago | (#41684673)

Simple as that.

Details of an exploit in an exploitable format (0)

Anonymous Coward | about 2 years ago | (#41685435)

Am I the only one that sees the irony in detailing an exploit for steam in a pdf file; one of the most exploited formats that has ever existed thanks to adobe?

If I were still using adobe reader I think I'd rather open an unknown exe than pdf.
