code injection, steam chat client
State Resolved (Closed)
Disclosed publicly 2019-01-07T20:01:32.520Z
Reported To
Weakness Code Injection
Bounty $750


Timeline
submitted a report to Valve.
2018-09-19T03:54:17.233Z

The Steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbeds is CodePen. When a CodePen is created, it can be sent as a link to another Steam user, and the code inside the CodePen will execute within the privileged Steam Chat context.

You can send these CodePen links to someone and they'll perform some action when you open them.

https://codepen.io/zemnmez/pen/mGQvvq this one pops calc.exe
https://codepen.io/zemnmez/pen/eLLYLr this one opens a ton of windows
https://codepen.io/zemnmez/pen/pOQBYa this one opens Team Fortress 2

Impact

While poking around inside this context I noticed a few things:

  1. steam:// links are executed in a privileged mode not normally accessible in the steamwebhelper. steam:// URIs are executed immediately, and in most contexts without confirmation. This CodePen, if sent to a user, will immediately run Team Fortress 2 when clicked, if installed: https://codepen.io/zemnmez/pen/zJMeYe (you can use the same technique with runsafe to nuke a user's settings).

Since there is no confirmation here, I strongly believe that with some extra research a game could be opened with command line parameters and no confirmation, resulting in remote code execution as in this paper. Anything that otherwise happens with no confirmation, such as playing/pausing music and accepting guest passes, is controllable by this method.

  2. All custom-protocol URLs are executed, including Windows-internal protocol URLs. The jarfile:[FILEPATH] [PARAMS] form can be used to run any Java program on their PC; the same goes for wscript.exe and .js or .vbs files via the JSEFile: protocol. In Windows, every file format has its own custom protocol which is used internally to execute files of that format.

  3. A SteamClient API is exposed via the JS VM to the browsing context. Ordinarily this API is very slim (perhaps for security purposes), but by using open('chrome-devtools://devtools/bundled/inspector.html') to open a URL that doesn't open in the browser, we can spawn a new window with fewer restrictions. From here we can read the user's cursor position, move the window around, make it bigger or smaller, paste (though I couldn't get the API to work for this) and generally be a nuisance. I feel very sure there are APIs I can abuse here, but I've had a hard time finding them.

Regards,
Frans

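The hardening check a practitioner would want against points 1 and 2 of the report is a scheme allowlist applied before any link from chat or embedded content reaches the OS or the client's protocol handler. The following is an added example, not the report's code and not Valve's client code: plain http(s) links open silently, steam: links are held for user confirmation instead of executing immediately, and every other scheme (jarfile:, JSEFile:, chrome-devtools:, javascript:, file:, ...) is dropped. The base URL, the confirm/block policy, and the sample inputs are this example's own assumptions; the CodePen URL and the protocol names come from the report, the steam:// and file-path arguments are made up.

```javascript
// Added example (not Valve's code): vet a link before it is handed to the OS
// or to the client's protocol handler. Policy, base URL and samples are
// assumptions made for this example.

const BASE_URL = 'https://example.invalid/';          // assumed origin of the chat UI
const OPEN_SILENTLY = new Set(['http:', 'https:']);   // ordinary web links
const CONFIRM_FIRST = new Set(['steam:']);            // client-internal actions

// Returns { action: 'open' | 'confirm' | 'block', reason, url? }.
function classifyLink(href) {
  if (typeof href !== 'string') {
    return { action: 'block', reason: 'not a string' };
  }
  let url;
  try {
    // WHATWG parsing trims leading/trailing control characters and spaces,
    // lowercases the scheme and resolves relative links against BASE_URL,
    // so "STEAM://..." or " jarfile:..." cannot slip past the checks below.
    url = new URL(href, BASE_URL);
  } catch (e) {
    return { action: 'block', reason: 'unparseable' };
  }
  if (CONFIRM_FIRST.has(url.protocol)) {
    // Never execute a client protocol straight from untrusted content;
    // surface the exact URI to the user and let them decide.
    return { action: 'confirm', reason: 'client protocol needs user consent', url: url.href };
  }
  if (!OPEN_SILENTLY.has(url.protocol)) {
    // Covers jarfile:, JSEFile:, chrome-devtools:, javascript:, file:, data: ...
    return { action: 'block', reason: 'scheme ' + url.protocol + ' not allowed' };
  }
  if (url.username || url.password) {
    // Credentials in the authority are a phishing/redirect trick, not a link.
    return { action: 'block', reason: 'embedded credentials' };
  }
  return { action: 'open', reason: 'ok', url: url.href };
}

// Constructed samples (not captured from Steam). The CodePen URL and the
// protocol names are from the report; paths and steam:// arguments are made up.
const SAMPLES = [
  'https://codepen.io/zemnmez/pen/mGQvvq',
  '/profiles/someone',
  'steam://run/440',
  'STEAM://run/440',
  'jarfile:C:\\Users\\victim\\evil.jar',
  'JSEFile:C:\\Users\\victim\\evil.js',
  'chrome-devtools://devtools/bundled/inspector.html',
  'javascript:alert(1)',
  'http://user:secret@example.invalid/',
  'https://',
];

// Runs every sample through the classifier and returns the decisions.
function auditSamples() {
  return SAMPLES.map((href) => ({ href, ...classifyLink(href) }));
}

for (const row of auditSamples()) {
  console.log(row.action.padEnd(7), row.href, '(' + row.reason + ')');
}
```

The decision is made on the parsed `protocol`, not on a string prefix, because the parser is what the client will ultimately use; matching on `href.startsWith('steam://')` would miss the uppercase and leading-whitespace variants that the parser normalises. Whether a confirmed steam: link should still be allowed at all from third-party embedded content is a product decision; the safe default is to treat embedded content as untrusted and require the confirmation.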
zemnmez Activities::Comment
2018-09-23T12:44:48.041Z
Alright. I did some more sleuthing today, and voilà! Remote code execution: https://codepen.io/zemnmez/pen/pOBVao?editors=1010


fidgetspinner Activities::Comment
2018-09-25T06:02:22.283Z
Hi @zemnmez, Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @fidgetspinner


jonp Activities::BugTriaged
2018-10-02T00:14:23.171Z


jonp Activities::ReportSeverityUpdated
2018-10-02T00:14:58.971Z


jonp Activities::ReportSeverityUpdated
2018-10-06T00:41:06.354Z


Activities::BountyAwarded
2018-10-06T00:42:08.222Z
The higher-severity components of this issue really depend on issue #409850, which is why we've adjusted the severity on this report.


jonp Activities::BugResolved
2018-10-06T00:42:20.945Z
Thanks for the report! We have deployed a fix to our production systems. Please let us know if you are still able to reproduce the issue.


zemnmez Activities::Comment
2018-10-06T20:25:18.380Z
thank you so much!! I will take a look soon. i am clearing up my room today


zemnmez Activities::Comment
2018-10-06T20:25:36.595Z
thank you so much!! I will take a look soon. i am busy today :)


zemnmez Activities::AgreedOnGoingPublic
2019-01-03T14:42:48.350Z


bgilmore Activities::AgreedOnGoingPublic
2019-01-07T20:01:32.436Z


bgilmore Activities::ReportBecamePublic
2019-01-07T20:01:32.548Z