Nasty Bug Left All 125 Million Steam Users Vulnerable for Over 10 Years
Valve's popular video game platform, Steam, had a remote code execution (RCE) vulnerability that went unfixed for years, leaving millions of users exposed. Tom Court, a security researcher at Contextis, published the details of the bug, which he says left every Steam user vulnerable for the past decade. The good news is that Valve has now fixed it.
"The keen-eyed, security conscious PC gamers amongst you may have noticed that Valve released a new update to the Steam client in recent weeks," Court wrote, adding that the update was to deliver the bug fix. "This bug could have been used as the basis for a highly reliable exploit," he said. "This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections."
Millions of Steam users were vulnerable to RCE bug
The vulnerability was a heap corruption within the Steam client library that could be triggered remotely by sending crafted datagrams to the client. An attacker who exploited it could execute code on the victim's machine and take full control of it. Court said the bug had existed in the Steam client for at least the last ten years and would have allowed remote code execution on all 15 million active clients.
The bug was caused by the absence of a simple check: for the first packet of a fragmented datagram, the client never verified that the packet's specified length was less than or equal to the total datagram length. Because the reassembly buffer is sized from the datagram length, a first fragment that claims more bytes than that is copied past the end of the heap allocation. This looks like a plain oversight, since the same check was present for every subsequent packet carrying a fragment of the datagram.
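The following is an added example, not Valve's code or anything from Court's write-up, that models the shape of the bug described above. The fragment header layout (datagram_len, offset, pkt_len) and the function names are constructed for illustration; the vulnerable variant skips the bounds check on the first fragment exactly as the article describes, and the fixed variant applies it to every fragment. The example reports how far the vulnerable path would overrun the allocation rather than performing the out-of-bounds write.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified fragment header; NOT Steam's real wire format.
 * datagram_len: total size of the reassembled datagram (taken from fragment 0)
 * offset:       where this fragment's payload lands in the reassembly buffer
 * pkt_len:      payload bytes carried by this fragment */
typedef struct {
    uint32_t datagram_len;
    uint32_t offset;
    uint32_t pkt_len;
} frag_hdr;

/* True if [offset, offset + pkt_len) lies inside a buffer of cap bytes.
 * Written to avoid the uint32 wrap-around in offset + pkt_len. */
static int in_bounds(uint32_t offset, uint32_t pkt_len, uint32_t cap)
{
    return pkt_len <= cap && offset <= cap - pkt_len;
}

/* Vulnerable shape: the length check runs only for follow-up fragments.
 * The first fragment's pkt_len is trusted, so a first fragment with
 * pkt_len > datagram_len is accepted and the memcpy that follows runs past
 * the datagram_len-byte heap buffer. */
int fragment_ok_vuln(const frag_hdr *h, uint32_t cap, int is_first)
{
    if (is_first)
        return 1;                       /* the missing check */
    return in_bounds(h->offset, h->pkt_len, cap);
}

/* Fixed shape: every fragment, the first included, must fit the buffer. */
int fragment_ok_fixed(const frag_hdr *h, uint32_t cap, int is_first)
{
    (void)is_first;
    return in_bounds(h->offset, h->pkt_len, cap);
}

/* Bytes the vulnerable path would write beyond the allocation for a given
 * first fragment (0 means no overrun). Shows the impact without doing the
 * out-of-bounds write. */
uint32_t vuln_overrun_bytes(const frag_hdr *first)
{
    if (!fragment_ok_vuln(first, first->datagram_len, 1))
        return 0;
    return first->pkt_len > first->datagram_len
               ? first->pkt_len - first->datagram_len : 0;
}

/* Reassemble n fragments using the fixed check. Returns the number of payload
 * bytes accepted, or -1 if any fragment is rejected. On success *out receives
 * a malloc'd buffer of datagram_len bytes that the caller frees. */
long reassemble_fixed(const frag_hdr *hdrs, const uint8_t *const *payloads,
                      size_t n, uint8_t **out)
{
    uint8_t *buf = NULL;
    uint32_t cap = 0, received = 0;

    for (size_t i = 0; i < n; i++) {
        int first = (i == 0);
        if (first) {
            cap = hdrs[0].datagram_len;
            buf = calloc(cap ? cap : 1, 1);
            if (!buf)
                return -1;
        }
        if (!fragment_ok_fixed(&hdrs[i], cap, first)) {
            free(buf);
            return -1;
        }
        memcpy(buf + hdrs[i].offset, payloads[i], hdrs[i].pkt_len);
        received += hdrs[i].pkt_len;
    }
    *out = buf;
    return (long)received;
}

int main(void)
{
    /* Constructed malicious first fragment: claims 4096 bytes for a
     * 64-byte datagram. */
    frag_hdr bad = { 0x40, 0, 0x1000 };
    printf("vulnerable check accepts: %d, fixed check accepts: %d\n",
           fragment_ok_vuln(&bad, bad.datagram_len, 1),
           fragment_ok_fixed(&bad, bad.datagram_len, 1));
    printf("vulnerable path would overrun the heap buffer by %u bytes\n",
           vuln_overrun_bytes(&bad));
    return 0;
}
```

The same malformed header is rejected by both variants when it arrives as a second or later fragment, which is why the bug is a single missing branch rather than a design flaw in the reassembly logic.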
Without an additional information-leaking bug, heap corruptions on modern operating systems are notoriously difficult to control to the point of granting remote code execution. In this case, however, Steam's custom memory allocator gave the attacker a predictable heap layout, and (until July 2017) the steamclient.dll binary was built without ASLR, so its addresses were fixed. Together these meant the bug could have been used as the basis for a highly reliable exploit.
What's surprising is the fact that this nasty bug went unnoticed for over ten years.
“The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them!” Court wrote in his report.
While Valve hasn't commented on the bug, the company did acknowledge Court in the release notes of the Steam client update published on April 4, 2018.
Court has also published a proof-of-concept video showing the bug in practice, in which he launches an application on the victim's system after exploiting it. He praised Valve's response: a fix reached the beta branch less than 12 hours after his report. The bug was reported to Valve on February 20, and the fix shipped to the stable branch on March 22.