Attackers can abuse the way browsers and other applications handle steam:// protocol URLs in order to exploit serious vulnerabilities in the Steam client or games installed through the platform, according to researchers from startup vulnerability research and consultancy firm ReVuln.
Steam is a popular digital distribution and digital rights management platform for games and, since earlier this month, other software products. According to Valve Corporation, the company that developed and operates the platform, Steam offers over 2,000 titles and has over 40 million active accounts.
The Steam client can run on Windows, Mac OS X and Linux, although as a beta version only in the latter OS.
When the Steam client is installed on a system, it registers itself as a steam:// URL protocol handler. This means that every time a user clicks on a steam:// URL in a browser or a different application, the URL is passed to the Steam client for execution.
Steam:// URLs can contain Steam protocol commands to install or uninstall games, update games, start games with certain parameters, backup files or perform other supported actions.
Attackers can abuse these commands to remotely exploit vulnerabilities in the Steam client or the Steam games installed on a system by tricking users into opening maliciously crafted steam:// URLs, ReVuln security researchers and founders Luigi Auriemma and Donato Ferrante said in research paper published on Monday.
The problem is that some browsers and applications automatically pass steam:// URLs to the Steam client without asking for confirmation from users, the researchers said. Other browsers do request user confirmation, but don't display the full URLs or warn about the dangers of allowing such URLs to be executed.
According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.
"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."
Browsers that require user confirmation for steam:// URL execution by default usually provide users with an option to change this behavior and have the URLs automatically executed by the Steam client, Auriemma said. " It's highly possible that many gamers already have the steam:// links directly executed in the browser to avoid the annoyance of confirming them all the time."
The researchers released a video in which they demonstrate how steam:// URLs can be used to remotely exploit some vulnerabilities they found in the Steam client and popular games.
For example, the Steam protocol's "retailinstall" command can be used to load a malformed TGA splash image file that exploits a vulnerability in the Steam client to execute malicious code in the context of its process, the researchers said.
In a different example, a steam:// URL can be used to execute legitimate commands found in Valve's Source game engine in order to write a .bat file with attacker-controlled content inside of Windows Startup folder. Files located in the Windows Startup directory are automatically executed when users log in.
The Source game engine is used in many popular games including Half-Life, Counter-Strike and Team Fortress that have tens of millions of players.
Another popular game engine called Unreal supports the loading of files from remote WebDAV or SMB shared directories through command line parameters. A rogue steam:// URL can be used to load a malicious file from such a location that exploits one of the many integer overflow vulnerabilities found in the game engine to execute malicious code, the ReVuln researchers said.
The auto-update feature found in some games like APB Reloaded or MicroVolts can also be abused through steam:// URLs to create files with attacker-controlled content on the disk.
In order to protect themselves users can disable the steam:// URL protocol handler manually or with a specialized application, or can use a browser that doesn't automatically execute steam:// URLs, Auriemma said. "The downside is that the gamers who use these links locally (shortcuts) or online (web browser) to join servers or use other features of this protocol will be unable to use them."
Because Safari is one of the browsers that automatically executes steam:// URLs, Mac OS X users, which represent the majority of the browser's user base, might be more exposed to such attacks. "Mac OS is the secondary platform used on Steam and many games are available for this platform so it has a wide user base," Auriemma said.
"In our opinion Valve must remove the passing of command-line parameters to games because it's too dangerous and they can't control how these third parties software can act with malformed parameters," the researcher said.
Valve did not immediately return a request for comment.
Earlier this month Valve started to distribute select non-gaming software titles through Steam. Vulnerabilities found in such applications might also be exploitable through steam:// URLs, Auriemma said.
"In the recent months Valve invested a lot in the Steam platform launching the beta version of Steam for Linux, adding the GreenLight service where users can vote what games they would like to see available on Steam, added the Software section, added more games and some highlighted games available full for limited time, tons of free-to-play games and much more," the researcher said. "There was no better moment to notice these issues than now."