10 year-old bug in Steam platform exposed 15 million users to hackers
Threats / 10 year-old bug in Steam platform exposed 15 million users to remote code execution
1 June 2018
A critical security vulnerability which existed for at least ten years in the Steam client could have exposed as many as 15 million active clients to remote code execution thanks to a lack of modern exploit protections, a security researcher has revealed.
The said vulnerability was fixed in April after Valve, the developer of Steam, was made aware of its presence by Tom Court, a security researcher at Context Information Security. According to Court, the fact that a relatively simple bug was allowed to linger inside one of world’s most popular software platforms should serve “as encouragement to all vulnerability researchers to find and report more of them”.
While the said bug, if exploited, could have enabled a hacker to carry out remote code execution on devices belonging to all 15 million Steam users, an update introduced by Valve in July last year introduced modern exploit protections which ensured that an exploitation of the bug would have resulted in just a system crash. However, the need of the hour was to patch the vulnerability once and for all.
“At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets.
“The bug was caused by the absence of a simple check to ensure that, for the first packet of a fragmented datagram, the specified packet length was less than or equal to the total datagram length.
“This seems like a simple oversight, given that the check was present for all subsequent packets carrying fragments of the datagram. Without additional info-leaking bugs, heap corruptions on modern operating systems are notoriously difficult to control to the point of granting remote code execution,” Court said.
He added that after observing an outbound (client->server) datagram being sent in order to learn the client/server IDs of the connection along with the sequence number, an attacker could spoof UDP packet source/destination IPs and ports as well as client/server IDs to ensure that malicious UDP packets are accepted by the client.
“The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts. The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged,” Court added.
The presence of bugs like the one discovered by Court allows malicious actors to carry out malware infiltrations and DDoS attacks on popular software platforms such as Steam either to steal credentials or to disrupt operations. Back in 2016, security researchers from Kaspersky Lab discovered a malware dubbed Steam Stealer which stole users’ Steam configuration files and located the Steam KeyValue file for credentials and session data, thereby giving cyber criminals control over user accounts.
Account details of Steam users that were collected by the Steam Stealer malware were sold for as little as $15 on the Dark Web.
“The gaming community has become a highly desirable target for cyber criminals. There has been a clear evolution in the techniques used for infection and propagation, as well as the growing complexity of the malware itself, which has led to an increase in this type of activity,” said Santiago Pontiroli from Kaspersky Lab’s global research and analysis team.
“With gaming consoles adding more powerful components and the Internet of Things on our doorstep, this scenario looks like one that will continue to play out and become more complex,” he added, stating that developers should think about security early on when making games and platforms, and that cross-industry collaboration would help to keep the software secure.