Researcher shut out of bounty program releases 2nd disclosure publicly

Valve recently issued fixes, on the Steam client's beta channel, for the privilege escalation vulnerabilities that security researcher Vasily Kravets discovered in the client.

Kravets released the discovery of the zero-day exploit after being shut out of Valve’s HackerOne bug bounty program.

The company has now acknowledged its mistake and revised its rules to explicitly state that these issues are in scope and should be reported.

This all came about after Vasily Kravets and a colleague had disclosed another zero-day two weeks earlier, a disclosure Valve disputed.

The flaw, known as CVE-2019-14743, affects Windows versions of the client and concerns a privilege escalation bug that makes it possible for other apps and potentially malware on a user’s computer to run code with system privileges. As a result, a threat actor could exploit this vulnerability remotely and execute malicious code on the target device by using Steam’s system rights and elevating its permissions.

“Achieving maximum privileges can lead to much more disastrous consequences,” Kravets wrote. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft [of] any PC user’s private data — is just a small portion of what could be done.”

The Steam storefront has over 90 million active monthly users, with Windows users accounting for nearly 97 percent of all digital PC game downloads.

Although Valve initially declined to resolve the first vulnerability, Kravets’ public disclosure of the zero-day exploit prompted the company to issue a fix on August 9, 2019. Unfortunately, the patch didn’t solve the problem. Researcher Xiaoyin Liu published a detailed write-up explaining how the fix could be bypassed to exploit the flaw again.

The second zero-day exploit stems from abusing Steam’s admin permissions to make changes to the Steam installation folder structure and inject a malicious executable.
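As an added illustration for administrators (this is not code from the article, from Valve, or from the researchers), the PowerShell audit below checks the general precondition behind this class of bug: a service running with SYSTEM rights that copies or executes files out of a directory ordinary users are allowed to write to. It assumes Steam is installed at its default path and reports any access-control entries on the install root or its immediate subdirectories that grant file- or directory-creation rights to broad principals such as Everyone or BUILTIN\Users. It does not reproduce the specific bypass Kravets and Liu published and does not by itself establish exploitability.

```powershell
# Added example (not from the article, Valve, or the researchers): audit the
# Steam installation directory for ACL entries that let non-administrator
# principals create files or subdirectories in it.
# Assumption: Steam lives at the default path below; override with -SteamPath.
param(
    [string]$SteamPath = "${env:ProgramFiles(x86)}\Steam"
)

# Principals that any local, non-admin user can act as.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow dropping a new file or folder into the directory.
# Modify and FullControl include these bits, so they are caught too.
$writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-BroadWriteAccess {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow entries for broad principals with a write-type right matter.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Check the install root plus its immediate subdirectories (client binaries,
# the service executable and game content all live one level down).
$targets = @($SteamPath) +
           (Get-ChildItem -LiteralPath $SteamPath -Directory -ErrorAction SilentlyContinue).FullName
$results = $targets | ForEach-Object { Test-BroadWriteAccess -Path $_ }

if ($results) {
    Write-Host "Directories writable by non-administrator principals:" -ForegroundColor Yellow
    $results | Format-Table -AutoSize
} else {
    Write-Host "No broad write ACEs found under $SteamPath"
}
```

Run it from an elevated PowerShell prompt so that Get-Acl can read every directory. A hit means a standard user can plant content where a SYSTEM-level component operates, which is worth tightening regardless of whether the current Steam build is exploitable; the authoritative fix is still keeping the client updated.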

Kravets sums up the issue of Valve’s indifferent attitude to privilege escalation perfectly. “It is rather ironic that a launcher, which is actually designed to run third-party programs on your computer, allows them to silently get a maximum of privileges,” Kravets noted. “Are you sure that a free game made of garbage by an unknown developer will behave honestly?”

Let’s hope this most recent patch successfully patches the exploit.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648