Valve patches security flaw in Steam client hidden for more than 10 years

Shawn Knight

Facepalm: Stories like this highlight the fact that a developer's work is never done and that modern security standards can bring to light flaws in code long thought to be rock solid.

Valve recently patched a bug in its Steam client that has quietly existed for at least the past decade. Until last July, it could have been used to remotely execute code, according to the man who discovered it.

Security researcher Tom Court with Context Information Security reported the bug to Valve on February 20, 2018. In less than eight hours, he said, a patch had been dispatched to the beta client to address the matter. The official fix landed on the main Steam client in late March.

The vulnerability, at its core, was a heap corruption within the Steam client library in an area of code that handled fragmented datagram reassembly from multiple received UDP packets. Specifically, the bug was caused by the absence of a simple check to ensure that for the first packet of a fragmented datagram, the specified packet length was less than or equal to the total datagram length.

Court described it as a basic bug – likely a simple oversight, considering the check was present for all subsequent packets – made relatively straightforward to exploit due to a lack of modern exploit protections. The fact that such a simple bug with such serious consequences has existed in such a popular platform for so many years, he added, should serve as a lesson to developers to periodically include aging code and system builds in reviews to ensure they conform to modern security standards.

Once Valve started implementing ASLR last July, exploitation would have only caused a client crash.
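To make the missing check concrete, here is an added example (not Steam's code, and not taken from the researcher's write-up) of a small fragment reassembler with the validation the article describes. The fragment header layout, field names and the 64 KiB cap are assumptions chosen for illustration; Steam's real wire format is not on the page. The first fragment's payload length is checked against the declared datagram length before any buffer is allocated or written, and every fragment is checked with overflow-safe arithmetic against the buffer that was actually allocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fragment header. Field names are assumptions, not Steam's format. */
typedef struct {
    uint32_t datagram_len;   /* total reassembled length; meaningful on the first fragment only */
    uint32_t offset;         /* byte offset of this fragment's payload within the datagram */
    uint32_t payload_len;    /* bytes of payload carried by this fragment */
    const uint8_t *payload;
} fragment_t;

typedef struct {
    uint8_t *buf;            /* heap buffer sized from the first fragment's datagram_len */
    uint32_t total_len;
    uint32_t received;       /* bytes copied so far (a real implementation would track a bitmap to handle overlaps) */
} reassembly_t;

#define MAX_DATAGRAM (64u * 1024u)   /* assumed sanity cap on a single datagram */

/* Returns 0 when the fragment was accepted, -1 when it must be dropped. */
int reassembly_add(reassembly_t *r, const fragment_t *f, int is_first)
{
    if (is_first) {
        if (f->datagram_len == 0 || f->datagram_len > MAX_DATAGRAM) return -1;
        /* The check the article says was absent: the first fragment's stated payload
           length must be <= the total datagram length it declares. */
        if (f->payload_len > f->datagram_len) return -1;
        r->buf = calloc(f->datagram_len, 1);
        if (r->buf == NULL) return -1;
        r->total_len = f->datagram_len;
        r->received = 0;
    } else if (r->buf == NULL) {
        return -1;           /* subsequent fragment without a first fragment */
    }
    /* The check that was present for subsequent packets: offset + payload_len must stay
       inside the allocated buffer. Written as a subtraction so it cannot wrap on uint32_t. */
    if (f->offset > r->total_len || f->payload_len > r->total_len - f->offset) return -1;
    memcpy(r->buf + f->offset, f->payload, f->payload_len);
    r->received += f->payload_len;
    return 0;
}

int reassembly_complete(const reassembly_t *r)
{
    return r->buf != NULL && r->received == r->total_len;
}

void reassembly_free(reassembly_t *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total_len = r->received = 0;
}

/* Constructed input: declares a 16-byte datagram but carries 32 bytes. Expected: rejected (-1). */
int demo_oversized_first_fragment(void)
{
    uint8_t payload[32];
    memset(payload, 0x41, sizeof payload);
    fragment_t f = { 16, 0, 32, payload };
    reassembly_t r = { NULL, 0, 0 };
    int rc = reassembly_add(&r, &f, 1);
    reassembly_free(&r);
    return rc;
}

/* Constructed input: two well-formed fragments of a 12-byte datagram. Expected: 1 (reassembled). */
int demo_valid_reassembly(void)
{
    static const uint8_t a[] = "hello, ";   /* 7 payload bytes */
    static const uint8_t b[] = "world";     /* 5 payload bytes */
    fragment_t f1 = { 12, 0, 7, a };
    fragment_t f2 = { 0, 7, 5, b };
    reassembly_t r = { NULL, 0, 0 };
    int ok = reassembly_add(&r, &f1, 1) == 0 && reassembly_add(&r, &f2, 0) == 0 &&
             reassembly_complete(&r) && memcmp(r.buf, "hello, world", 12) == 0;
    reassembly_free(&r);
    return ok;
}

/* Constructed input: second fragment runs one byte past the declared 12. Expected: rejected (-1). */
int demo_overlong_second_fragment(void)
{
    static const uint8_t a[] = "hello, ";
    static const uint8_t b[] = "world!";    /* 6 bytes, but only 5 remain in the buffer */
    fragment_t f1 = { 12, 0, 7, a };
    fragment_t f2 = { 0, 7, 6, b };
    reassembly_t r = { NULL, 0, 0 };
    int rc = reassembly_add(&r, &f1, 1) == 0 ? reassembly_add(&r, &f2, 0) : -2;
    reassembly_free(&r);
    return rc;
}

int main(void)
{
    printf("oversized first fragment: %d\n", demo_oversized_first_fragment());
    printf("valid reassembly: %d\n", demo_valid_reassembly());
    printf("overlong second fragment: %d\n", demo_overlong_second_fragment());
    return 0;
}
```

The point of the example is the asymmetry the article describes: a reassembler that validates every subsequent fragment against the buffer but trusts the first fragment's own length field has a hole exactly where the buffer size is decided. Reviewing old parsers for that pattern (a length field that is used before it is compared with the allocation it drives) is the kind of periodic check Court recommends.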


 
I'm still bewildered, after all these years, that Steam thinks they need to run their client as a SERVICE in the operating system! There is absolutely NO reason to do this. Why do I want their client to run continually behind the scenes (completely hidden) and using up memory? Especially now we know there is yet another vulnerability? I disable the service and it still runs perfectly fine after all these years.
 
Not surprising in the least. Valve is notorious for fixing things later, if it ever even fixes something. Likely this was some function that was supposed to process an array, but started at 1. Amateur.
 
I'm still bewildered, after all these years, that Steam thinks they need to run their client as a SERVICE in the operating system! There is absolutely NO reason to do this. Why do I want their client to run continually behind the scenes (completely hidden) and using up memory? Especially now we know there is yet another vulnerability? I disable the service and it still runs perfectly fine after all these years.

Uhm, it's not a service on my computer; not sure why it's like that for you.
 
Uhm, it's not a service on my computer; not sure why it's like that for you.

Are you running linux? ;)

You went into services.msc and it's not there? You can also run msconfig and go to the services tab and click "Hide MS.." and it should be easier to find. That will be odd if you don't have it. Every install of the steam client I've done puts it in there. Although I don't run Win10. Maybe they hide it in that OS? Wouldn't surprise me.
 
I'm running Win 10 Pro. In the Task Manager I looked and, lo and behold, Steam Client Service 'Suspended'. This was on a computer started in the morning with no games played.
I then opened Steam and it changed to running. I closed Steam and the service ran until I found it on the task bar and closed it. Now it has gone to 'stopped'.
 
BTW, buffer overflow is a common programming mistake and it can occur in any code doing IO. The most common way this occurs is with gets() reading to the end-of-the-line character.
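As an added illustration of the commenter's point (this is example code, not from the article or from Steam), the function below reads one line into a fixed buffer the way a bounded replacement for gets() has to: it stops at the newline or at capacity, always NUL-terminates, and reports when the line did not fit instead of writing past the end. It reads from an in-memory string (a constructed stand-in for stdin) so it can run offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy one line from src into dst (capacity cap), stopping at '\n' or end of input.
   Returns the number of bytes stored, or -1 if the line would not fit in cap-1 bytes.
   gets() has no cap argument at all, which is why a long line overflows its buffer. */
long read_line_bounded(const char *src, char *dst, size_t cap)
{
    if (cap == 0) return -1;
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap) {          /* no room left for this byte plus the terminator */
            dst[0] = '\0';
            return -1;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[8];                      /* deliberately small, as a demonstration */
    /* Constructed inputs: one line that fits, one that does not. */
    printf("%ld %s\n", read_line_bounded("short\nrest of input", buf, sizeof buf), buf);
    printf("%ld\n", read_line_bounded("this line is too long\n", buf, sizeof buf));
    return 0;
}
```

The same contract is what fgets(buf, sizeof buf, stdin) gives you in standard C: the size is passed alongside the buffer, so the read can never run past it.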
 