Steam Code Execution – Privilege Escalation to SYSTEM (Part 2)

In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted last night’s blog post at 1am, tired as hell, and in my sleep-deprived state I completely neglected to update it properly, and there are several mistakes and bits of missing information. The draft went out and confused a lot of people. So, for that, I apologise. I’m going to leave it there so people can see it, because it’ll remind me not to do that next time.

Now, onto the real impact of the vulnerability: I can leverage it to gain code execution as SYSTEM. How? Well, it turns out that Steam.exe gives itself one unusual privilege – the privilege to debug other processes. This is called SeDebugPrivilege, and one of its features is that it lets the process bypass the access control lists (ACLs) on other processes when it calls OpenProcess, i.e. the process can open a handle to any process it likes, with any access rights it likes.

Here’s how you can elevate to SYSTEM when you have SeDebugPrivilege:

  1. Open a handle to a process that is running as SYSTEM, with PROCESS_ALL_ACCESS as the access flag.
  2. Use VirtualAllocEx to allocate a block of memory in the remote process, with the executable flag set.
  3. Use WriteProcessMemory to copy a block of shellcode into that memory buffer.
  4. Use CreateRemoteThread to create a new thread in the remote process, whose start address is the base address of the memory allocation.
  5. Bingo! You just got a privesc to SYSTEM.

In this case, once you’ve got code execution inside Steam, you can utilise this trick to escalate yourself to SYSTEM. There’s your privesc vuln.
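From the defender's side, steps 1 to 4 leave a recognisable trail in process telemetry. The following is an added example, not code from the original post: a Python check over constructed events modelled on Sysmon ProcessAccess (ID 10) and CreateRemoteThread (ID 8) records. The normalised field names, the `ev` helper and every sample value are assumptions of this example.

```python
# Process access-right bits from the Windows SDK (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
CLIENT = r"C:\Apps\client.exe"  # constructed path
SPOOLER = r"C:\Windows\System32\spoolsv.exe"


def ev(event_id, src_pid, src_image, src_user, dst_pid, dst_image, dst_user, access=None):
    """Build one normalised event (field names are assumptions of this example)."""
    return {"EventID": event_id, "SourcePid": src_pid, "SourceImage": src_image,
            "SourceUser": src_user, "TargetPid": dst_pid, "TargetImage": dst_image,
            "TargetUser": dst_user, "GrantedAccess": access}


# Constructed sample telemetry: 10 = ProcessAccess, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    ev(10, 5000, r"C:\Windows\System32\Taskmgr.exe", "PC\\alice", 900, SPOOLER, SYSTEM_USER, "0x1410"),
    ev(10, 4120, CLIENT, "PC\\alice", 900, SPOOLER, SYSTEM_USER, "0x1FFFFF"),
    ev(10, 4120, CLIENT, "PC\\alice", 4300, CLIENT, "PC\\alice", "0x1FFFFF"),
    ev(8, 4120, CLIENT, "PC\\alice", 4300, CLIENT, "PC\\alice"),
    ev(8, 4120, CLIENT, "PC\\alice", 900, SPOOLER, SYSTEM_USER),
]


def find_cross_user_injection(events):
    """Return (source, target) image pairs where a non-SYSTEM process opened a
    SYSTEM process with write and thread-creation rights, then started a
    remote thread in it."""
    opened, hits = set(), []
    for e in events:
        if e["TargetUser"] != SYSTEM_USER or e["SourceUser"] == SYSTEM_USER:
            continue  # only handles that cross from a user into SYSTEM matter here
        key = (e["SourcePid"], e["TargetPid"])
        if e["EventID"] == 10:
            if (int(e["GrantedAccess"], 16) & INJECTION_RIGHTS) == INJECTION_RIGHTS:
                opened.add(key)  # handle is sufficient for steps 2 to 4
        elif e["EventID"] == 8 and key in opened:
            hits.append((e["SourceImage"], e["TargetImage"]))
    return hits


if __name__ == "__main__":
    for source, target in find_cross_user_injection(SAMPLE_EVENTS):
        print(f"ALERT: {source} created a thread in SYSTEM process {target}")
```

The check tests for the individual rights rather than one exact mask, so it still fires when a caller requests only what steps 2 to 4 need instead of PROCESS_ALL_ACCESS.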
