Experts have published a video proof-of-concept to demonstrate their findings

Oct 16, 2012 08:17 GMT  ·  By

Security researchers Luigi Auriemma and Donato Ferrante of ReVuln have identified a vulnerability in the Steam Browser Protocol that could be leveraged by remote attackers to cause some serious damage. Their research was published in a paper called Steam Browser Protocol Insecurity.

The popular gaming platform uses the steam:// URL protocol in order to run, install and uninstall games, backup files, connect to servers and reach various sections dedicated to customers.

After testing various browsers, the experts concluded that Mozilla and Safari are ideal for the “silent Steam Browser Protocol calls” needed to perform such an attack, because they do not warn users before invoking the external URL handler.

Internet Explorer and Opera, on the other hand, do warn users, but the “dodgy part” of the URL can be pushed out of view in the prompt by padding the Steam:// URL with spaces.

The researchers also found that web browsers are not the only clients that can be used to call external protocol handlers: the Steam browser and RealPlayer’s embedded browser are just as susceptible to the attack.

One of the attacks they demonstrated relies on the retailinstall command, which is designed for installing and restoring backups from a local folder. The function in charge of loading a splash image during this process contains an integer overflow vulnerability that an attacker could leverage to run malicious scripts.

Furthermore, the researchers have shown that the Steam Browser Protocol can also be used in attacks against the Source and Unreal engines.

Massively Multiplayer Online (MMO) games such as MicroVolts and All Points Bulletin can be exploited through their auto-update features by leveraging a directory traversal vulnerability.

However, these attacks can be mitigated. Users can protect themselves by using web browsers that do not execute the Steam Browser Protocol directly, without a prompt.

On Steam’s side, the researchers recommend “avoiding to pass command-line arguments to third party software and undocumented commands accessible from external and untrusted sources.”
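The two weak points described above, whitespace padding that hides the suspicious part of a steam:// URL in a browser prompt and undocumented commands such as retailinstall being reachable from web content, can both be caught by a gatekeeper that inspects the URL before it is handed to the external handler. The check below is an added example, not code from ReVuln or Valve; the allowlist of "safe" commands is an assumption made for the example, not Valve's documented command set.

```python
import re
from urllib.parse import unquote

# Assumed allowlist of steam:// commands a client is willing to forward to the
# external protocol handler. Constructed for this example; anything not listed
# here (retailinstall, for instance) is treated as undocumented and refused.
SAFE_COMMANDS = {"run", "install", "connect", "store", "friends"}


def inspect_steam_url(url: str):
    """Decide whether a steam:// URL may be passed to the external handler.

    Returns (allowed, findings). A URL is refused if it carries any whitespace
    (raw or percent-encoded), which is the trick used to push the dangerous
    part of the URL out of view in a browser's confirmation prompt, or if its
    command is not on the allowlist.
    """
    findings = []
    if url[:8].lower() != "steam://":      # scheme names are case-insensitive
        return False, ["not a steam:// URL"]

    decoded = unquote(url[8:])             # reveal %20 and friends
    if re.search(r"\s", decoded):
        findings.append("whitespace in URL (possible prompt obfuscation)")

    # Command is the first path segment once any padding has been removed.
    compact = re.sub(r"\s+", "", decoded)
    command = compact.split("/", 1)[0].lower()
    if command not in SAFE_COMMANDS:
        findings.append(f"command '{command}' is not on the allowlist")

    return not findings, findings


if __name__ == "__main__":
    # Constructed sample links: a plain launch, a padded link and a retailinstall call.
    for sample in ("steam://run/440",
                   "steam://run/440" + " " * 40 + "/retailinstall/x",
                   "steam://retailinstall/C:/backup"):
        print(repr(sample[:32]), inspect_steam_url(sample))
```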

The researchers concluded by highlighting that Steam is a high-impact attack vector because it supports several platforms and currently has over 50 million users.

Here is the video proof-of-concept published by the researchers: