Hands Up - This is a PC-jacking! The Wonders of Steam Browser Protocol Vulnerability.




 For our readers who are unaware of the wonder that is 'Steam', here's a small description of how it influences our life. Steam is a digital distribution and digital rights management platform for games and various other softwares and can run on Windows, MacOS X and Linux. The company, Valve Corporation, that owns it says that Steam offers over 2,000 titles and has more than 40 million active user accounts.


When a user clicks on a steam:// URL in a program, the URL is passed to Steam client for execution which means that it registers itself as a steam:// URL protocol handler when it is installed on a system. This Steam:// URL consists of steam protocol commands which enable the system to install/uninstall, update and backup files amongst many other supported actions.

It sounds simple enough until attackers start exploiting these commands or vulnerabilities to remotely control your PC.

Security Researchers and Founders at ReVuln, Luigi Auriemma and Donato Ferrante, state in their report that attackers can exploit vulnerabilities in the Steam client or the games installed through the program resulting from the way browsers and other applications automatically divert steam:// protocol URLs to the Steam client without asking for confirmation or permission from the user.



Different browsers tend to respond differently to the steam:// URL. Internet Explorer 9, Google Chrome and Opera flash warnings to the user along with the full or partial steam:// URLs before the transferring them to the Steam client for execution. Firefox requests user confirmation only. And in this competition, Safari comes out as the weakest of the lot, by automatically executing steam:// URLs without asking for permissions from the user (feeling a bit rebellious, are we?)

“Mac OS is the secondary platform used on Steam and many games are available for this platform so it has a wide user base,” Auriemma said. Hence, proving that Mac OS is more prone to such attacks.


The Geniuses of ReVuln state:

“All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls,” the researchers said. “Additionally for browsers like Internet Explorer and Opera it’s still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself.”

Attackers can also use JavaScript code inscribed on malicious pages to redirect browsers to URLs such as steam:// URL.
Normally, browsers are subservient to their masters (us) and they ask for permission for every single deed that they do. But some of us change our browser settings and allow the URLs to automatically execute their purpose by default through the Steam client.

According to Auriemma;
"It’s highly possible that many gamers already have the steam:// links directly executed in the browser to avoid the annoyance of confirming them all the time.”
You can also be a witness to this awesomely frightening new revelation by clicking here to view the video released by the researchers in which they have also explaining how a user can be vulnerable to threats via Steam vulnerabilities and game portals.
If we take an example of how Steam protocol can be used, here's a tip for you. The Steam protocol's "reinstall" command can load a malformed TGA splash image file exploiting Steam client vulnerabilities to execute malicious code in the context of its process.
In another example exploiting the same steam:// URL vulnerability, the attacker can execute legitimate commands in Valve's Source Game Engine to write a .bat format file with attacker-controlled content inside of Windows Startup folder. Files within the Windows Startup directory are automatically triggered when users log in. The Source Game Engine is quite a hit with the players who spend hours on Half-Life, Counter-Strike and Team Fortress. These games alone are massive hits and have tens of thousands of users playing it all the time. Games like APB Reloaded and MicroVolts are also prone to being abused via steam:// URLs through the auto-update feature.
Apart from Stream, another game engine known as Unreal is known to be vulnerable as well. 

According to ReVuln researchers;
"Another popular game engine called Unreal supports the loading of files from remote WebDAV or SMB shared directories through command line parameters. A rogue steam:// URL can be used to load a malicious file from such a location that exploits one of the many integer overflow vulnerabilities found in the game engine to execute malicious code."

How to Protect Yourself?



Users can protect themselves being PC-hijacked by disabling the steam:// URL protocol handler manually or with an application with the sole purpose of disabling it. The easiest way would be to use a browser that doesn't automatically, without permission from the user execute steam:// URLs. 
Auriemma says, “The downside is that the gamers who use these links locally (shortcuts) or online (web browser) to join servers or use other features of this protocol will be unable to use them.”
At another point he stated, "In our opinion Valve must remove the passing of command-line parameters to games because it’s too dangerous and they can’t control how these third parties software can act with malformed parameters.”
Valve hasn't commented on the security matter at hand.
“In the recent months Valve invested a lot in the Steam platform launching the beta version of Steam for Linux, adding the GreenLight service where users can vote what games they would like to see available on Steam, added the Software section, added more games and some highlighted games available full for limited time, tons of free-to-play games and much more,” the researcher said. “There was no better moment to notice these issues than now.”
Cheers!
About The Author

This article is written by Sindhia Javed Junejo. She is one of the core members of RHA team.