Forum Overview :: Steam
 
Steam 0 day, Gabe.exe couldn't care less by I Date Conservatives - ask me how 08/08/2019, 12:00pm PDT
https://amonitoring.ru/article/steamclient-0day/

Steam’s service sets a security descriptor for our target key. Review the SDDL for the key (non-interesting data is omitted):

(A;ID;KA;;;BU)(A;OICIIOID;GA;;;BU)

In other words, it means full (read and write) access to the key for all users. This is the security descriptor the service has set on the key.

So, now we have a primitive to take control of almost every key in the registry, and it is easy to convert it into a complete EoP (Escalation of Privileges). I chose the key HKLM\SYSTEM\ControlSet001\Services\msiserver, which corresponds to the service “Windows Installer”; it can be started by any user, same as Steam’s service, but it runs its program as NT AUTHORITY\SYSTEM. After taking control, it is only necessary to change the ImagePath value of the HKLM\SYSTEM\ControlSet001\Services\msiserver key and start the “Windows Installer” service. The program from ImagePath will be started as NT AUTHORITY\SYSTEM.

Put all things together and we get an exploit that allows running any program with the highest possible rights on any Windows computer with Steam installed.


July 20 — after the report was rejected, I informed H1 that I would disclose the details of the vulnerability publicly after July 30.

August 2 — one more H1 employee appears in the thread and forbids the disclosure.

This article was ready for publication by July 30 (this date was chosen due to the 45-day deadline since the initial vulnerability report was sent). So, two weeks after my message, which was sent on July 20, a person appears who tells me that my report was marked as not applicable; they closed the discussion and wouldn’t offer any explanation to me. Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned at H1 because of it, but it won't make me upset. [/quote]
