code injection, steam chat client
State Resolved (Closed)
Disclosed publicly 2019-01-07T20:01:32.520Z
Reported To
Weakness Code Injection
Bounty $750

submitted a report to Valve.

The Steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbeds is codepen. When a codepen is created, it can be sent as a link to another Steam user, and the code inside the codepen will execute within the privileged Steam Chat context.

You can send these codepen links to someone and they'll perform some action when you open them: this one pops calc.exe; this opens a ton of windows; this one opens Team Fortress 2.


While poking around inside this context I noticed a few things:

  1. steam:// links are executed in a privileged mode not normally accessible in the steamwebhelper. steam:// URIs are executed immediately, and in most contexts without confirmation. This codepen, if sent to a user, will immediately run Team Fortress 2 when clicked, if installed: (you can use the same technique with runsafe to nuke a user's settings).

     Since there is no confirmation here, I strongly believe with some extra research a game could be opened with command line parameters and no confirmation that results in remote code execution as in this paper. Anything that otherwise happens with no confirmation, such as playing / pausing music and accepting guest passes, is controllable by this method.

  2. All custom-protocol URLs are executed, including Windows internal protocol URLs. The jarfile:[FILEPATH] [PARAMS] form can be used to run any Java program on their PC, same with wscript.exe and .js or .vbs files via the JSEFile: protocol. In Windows, every file format has its own custom protocol which is used internally to execute files of that format.

  3. A SteamClient API is exposed via the JS VM to the browsing context. Ordinarily this API is very slim (perhaps for security purposes), but by using open('chrome-devtools://devtools/bundled/inspector.html') to open a URL that doesn't open in the browser we can spawn a new window with fewer restrictions. From here we can read the user's cursor position, move the window around, make it bigger or smaller, paste (though I couldn't get the API to work for this) and generally be a nuisance. I feel very sure there are APIs I can abuse here, but I've had a hard time finding them.


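The two defensive checks the report implies, as an added example that is not Valve's code and not part of the original report: a chat webview that never renders an oEmbed "rich" response (provider-supplied HTML such as a codepen) inline, and that never navigates silently to a non-http(s) scheme from chat content. The provider list in EMBED_POLICY and the decision labels are constructed for this example.

```javascript
// Added defensive example, not Valve's code: how a chat webview could decide
// what user-supplied links and oEmbed responses are allowed to do. Two rules
// drawn from the report: provider "rich" HTML (e.g. a codepen) must never run
// in the privileged context, and non-http(s) schemes (steam://, jarfile:,
// JSEFile:, chrome-devtools://) must never be navigated to silently.

// Constructed allowlist: which oEmbed response types each provider may render
// inline. The "rich" type is deliberately absent for every provider.
const EMBED_POLICY = {
  "youtube.com": new Set(["video"]),
  "imgur.com": new Set(["photo"]),
  "codepen.io": new Set(["link"]), // a plain link card only, never the pen itself
};

// Schemes chat content may navigate to without a confirmation prompt.
const SILENT_SCHEMES = new Set(["http:", "https:"]);

// Return the allowlisted provider that `url` belongs to, or undefined.
// Matching uses the parsed hostname, so userinfo tricks such as
// "http://codepen.io@other.example/" resolve to other.example, not codepen.io.
function matchProvider(url) {
  const host = url.hostname.toLowerCase().replace(/^www\./, "");
  return Object.keys(EMBED_POLICY).find((p) => host === p || host.endsWith("." + p));
}

// Decide how an oEmbed response fetched for `providerUrl` may be rendered:
// "inline" (allowed type from an allowlisted provider), "link-card" (show the
// URL as text only; used for any "rich" response), or "reject".
function classifyEmbed(providerUrl, oembed) {
  let url;
  try { url = new URL(providerUrl); } catch { return "reject"; }
  if (!SILENT_SCHEMES.has(url.protocol)) return "reject";
  const provider = matchProvider(url);
  if (!provider) return "reject";
  if (oembed.type === "rich") return "link-card";
  return EMBED_POLICY[provider].has(oembed.type) ? "inline" : "reject";
}

// Decide what a click on `href` inside chat content may do: "open" for
// http(s), "confirm" (prompt the user first) for steam: URIs, and "block" for
// every other scheme, which covers the Windows per-file-type protocol handlers.
function classifyNavigation(href) {
  let url;
  try { url = new URL(String(href).trim()); } catch { return "block"; }
  if (SILENT_SCHEMES.has(url.protocol)) return "open";
  if (url.protocol === "steam:") return "confirm";
  return "block";
}
```

Both functions operate on the parsed URL object rather than on the raw string, so mixed-case schemes and leading whitespace cannot slip past the checks.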
zemnmez Activities::Comment
alright. I did some more sleuthing today, and voila! remote code execution:

fidgetspinner Activities::Comment
Hi @zemnmez, Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @fidgetspinner

jonp Activities::BugTriaged

jonp Activities::ReportSeverityUpdated

jonp Activities::ReportSeverityUpdated

The higher-severity components of this issue really depend on issue #409850, which is why we've adjusted the severity on this report.

jonp Activities::BugResolved
Thanks for the report! We have deployed a fix to our production systems. Please let us know if you are still able to reproduce the issue.

zemnmez Activities::Comment
thank you so much!! I will take a look soon. i am clearing up my room today

zemnmez Activities::Comment
thank you so much!! I will take a look soon. i am busy today :)

zemnmez Activities::AgreedOnGoingPublic

bgilmore Activities::AgreedOnGoingPublic

bgilmore Activities::ReportBecamePublic