10 year-old bug in Steam platform exposed 15 million users to remote code execution

A critical security vulnerability that had existed for at least ten years in the Steam client could have exposed as many as 15 million active clients to remote code execution, thanks to a lack of modern exploit protections, a security researcher has revealed.

The vulnerability was fixed in April after Valve, the developer of Steam, was made aware of its presence by Tom Court, a security researcher at Context Information Security. According to Court, the fact that a relatively simple bug was allowed to linger inside one of the world’s most popular software platforms should serve “as encouragement to all vulnerability researchers to find and report more of them”.

While the bug, if exploited, could have enabled an attacker to execute code remotely on the devices of all 15 million Steam users, an update Valve shipped in July last year added modern exploit protections, so that exploiting the bug would have resulted only in a system crash. Even so, the vulnerability still needed to be patched once and for all.

“At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets.

“The bug was caused by the absence of a simple check to ensure that, for the first packet of a fragmented datagram, the specified packet length was less than or equal to the total datagram length.

“This seems like a simple oversight, given that the check was present for all subsequent packets carrying fragments of the datagram. Without additional info-leaking bugs, heap corruptions on modern operating systems are notoriously difficult to control to the point of granting remote code execution,” Court said.
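To make the missing check concrete, here is an added example of a minimal fragmented-datagram reassembler in C that applies the same bound to the first fragment as to every later one. It is illustration written for this article, not code from Valve, Steam, Context Information Security or Court's write-up; the fragment header layout, the `MAX_DATAGRAM` limit and the `reasm_*` and `scenario_*` names are assumptions, and the fragments fed in are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed header layout for illustration only; this is not Steam's wire format. */
#define MAX_DATAGRAM 65535u   /* assumed upper bound on a reassembled datagram */

typedef struct {
    uint32_t total_len;      /* length of the whole datagram, carried on each fragment */
    uint32_t offset;         /* where this fragment's bytes land in the datagram */
    uint32_t frag_len;       /* number of payload bytes in this fragment */
    const uint8_t *payload;  /* frag_len bytes */
} fragment_t;

typedef struct {
    uint8_t *buf;            /* heap buffer sized from the first fragment's total_len */
    uint8_t *filled;         /* one flag per byte so overlapping fragments are not double-counted */
    uint32_t total_len;
    uint32_t bytes_filled;
    int started;
} reassembly_t;

enum { REASM_OK = 0, REASM_COMPLETE = 1, REASM_REJECT = -1 };

static void reasm_reset(reassembly_t *r)
{
    free(r->buf);
    free(r->filled);
    memset(r, 0, sizeof *r);
}

/* Returns REASM_REJECT without touching the buffer when a fragment does not fit;
 * otherwise copies it in and reports whether the datagram is now complete. */
static int reasm_feed(reassembly_t *r, const fragment_t *f)
{
    if (!r->started) {
        if (f->total_len == 0 || f->total_len > MAX_DATAGRAM || f->offset != 0)
            return REASM_REJECT;
        /* The check the article describes as absent: the first fragment must not
         * claim more bytes than the datagram whose buffer it is about to allocate. */
        if (f->frag_len > f->total_len)
            return REASM_REJECT;
        r->buf = calloc(f->total_len, 1);
        r->filled = calloc(f->total_len, 1);
        if (!r->buf || !r->filled) { reasm_reset(r); return REASM_REJECT; }
        r->total_len = f->total_len;
        r->started = 1;
    } else {
        /* Subsequent fragments get the same bound, written so that offset + frag_len
         * cannot wrap a 32-bit sum past the comparison. */
        if (f->total_len != r->total_len || f->offset > r->total_len ||
            f->frag_len > r->total_len - f->offset)
            return REASM_REJECT;
    }
    memcpy(r->buf + f->offset, f->payload, f->frag_len);
    for (uint32_t i = 0; i < f->frag_len; i++) {
        if (!r->filled[f->offset + i]) { r->filled[f->offset + i] = 1; r->bytes_filled++; }
    }
    return r->bytes_filled == r->total_len ? REASM_COMPLETE : REASM_OK;
}

/* Constructed first fragment that claims a 16-byte datagram but carries 64 bytes. */
static int scenario_oversized_first_fragment(void)
{
    static const uint8_t junk[64] = {0};
    reassembly_t r = {0};
    fragment_t f = { 16, 0, 64, junk };
    int rc = reasm_feed(&r, &f);
    reasm_reset(&r);
    return rc;                       /* REASM_REJECT */
}

/* Constructed two-fragment datagram "hello world!" (12 bytes) reassembled normally. */
static int scenario_valid_reassembly(void)
{
    reassembly_t r = {0};
    fragment_t a = { 12, 0, 6, (const uint8_t *)"hello " };
    fragment_t b = { 12, 6, 6, (const uint8_t *)"world!" };
    int ok = reasm_feed(&r, &a) == REASM_OK &&
             reasm_feed(&r, &b) == REASM_COMPLETE &&
             memcmp(r.buf, "hello world!", 12) == 0;
    reasm_reset(&r);
    return ok;                       /* 1 */
}

/* A later fragment whose offset + length exceeds the datagram is refused too. */
static int scenario_subsequent_out_of_bounds(void)
{
    reassembly_t r = {0};
    fragment_t a = { 12, 0, 6, (const uint8_t *)"hello " };
    fragment_t b = { 12, 8, 6, (const uint8_t *)"world!" };   /* 8 + 6 > 12 */
    int rc = reasm_feed(&r, &a) == REASM_OK ? reasm_feed(&r, &b) : 0;
    reasm_reset(&r);
    return rc;                       /* REASM_REJECT */
}

int main(void)
{
    printf("oversized first fragment: %s\n",
           scenario_oversized_first_fragment() == REASM_REJECT ? "rejected" : "ACCEPTED");
    printf("valid reassembly: %s\n", scenario_valid_reassembly() ? "ok" : "FAILED");
    printf("out-of-bounds later fragment: %s\n",
           scenario_subsequent_out_of_bounds() == REASM_REJECT ? "rejected" : "ACCEPTED");
    return 0;
}
```

The point of the example is the symmetry: without the `frag_len > total_len` test in the first branch, the `memcpy` would write past a buffer that was just allocated from the attacker-chosen `total_len`, which is the heap corruption the article describes. The same bound is what the later-fragment branch has always enforced, so the fix is one comparison, and the `filled` map makes completion depend on distinct bytes rather than on a running count that overlapping fragments could inflate.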

He added that after observing an outbound (client->server) datagram being sent in order to learn the client/server IDs of the connection along with the sequence number, an attacker could spoof UDP packet source/destination IPs and ports as well as client/server IDs to ensure that malicious UDP packets are accepted by the client.

“The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts. The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged,” Court added.

Bugs like the one Court discovered give malicious actors a way to infiltrate popular software platforms such as Steam with malware or to mount DDoS attacks against them, whether to steal credentials or to disrupt operations. Back in 2016, security researchers from Kaspersky Lab discovered malware dubbed Steam Stealer, which stole users’ Steam configuration files and located the Steam KeyValue file holding credentials and session data, thereby giving cyber criminals control over user accounts.

Account details of Steam users that were collected by the Steam Stealer malware were sold for as little as $15 on the Dark Web.

“The gaming community has become a highly desirable target for cyber criminals. There has been a clear evolution in the techniques used for infection and propagation, as well as the growing complexity of the malware itself, which has led to an increase in this type of activity,” said Santiago Pontiroli from Kaspersky Lab’s global research and analysis team.

“With gaming consoles adding more powerful components and the Internet of Things on our doorstep, this scenario looks like one that will continue to play out and become more complex,” he added, stating that developers should think about security early on when making games and platforms, and that cross-industry collaboration would help to keep the software secure.

Copyright Lyonsdown Limited 2021
