Full Report
Steam Remote Play is a peer-to-peer system for playing video games remotely. The author of this video reverse engineered the protocol to understand how it worked, built a fuzzer and found some fun vulnerabilities in it. The Remote Play protocol mostly uses protobufs, and luckily for the author much of this information was already kept in a GitHub repo. There are various ways to carry the traffic, from WebRTC to UDP, but the author chose UDP because of its simplicity. For more details on how the protocol works (headers, authentication, channels and so on), read the post.

To interact with the project, the author built their own client and server implementation. An initial issue they ran into was that the session info for the session would already have been derived. They used an x32dbg script to automatically inject the key into the running process and then use it in their own client. Another issue was forcing the client to use the UDP connection: by changing the advertised parameters to include ONLY UDP, the server would always choose it.

With a client built, the author set up a fuzzer. Since the protocol uses protobuf, the fuzzer had to be grammar-aware, so they created their own engine for it. For strings, they mixed in odd inputs such as paths, URLs, XML and more. For integers, they used interesting sizes such as powers of 2, negative numbers and more. They also randomly dropped optional fields. Some of the connection types were stateless while others were stateful, so they built a replay system and a logging system to see what was going on, plus a scenario system to drive stateful sequences of actions against the system and reproduce bugs. One issue I've had with stateful fuzzing in the past is reproducing issues. It would require saving all previous inputs in order to be confident that we had the information to reproduce the issues.

With all of this built, they found a bunch of vulns! With fuzzing, crashes are nice and expected.
However, looking for side effects is equally important when hunting for bugs; not all bugs are binary issues that end in a crash. The first bug was a simple directory traversal, found by the fuzzer, that could be used to overwrite a Steam DLL and get code execution. From there, they found a ton of format string issues, though without %n available. Crazily enough, these sat in parts of the system, like logging, that made it possible to use them as a leak, so an attacker could read arbitrary data from the heap and/or break ASLR on the system. In the handling of CRemotePlayTogetherGroupUpdateMsg there was an SSRF issue whenever the fetched response was not JSON: by specifying a URL, a GET request was made and arbitrary data on the network could be leaked. Besides this, a few OOB reads and writes were found in player structs and in audio encoding. One of the leaks allowed them to remotely read all heap data from the process, which is super cool.

Good read! The bugs are fun, but the setup of the fuzzer and the thought put into making the system testable was the most valuable thing to me. The SSRF issue, which only leaked data if the response wasn't JSON, was a good instance of fuzzing for bugs without memory corruption being the only goal. This requires you to be more active, but it will pay off in complicated systems like this one.
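The grammar-aware mutation and seeded replay described above, as an added example that is neither the author's fuzzer nor code from the write-up: the schema, the string and integer pools and `toy_target` are constructed stand-ins, not the real Steam Remote Play message definitions.

```python
import random

# Constructed stand-in for one protobuf message type: field -> (type, optional).
# Not the real Steam Remote Play schema, just what a grammar-aware mutator needs.
SCHEMA = {"icon_path": ("string", False), "width": ("int32", False),
          "height": ("int32", False), "mime_type": ("string", True),
          "retry_count": ("uint32", True)}
# Type-aware corpora: odd strings (paths, URLs, markup, format directives) and
# boundary integers, as the write-up describes.
STRING_POOL = ["", "../../outside.bin", "C:\\tmp\\x.dll", "http://localhost/",
               "<x/>", "%s%p", "A" * 4096]
INT_POOL = [0, 1, -1, 255, 256, 65535, 65536, 2**31 - 1, -2**31, 2**32 - 1]

def mutate(msg, schema, rng):
    """One grammar-aware step: drop an optional field or replace a value by type."""
    out = dict(msg)
    field = rng.choice(sorted(schema))
    ftype, optional = schema[field]
    if optional and rng.random() < 0.2:
        out.pop(field, None)
        return out, {"field": field, "op": "drop"}
    value = rng.choice(STRING_POOL if ftype == "string" else INT_POOL)
    out[field] = value
    return out, {"field": field, "op": "set", "value": value}

def fuzz_session(seed, base_msg, schema, rounds, target):
    """Feed `target` a seeded mutation chain; return a replay record on failure."""
    rng, msg, log = random.Random(seed), dict(base_msg), []
    for i in range(rounds):
        msg, entry = mutate(msg, schema, rng)
        log.append(entry)  # the mutation trail doubles as a human-readable log
        try:
            target(msg)  # a real harness would also check side effects (files, sockets)
        except Exception as exc:  # crash or oracle violation
            return {"seed": seed, "round": i, "log": log, "msg": msg, "error": repr(exc)}
    return None

def replay(seed, base_msg, schema, round_idx):
    """Rebuild the exact message of a given round from the seed alone."""
    rng, msg = random.Random(seed), dict(base_msg)
    for _ in range(round_idx + 1):
        msg, _ = mutate(msg, schema, rng)
    return msg

def toy_target(msg):
    """Stand-in for the handler under test: trips on traversal in the icon path."""
    if ".." in msg["icon_path"]:
        raise ValueError("traversal sequence reached the file-write path")
```

Because every message is a pure function of the seed and the round index, a failing case is reproduced from two numbers instead of a saved input history.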
Analysis Summary
# Vulnerability: Remote Code Execution via Steam Remote Play Protocol
## CVE Details
* **CVE ID:** Not explicitly provided (referenced via HackerOne reports)
* **CVSS Score:** Reported as **High/Critical** by researcher; disputed by vendor
* **CWE:**
  * CWE-22: Improper Limitation of a Pathname to a Restricted Directory
  * CWE-134: Use of Externally-Controlled Format String
  * CWE-918: Server-Side Request Forgery (SSRF)
  * CWE-122: Heap-based Buffer Overflow
## Affected Systems
* **Products:** Valve Steam Client
* **Versions:** Steam Client versions prior to June 20, 2023 (specifically versions supporting "Remote Play Together")
* **Configurations:** Systems with Steam Remote Play enabled; vulnerability affects both the streaming host (server) and the joining friend (client).
## Vulnerability Description
Multiple vulnerabilities were discovered in the Steam Remote Play protocol, a peer-to-peer system primarily using Protobuf over UDP.
* **Path Traversal/RCE:** The `CSetTouchIconDataMsg` message allowed for a directory traversal during file operations. An attacker could write arbitrary files to the disk, specifically overwriting Steam DLLs to achieve Remote Code Execution (RCE).
* **Format String Bugs:** Found in `CRemotePlayTogetherGroupUpdateMsg` and logging components. Since `%n` was unavailable, these functioned as high-impact memory leaks to bypass ASLR and steal heap data.
* **SSRF:** Triggered via `CRemotePlayTogetherGroupUpdateMsg` when a non-JSON response was returned from a specified URL, allowing for network data exfiltration.
* **Memory Corruption:** Various Out-of-Bounds (OOB) reads/writes in player structs and heap overflows in YV12 video frame processing.
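The path traversal class above (a peer-supplied file name reaching a file write), shown as an added illustration rather than Valve's code: `unsafe_icon_path` is the traversal-prone join and `safe_icon_path`/`write_icon` the checks that confine writes to the icon directory; the directory, file names and bytes are constructed.

```python
import os
import tempfile
from pathlib import Path

SAFE_SUFFIXES = (".png", ".jpg")  # icon formats only; nothing executable is ever written


def unsafe_icon_path(base, name):
    """The defective pattern: the peer-supplied name is joined as-is, so '..'
    segments or an absolute name land outside the icon directory."""
    return Path(os.path.join(str(base), name))


def safe_icon_path(base, name):
    """Hardened form: accept only a bare file name with an allowed extension,
    then confirm the resolved target still sits directly under base."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError("icon name must be a bare file name")
    if not name.lower().endswith(SAFE_SUFFIXES):
        raise ValueError("unexpected icon extension")
    base = Path(base).resolve()
    target = (base / name).resolve()
    if target.parent != base:  # also catches a pre-planted symlink inside base
        raise ValueError("icon path escapes the icon directory")
    return target


def write_icon(base, name, data):
    """Store icon bytes only after the name has passed safe_icon_path."""
    target = safe_icon_path(base, name)
    Path(base).mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo():
    """Constructed round-trip in a scratch directory: one good name is stored,
    one traversal name is refused; returns (stored bytes, refused?)."""
    base = Path(tempfile.mkdtemp()) / "icons"
    stored = write_icon(base, "friend.png", b"\x89PNG-constructed").read_bytes()
    try:
        write_icon(base, "../../outside.dll", b"junk")
        refused = False
    except ValueError:
        refused = True
    return stored, refused
```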
## Exploitation
* **Status:** PoC available (demonstrated to Valve via HackerOne)
* **Complexity:** Medium (Requires reverse engineering the proprietary Protobuf-based protocol and session key injection)
* **Attack Vector:** Network (Peer-to-Peer)
## Impact
* **Confidentiality:** High (Arbitrary heap memory leakage, ASLR bypass, and SSRF)
* **Integrity:** High (Arbitrary file write allows overwriting system/application binaries)
* **Availability:** High (Resulting crashes and process takeover)
## Remediation
### Patches
* **Steam Client Beta:** Fixes were pushed starting June 20, 2023.
* **Steam Client Stable:** Users should ensure they are running the latest version of the Steam Client (post-July 2023).
### Workarounds
* Disable "Remote Play" in Steam Settings (`Settings > Remote Play > Enable Remote Play [Off]`).
* Only use "Remote Play Together" with trusted Steam friends.
## Detection
* **Indicators of Compromise:** Unusual file write activity in the Steam installation directory (specifically `.dll` modifications).
* **Detection Methods:** Monitor for unexpected UDP traffic patterns on Steam Remote Play ports if the feature is not in active use.
## References
* Full Technical Write-up: hxxps[://]blog[.]thalium[.]re/posts/achieving-remote-code-execution-in-steam-remote-play/
* SSTIC 2023 Presentation: hxxps[://]www[.]sstic[.]org/2023/presentation/bug_hunting_in_steam_remote_play/
* Vendor: hxxps[://]hackerone[.]com/valve (Referenced reports)