{"id":28593,"date":"2019-08-21T19:31:48","date_gmt":"2019-08-21T19:31:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/30423\/Researcher-Publishes-Second-Steam-Zero-Day.html"},"modified":"2019-08-21T19:31:48","modified_gmt":"2019-08-21T19:31:48","slug":"researcher-publishes-second-steam-zero-day","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/researcher-publishes-second-steam-zero-day\/","title":{"rendered":"Researcher Publishes Second Steam Zero Day"},"content":{"rendered":"

\"steam.png\"<\/span><\/p>\n

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks.<\/p>\n

However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn’t do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform.<\/p>\n

Valve gets criticized<\/h3>\n

The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and discussions in the infosec community.<\/p>\n

All the negative comments have been aimed at Valve and the HackerOne staff, with both being acused of unprofessional behavior.<\/p>\n

\n
\n

i am disappointed that valve does this kinda stuff https:\/\/t.co\/z1JPKJmHhQ<\/a><\/p>\n

\u2014 D\u0315\u0312\u0342\u1d48a\u0306\u1d43n\u0315\u1db0 T\u030c\u0360\u033e\u033e\u0313\u0350\u0352\u1d57e\u0357\u0311\u0361\u0341\u030b\u0302\u0341\u1d49n\u0305\u1db0t\u1d57l\u0340\u0313\u0358\u1dabe\u0343\u0312\u0302\u031a\u1d49r\u02b3 (@Viss) August 21, 2019<\/a><\/p><\/blockquote>\n<\/div>\n

Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.<\/p>\n

When the security researcher — named Vasily Kravets– wanted to publicly disclose the vulnerability, a HackerOne staff member forbade him from doing so, even if Valve had no intention of fixing the issue — effectively trying to prevent the researcher from letting users know there was a problem with the Steam client at all.<\/p>\n

Kravets did eventually publish details about the Steam zero-day<\/a>, which was an elevation of privilege (also known as a local privilege escalation) bug that allowed other apps or malware on a user’s computer to abuse the Steam client to run code with admin rights.<\/p>\n

\n<\/section>\n

Kravets said he was banned from the platform following the public disclosure of the first zero-day. His bug report was heavily covered in the media, and Valve did eventually ship a fix, more as a reaction to all the bad press the company was getting.<\/p>\n

The patch was almost immediatelly proved to be insufficient, and another security researcher found an easy way to go around it almost right away.<\/p>\n

Valve bungled the same bug report twice<\/h3>\n

Furthermore, a well-known and highly respected security researcher named Matt Nelson also revealed he found the same exact bug, but after Kravets, which he too reported to Valve’s HackerOne program, only to go through a similar bad experience as Kravets.<\/p>\n

Nelson said Valve and HackerOne took five days to acknowledge the bug, refused to patch it, and then locked the bug report when Nelson wanted to disclose the bug publicly and warn users.<\/p>\n

Nelson later released proof-of-concept code for the first Steam zero-day, and also criticized Valve and HackerOne for their abysmall handling of his bug report.<\/p>\n

\n
\n

The company at fault here is Valve (Steam). Good luck reporting anything that doesn\u2019t fit their crappy bounty scope. https:\/\/t.co\/vLHmTQ0qmq<\/a><\/p>\n

\u2014 Matt Nelson (@enigma0x3) July 8, 2019<\/a><\/p><\/blockquote>\n<\/div>\n

\n
\n

I’d like to take this Valve fiasco and highlight a few points:
1. Don’t scope your program so tightly that it completely removes things like LPE
2. If you do, give researchers a place to go that isn’t Twitter.
3. Don’t lock an issue when disclosure is mentioned pic.twitter.com\/lygNLkiUiz<\/a><\/p>\n

\u2014 Matt Nelson (@enigma0x3) August 12, 2019<\/a><\/p><\/blockquote>\n<\/div>\n

Second Steam zero-day disclosed today<\/h3>\n

Today, Kravets published details about a second Valve zero-day, which is another EoP\/LPE in the Steam client, allowing malicious apps to gain admin rights through Valve’s Steam app. Demos of the second Steam zero-day are embedded below, and a technical write-up is available on Kravets’ site<\/a>.<\/p>\n

\n