Send News. Want a reply? Read this. More in the FAQ.   News Forum - All Forums - Mobile - PDA - RSS Headlines  RSS Headlines   Twitter  Twitter
Customize
User Settings
Styles:
LAN Parties
Upcoming one-time events:

Regularly scheduled events

Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in Steam and their game exploited, reports Computerworld, who say their request for comment on this was not immediately fulfilled by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.

View
19. This goes way beyond being a browser exploit. Oct 17, 2012, 17:07 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 13:24:
Looking at this a bit more, it appears that unless you've been able to compromise the machine before hand and lay a batch file(and know what games are installed). This is pretty much useless, so if someone has already compromised the machine that far. You've got other things to worry about than steam urls.

Though I might have missed something.
You missed a lot. Read the whole article (slowly for you) on Computerworld. This goes way beyond being a browser exploit. The browser is just used an attack vector into the Steam client itself and Source engine games. See "The researchers released a video in which they demonstrate how steam:// URLs can be used to remotely exploit some vulnerabilities they found in the Steam client and popular games." Valve's wonderful security triumphs again. I wonder if we will see Half-Life 3 source code soon.

In a different example, a steam:// URL can be used to execute legitimate commands found in Valve's Source game engine in order to write a .bat file with attacker-controlled content inside of Windows Startup folder. Files located in the Windows Startup directory are automatically executed when users log in.
That is really, really bad. As bad or worse than that Uplay exploit everyone bashed Ubisoft over (but not the researcher who found the exploit, hypocrites), but was fixed in a day or less. At least that exploit only affected users with the installed plug-in. This attack affects all browsers and Steam client users and since it can be scripted with Javascript, it is relatively easy to implement and get past the user especially on some browsers and settings.

This comment was edited on Oct 17, 2012, 18:08.
 
