A critical bug, which has existed for at least 10 years in the Steam client, could have allowed attackers to remotely execute malicious code in “all 15 million active clients.” As Motherboard put it, 125 million Steam gamers were vulnerable to attacks in which attackers could have remotely controlled their machines.
While Valve did patch the massive vulnerability, Tom Court, a security researcher at Context Information Security, released the details about the remote code execution (RCE) bug that affected all versions of the Steam gaming client.
According to Court, it was “a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections.”
The flaw was a “heap corruption within the Steam client library that could be remotely triggered.” The Steam client communicated via its own Steam protocol, carried on top of UDP (User Datagram Protocol) packets. Court determined that an attacker needed only to send malformed UDP packets to a gamer’s Steam client to trigger the flaw and then run malicious code on that gamer’s computer.
Although the critical bug had been lurking in all versions of the Steam client for the last decade, Court noted that Valve implemented modern ASLR exploit protections in the Steam source code last July. With that protection in place, exploiting the bug on its own would only crash the Steam client; RCE, however, was still possible “in combination with a separate info-leak vulnerability.”
You can see the attack in action in the video below:
On the bright side, a mere 8 hours after Court contacted the Valve security team in February, a fix had been pushed to the beta branch of the Steam client. The fix was pushed to the stable branch of the Steam client about a month later. On the imaginary “Context fastest-to-fix leaderboard,” Valve holds the top spot – a “welcome change from the often-lengthy back-and-forth process often encountered when disclosing to other vendors.”
Valve said it has no indication that malicious attackers exploited the vulnerability.
Court noted that “the vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts. The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged.”
The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them!
If you want the nitty-gritty, Court delved into the technical details in a blog post titled “Frag Grenade! A Remote Code Execution Vulnerability in the Steam Client.”