VYPR
Medium severity 4.8 · NVD Advisory · Published Jan 23, 2017 · Updated May 13, 2026

CVE-2016-5237

Description

Valve Steam 3.42.16.13 uses weak permissions on its program directory, allowing local users to replace files and escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Valve Steam version 3.42.16.13 installs the Steam program directory at C:\Program Files (x86)\Steam with weak file permissions. The icacls output shows that the BUILTIN\Users group has full control (F) over the directory and its subfolders and files. This misconfiguration allows any local user to modify, replace, or backdoor executables (e.g., Steam.exe) placed in that directory [1].

Exploitation

A local attacker needs only membership in the local BUILTIN\Users group, which includes all authenticated user accounts on the system. No additional privileges or user interaction are required. The attacker can simply replace Steam.exe or any related executable/DLL with a malicious version. Since Steam is typically configured as a startup application, the malicious payload will execute with the privileges of the next user who logs in and launches Steam [1].

Impact

Successful exploitation results in code execution in the context of the target user. An attacker can achieve lateral movement and privilege escalation on the system, gaining the ability to run arbitrary code as any user who launches Steam. This can lead to full compromise of the affected user's session and potentially further system access [1].

Mitigation

The vendor was contacted prior to disclosure, but no fix or updated version has been released as of the publication date. Users should manually tighten permissions on the Steam installation directory by removing BUILTIN\Users write access. As a workaround, running Steam from a custom location with appropriately restrictive permissions may reduce risk [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
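An added example, not part of the advisory or its references: a read-only PowerShell audit for the condition described under Vulnerability, listing Allow entries that give broad groups write-type rights on the Steam directory and on the executables and DLLs beneath it. The path is the default named in the advisory; which groups are flagged and which rights count as write access are this example's assumptions.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Default install path from the advisory; adjust if Steam is installed elsewhere.
$SteamDir = 'C:\Program Files (x86)\Steam'

# Well-known SIDs of broad groups (assumption: the principals worth flagging).
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that allow replacing or tampering with a file (assumption: this
# example's definition of "write"). Full control (F) and Modify both include them.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries can surface as raw GENERIC_ALL / GENERIC_WRITE bits.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

if (-not (Test-Path -LiteralPath $SteamDir -PathType Container)) {
    Write-Output "Not found: $SteamDir"
    return
}

# The directory itself plus every executable and DLL below it.
$targets = @(Get-Item -LiteralPath $SteamDir)
$targets += @(Get-ChildItem -LiteralPath $SteamDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' })

$SidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Explicit and inherited entries, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights) -band $WriteMask) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No write-type entries for broad groups under $SteamDir" }
```

An entry on the directory itself with Inherited = False is the grant the Mitigation paragraph refers to; entries marked Inherited = True on files follow from a parent's entry.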

Affected products

1

Patches

0

No patches discovered yet.

References

2