Previous Post Next Post Reply Quote Edit Delete Report
 
    Date Subject Author
  1. Oct 17, 11:29 Re: Firm Says Steam URLs Exploitable Verno
  2. Oct 17, 11:32  Re: Firm Says Steam URLs Exploitable descender
  4. Oct 17, 11:40   Re: Firm Says Steam URLs Exploitable Kajetan
  3. Oct 17, 11:39 Re: Firm Says Steam URLs Exploitable Verno
  5. Oct 17, 11:50 Re: Firm Says Steam URLs Exploitable Jivaro
  6. Oct 17, 11:52  Re: Firm Says Steam URLs Exploitable descender
  8. Oct 17, 11:55  Re: Firm Says Steam URLs Exploitable Creston
  9. Oct 17, 12:10  Re: Firm Says Steam URLs Exploitable Mashiki Amiketo
  7. Oct 17, 11:53 Re: Firm Says Steam URLs Exploitable Creston
  14. Oct 17, 12:47  Re: Firm Says Steam URLs Exploitable bozu
  10. Oct 17, 12:19 Re: Firm Says Steam URLs Exploitable Verno
  11. Oct 17, 12:29  Re: Firm Says Steam URLs Exploitable deqer
  18. Oct 17, 16:10   Re: Firm Says Steam URLs Exploitable Kosumo
  21. Oct 17, 17:47    Re: Firm Says Steam URLs Exploitable Prez
  23. Oct 17, 17:52     Re: Firm Says Steam URLs Exploitable hb3d
  22. Oct 17, 17:49    It is hard to get a reply from Valve. hb3d
  26. Oct 17, 18:24    Re: Firm Says Steam URLs Exploitable Verno
  28. Oct 17, 18:30     Re: Firm Says Steam URLs Exploitable Prez
  30. Oct 17, 18:49      Re: Firm Says Steam URLs Exploitable Mashiki Amiketo
  31. Oct 17, 19:41       That is NOT enough. hb3d
  33. Oct 17, 19:51        Re: That is NOT enough. Prez
  34. Oct 17, 19:53         Re: That is NOT enough. hb3d
  35. Oct 17, 19:58          Re: That is NOT enough. Prez
  36. Oct 17, 20:02           Re: That is NOT enough. hb3d
  37. Oct 17, 20:15           Re: That is NOT enough. nin
  38. Oct 17, 20:19        Re: That is NOT enough. Mashiki Amiketo
  39. Oct 17, 20:26         You are wrong again. hb3d
  40. Oct 17, 20:30          Re: You are wrong again. Mashiki Amiketo
  41. Oct 17, 20:35           Re: You are wrong again. hb3d
  43. Oct 17, 20:43            Re: You are wrong again. Sepharo
  44. Oct 17, 20:48             No subject hb3d
  47. Oct 17, 21:09              Re: Firm Says Steam URLs Exploitable Sepharo
  48. Oct 17, 21:22               It's good advice but not foolproof. hb3d
  49. Oct 17, 21:26                Re: It's good advice but not foolproof. Sepharo
  50. Oct 17, 21:29                 Re: It's good advice but not foolproof. Sepharo
  51. Oct 17, 21:31                  Re: It's good advice but not foolproof. nin
  52. Oct 17, 21:40                   Re: It's good advice but not foolproof. Prez
  53. Oct 17, 22:13                    I hate hypocrisy and blind bias. hb3d
  55. Oct 17, 22:29                     Re: I hate hypocrisy and blind bias. Prez
  56. Oct 17, 22:44                     Re: I hate hypocrisy and blind bias. Dades
  54. Oct 17, 22:15                    Re: It's good advice but not foolproof. nin
  57. Oct 18, 07:58                     Re: It's good advice but not foolproof. TheVocalMinority
  58. Oct 18, 08:53                  Re: It's good advice but not foolproof. Verno
  12. Oct 17, 12:41  Re: Firm Says Steam URLs Exploitable theyarecomingforyou
  13. Oct 17, 12:44 Re: Firm Says Steam URLs Exploitable Verno
  15. Oct 17, 13:24 Re: Firm Says Steam URLs Exploitable Mashiki Amiketo
>> 19. Oct 17, 17:07  This goes way beyond being a browser exploit. hb3d
  20. Oct 17, 17:35   Re: This goes way beyond being a browser exploit. BobBob
  24. Oct 17, 17:55   Re: This goes way beyond being a browser exploit. Mashiki Amiketo
  25. Oct 17, 17:58    Re: This goes way beyond being a browser exploit. hb3d
  27. Oct 17, 18:27     Re: This goes way beyond being a browser exploit. Mashiki Amiketo
  32. Oct 17, 19:47      It's not hard. You simply guess. hb3d
  16. Oct 17, 14:17 Re: Firm Says Steam URLs Exploitable LC
  17. Oct 17, 15:13 Re: Firm Says Steam URLs Exploitable jamiedj99
  63. Oct 18, 13:19  Re: Firm Says Steam URLs Exploitable LaxerFL
  29. Oct 17, 18:45 Re: Firm Says Steam URLs Exploitable Closed Betas
  42. Oct 17, 20:42 Re: Firm Says Steam URLs Exploitable Sepharo
  45. Oct 17, 20:51 Re: Firm Says Steam URLs Exploitable pacbowl
  46. Oct 17, 20:54  Re: Firm Says Steam URLs Exploitable hb3d
  59. Oct 18, 10:44 Re: Firm Says Steam URLs Exploitable Dev
  60. Oct 18, 10:55 Re: Firm Says Steam URLs Exploitable avianflu
  62. Oct 18, 11:20  Re: Firm Says Steam URLs Exploitable Verno
  65. Oct 18, 15:36  Re: Firm Says Steam URLs Exploitable descender
  66. Oct 18, 16:40   Re: Firm Says Steam URLs Exploitable Prez
  67. Oct 18, 17:58    Re: Firm Says Steam URLs Exploitable Dev
  68. Oct 19, 00:13     Re: Firm Says Steam URLs Exploitable Prez
  69. Oct 19, 10:32    Re: Firm Says Steam URLs Exploitable Mr. Tact
  61. Oct 18, 11:01 Re: Firm Says Steam URLs Exploitable Dev
  64. Oct 18, 15:30 Re: Firm Says Steam URLs Exploitable descender


footer

.. .. ..

Blue's News logo