Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their games exploited, reports Computerworld, which says Valve did not immediately respond to its request for comment (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.


49. Re: It's good advice but not foolproof. Oct 17, 2012, 21:26 Sepharo
 
hb3d wrote on Oct 17, 2012, 21:22:
Sepharo wrote on Oct 17, 2012, 21:09:
I would hope that anyone here receiving a message about a website wanting to launch Steam would click No, especially if that wasn't their intent when clicking the link.
Well Chrome has a "remember my choice" box on that launch dialog box, so if you ever press "yes" and click the box, you won't be prompted again. That is why relying on a prompt is not a real fix for this type of problem. It's good advice, but not foolproof.

You're right, Chrome currently doesn't give you a way to undo the setting if you checked the box to remember it. Here's a fix:

Open this file in Notepad or your editor of choice:
%LOCALAPPDATA%\Google\Chrome\User Data\Local State

Search for "steam" and delete that line.
If the line is missing you're prompted every time.
If it's true you're not prompted but it's denied every time.
If it's false you're not prompted but it's allowed every time.
 
 
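One way to audit and undo that remembered choice from a script, written here as an added example (it is not Sepharo's or Chrome's own code). It assumes the Local State file is JSON and stores the remembered answers as an object under protocol_handler / excluded_schemes with the same true/false meaning the post describes; the file contents below are a constructed sample.

```python
import json
import os
import sys

# Constructed sample of the Chrome "Local State" file, cut down to the section
# that matters here. Key layout is an assumption based on the post above:
#   scheme absent -> Chrome prompts, true -> silently denied, false -> silently allowed.
SAMPLE_LOCAL_STATE = json.dumps({
    "protocol_handler": {
        "excluded_schemes": {
            "steam": False,   # user once ticked "remember" and chose Launch
            "mailto": True,   # user once ticked "remember" and chose Do nothing
        }
    }
})


def _excluded_schemes(data: dict) -> dict:
    """Return the excluded_schemes object, creating empty parents if absent."""
    return data.setdefault("protocol_handler", {}).setdefault("excluded_schemes", {})


def handler_state(local_state_text: str, scheme: str) -> str:
    """Classify one external-protocol scheme as 'prompt', 'allowed' or 'denied'."""
    excluded = _excluded_schemes(json.loads(local_state_text))
    if scheme not in excluded:
        return "prompt"
    return "denied" if excluded[scheme] else "allowed"


def silent_launch_schemes(local_state_text: str) -> list:
    """List every scheme that will hand a URL to an external program with no prompt.
    These are the entries an attacker-controlled redirect could trigger silently."""
    excluded = _excluded_schemes(json.loads(local_state_text))
    return sorted(s for s, denied in excluded.items() if denied is False)


def reset_to_prompt(local_state_text: str, scheme: str) -> str:
    """Drop the remembered choice so Chrome asks again (the fix in the post).
    Returns the new file text; write it back only while Chrome is closed."""
    data = json.loads(local_state_text)
    _excluded_schemes(data).pop(scheme, None)
    return json.dumps(data, indent=2)


if __name__ == "__main__":
    # Usage: python audit_local_state.py [path-to-Local-State]; defaults to the sample.
    default = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Local State")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    text = open(path, encoding="utf-8").read() if os.path.isfile(path) else SAMPLE_LOCAL_STATE
    print("steam:// is", handler_state(text, "steam"))
    print("schemes launched without a prompt:", silent_launch_schemes(text))
```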
 
48. It's good advice but not foolproof. Oct 17, 2012, 21:22 hb3d
 
Sepharo wrote on Oct 17, 2012, 21:09:
I would hope that anyone here receiving a message about a website wanting to launch Steam would click No, especially if that wasn't their intent when clicking the link.
Well, Chrome has a "remember my choice" box on that launch dialog box, so if you ever press "yes" and click the box, you won't be prompted again for Steam URLs. Other browsers probably do too. So if you go to the Steam website, install a game or demo using the Steam URL link when prompted, and click the box, you could be exploited later without knowing it because there would be no prompt. That is why relying on a prompt is not a real fix for this type of problem. It's good advice, but not foolproof.
 
 
47. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 21:09 Sepharo
 
hb3d wrote on Oct 17, 2012, 20:48:
Sepharo wrote on Oct 17, 2012, 20:43:
Only on Safari.
At the default settings other browsers will warn to various degrees of specificity. The problems are that, first, not everyone uses the default security settings, and second, users tend to click yes on popups because if they don't, things don't work.

"Just Say No!" is not a foolproof solution to this problem.

If fools want to click Yes/OK on the ol' "Install Virus?" pop-up there's not much that can be done about that. I would hope that anyone here receiving a message about a website wanting to launch Steam would click No, especially if that wasn't their intent when clicking the link. If the site is pretending to do something legitimate with Steam but really intends to use it as an attack vector... Well, user beware. I probably wouldn't accept that dialog from anyone else but Valve.
 
 
 
46. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 20:54 hb3d
 
pacbowl wrote on Oct 17, 2012, 20:51:
How about running No Script? It blocks auto-redirects too.
Anything that will block the browser from running/handling "steam://" will stop this attack vector. It won't fix the exploits in Steam or the games, but it will keep the browser from being used as a means to deliver an attack.

So, yes, if you can add "steam://*" to noscript's block list, that should do it.
 
 
45. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 20:51 pacbowl
 
How about running No Script? It blocks auto-redirects too.  
 
 
44. No subject Oct 17, 2012, 20:48 hb3d
 
Sepharo wrote on Oct 17, 2012, 20:43:
Only on Safari.
At the default settings other browsers will warn to various degrees of specificity. The problems are that, first, not everyone uses the default security settings, and second, users tend to click yes on popups because if they don't, things don't work.

"Just Say No!" is not a foolproof solution to this problem.
 
 
43. Re: You are wrong again. Oct 17, 2012, 20:43 Sepharo
 
hb3d wrote on Oct 17, 2012, 20:35:
With redirection the browser will automatically execute/go to the Steam URL, which will automatically run Steam, which will automatically run/handle the URL to execute the attack.

Only on Safari.
 
 
 
42. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 20:42 Sepharo
 
Chrome, IE9, Firefox, Opera all warn before executing a link to an application external from the browser... Just click no.  
 
 
41. Re: You are wrong again. Oct 17, 2012, 20:35 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 20:30:
That's two completely different things than what you've said in the last 4 posts.
No, it isn't. You simply don't understand what you read.

A page running something is not the URL itself being a script.
No kidding, nor did I say it was. With redirection the browser will automatically execute/go to the Steam URL, which will automatically run Steam, which will automatically run/handle the URL to execute the attack. PC owned shortly thereafter. Learn to read.

And yes you're fearmongering, when there is a solution right there.
I am not fear mongering when this is a very real fear of exploit since the exploit works and it is public. Second, that solution is one which I already mentioned below, but it isn't permanent unless Valve removes the functionality from Steam because Steam automatically restores itself when it is run if a part is deleted, etc.

This comment was edited on Oct 17, 2012, 21:00.
 
 
40. Re: You are wrong again. Oct 17, 2012, 20:30 Mashiki Amiketo
 
hb3d wrote on Oct 17, 2012, 20:26:
They can be. A website can script the URLs to execute in the browser without clicking on anything.

...
I have followed Luigi's work in game hacking for over ten years. When he says something about games and exploits, it is the real deal.
That's two completely different things than what you've said in the last 4 posts. A page running something is not the URL itself being a script. That's remote page execution. So again, disabling the steam:// handler effectively limits this vulnerability. And yes you're fearmongering, when there is a solution right there.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
39. You are wrong again. Oct 17, 2012, 20:26 hb3d
 
hb3d wrote on Oct 17, 2012, 19:41:
Glad to see you're good on the fear mongering 101 though.
It's not fear mongering. It is the truth. This exploit can allow remote code execution, and since it can, there is virtually no limit to what it can do.

Steam URLs aren't scripted.
They can be. A website can script the URLs to execute in the browser without clicking on anything, i.e. redirection.

See "Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email."

I have followed Luigi's work in game hacking for over ten years. He has reported the vulnerabilities he finds in games to companies like Epic and id for years, and they have been subsequently fixed. When he says something about games and exploits, it is the truth.

Even someone from h-online figured that one out. "disabling the steam:// handler will disable or severely limit this vulnerability."
I said the same thing below. The problem is that Steam will restore that functionality when it launches or automatically updates.

This comment was edited on Oct 17, 2012, 21:02.
 
 
38. Re: That is NOT enough. Oct 17, 2012, 20:19 Mashiki Amiketo
 
hb3d wrote on Oct 17, 2012, 19:41:
... Once you can remotely execute code as you can here, the sky is really the limit.
*facepalm* That's what remote code execution is. Glad to see you're good on the fear mongering 101 though.


No, that won't do it because if the Steam URLs are scripted, you don't have to click on a thing. And, if your browser doesn't prompt on the URLs as Safari doesn't at all and others won't if set that way, you won't even know if your browser executed these URLs.
Steam URLs aren't scripted. Though they can be used to execute commands, like any other API installer. Damn man, have you read the Steam API deployment document before? The URLs are handlers for a command; if you don't execute the URL you don't execute the commands. They don't spontaneously start running all on their own.

Even someone from h-online figured that one out. "disabling the steam:// handler will disable or severely limit this vulnerability."
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
37. Re: That is NOT enough. Oct 17, 2012, 20:15 nin
 
Prez wrote on Oct 17, 2012, 19:58:
hb3d wrote on Oct 17, 2012, 19:53:
Prez wrote on Oct 17, 2012, 19:51:
I'll do the next best thing and turn the client off until I actually am going to use it. Normally I leave it running as long as my PC is on. I already use Chrome as my browser.
That won't help because the browser will launch Steam to execute these URLs if it is not already running.

Dammit! What if I blocked the Steam service in a program like Process Explorer until I'm ready to use it?


NO SNUGGLE TRUCK FOR PREZ!!!!!!!

 
http://www.nin.com/pub/tension/
 
36. Re: That is NOT enough. Oct 17, 2012, 20:02 hb3d
 
Prez wrote on Oct 17, 2012, 19:58:
Dammit! What if I blocked the Steam service in a program like Process Explorer until I'm ready to use it?
If you can prevent the entire Steam client from running using something like that, then yes, that would mitigate your exposure. But, so long as Steam is running you are vulnerable.
 
 
35. Re: That is NOT enough. Oct 17, 2012, 19:58 Prez
 
hb3d wrote on Oct 17, 2012, 19:53:
Prez wrote on Oct 17, 2012, 19:51:
I'll do the next best thing and turn the client off until I actually am going to use it. Normally I leave it running as long as my PC is on. I already use Chrome as my browser.
That won't help because the browser will launch Steam to execute these URLs if it is not already running.

Dammit! What if I blocked the Steam service in a program like Process Explorer until I'm ready to use it?
 
 
“The greatness of a nation and its moral progress can be judged by the way its animals are treated.”
- Mahatma Gandhi
 
34. Re: That is NOT enough. Oct 17, 2012, 19:53 hb3d
 
Prez wrote on Oct 17, 2012, 19:51:
I'll do the next best thing and turn the client off until I actually am going to use it. Normally I leave it running as long as my PC is on. I already use Chrome as my browser.
That won't help because the browser will launch Steam to execute these URLs if it is not already running. That is the whole idea of having these Steam-specific URLs in the first place.

Valve needs to autoupdate Steam to get rid of the URL handler as an immediate step to blunt this attack, but the Steam website is full of the URLs, so it's going to break all that functionality.

This comment was edited on Oct 17, 2012, 20:07.
 
 
33. Re: That is NOT enough. Oct 17, 2012, 19:51 Prez
 
hb3d wrote on Oct 17, 2012, 19:41:
Mashiki Amiketo wrote on Oct 17, 2012, 18:49:
Worst case? Remote code execution with them being able to transverse directories.
That is NOT worst case. The exploits show hackers could execute anything on your PC with this exploit. That Source engine exploit will run anything specified in the batch file at startup. So, delete all your files, steal your account credentials, etc. Once you can remotely execute code as you can here, the sky is really the limit.

Just don't click on any random Steam URLs and you'll be fine.
No, that won't do it because if the Steam URLs are scripted, you don't have to click on a thing. If your browser doesn't prompt on the URLs as Safari doesn't at all and others won't if set that way, you won't even know if your browser executed the URL or not.

Well, uninstalling the Steam client means I lose access to the roughly $10,000 worth of games I have bought on Steam, so that isn't about to happen. I'll do the next best thing and turn the client off until I actually am going to use it. Normally I leave it running as long as my PC is on. I already use Chrome as my browser.
 
 
“The greatness of a nation and its moral progress can be judged by the way its animals are treated.”
- Mahatma Gandhi
 
32. It's not hard. You simply guess. Oct 17, 2012, 19:47 hb3d
 
In order to make this exploit work, you need to be able to cause something to create the file, in order to be able to execute it.
As I wrote before, if a Source engine game is installed, it can be made to do that with this exploit.

If you don't know what's installed, you have no attack vector.
You simply guess. Sure, it won't affect people who don't have a Source game installed, but so many Steam users do, and so many use the default location for Steam, that it isn't hard to find a vulnerable target. It was the exact same thing with the Uplay exploit. The specified path to the executable to run in that exploit was simply a guess at the target's directory structure and installed programs. Windows also still has a %path% variable that will execute anything in that path without knowing the full path.

Even their Unreal engine exploit requires an upk file to exist already, in order to cause it to crash (integer overflow).
It already exists in the Sanctum game. That is why they chose that game over the dozens of other Unreal engine games on Steam.

But in the latter case, you need to know "what" you're running into to make it do something.
As I wrote before, you simply guess and target the most likely spots. Hackers have been doing that forever, and guess what? It works.

This comment was edited on Oct 17, 2012, 20:06.
 
 
31. That is NOT enough. Oct 17, 2012, 19:41 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 18:49:
Worst case? Remote code execution with them being able to transverse directories.
That is NOT worst case. The exploits show hackers could execute anything on your PC with this exploit. That Source engine exploit will run anything specified in the batch file at startup. So, delete all your files, steal your account credentials, etc. Once you can remotely execute code as you can here, the sky is really the limit.

Just don't click on any random Steam URLs and you'll be fine.
No, that won't do it because if the Steam URLs are scripted, you don't have to click on a thing. And, if your browser doesn't prompt on the URLs as Safari doesn't at all and others won't if set that way, you won't even know if your browser executed these URLs.

This comment was edited on Oct 17, 2012, 19:48.
 
 
30. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 18:49 Mashiki Amiketo
 
Prez wrote on Oct 17, 2012, 18:30:
Some more non-techie explanation needed if you don't mind. What's the worst case scenario here? Am I looking at someone deleting my saved games or someone hacking the Department of Defense and making it look like I did it?
Worst case? Remote code execution with them being able to transverse directories.

Meaning that they can basically get "into" your machine and hop around doing whatever they want, to whatever directory (providing it's not locked by the OS). And depending, using engines such as Unreal which have unpatched integer bugs (probably the worst offender out there right now), do code execution. Overall, it's not any worse or better than the Uplay bug.

Just don't click on any random Steam URLs and you'll be fine.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 