** DISPUTED ** In Valve Steam Client for Windows through 2019-08-07, HKLMSOFTWAREWow6432NodeValveSteam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITYSYSTEM access. NOTE: the vendor disputes the significance of this finding; the discoverer was reportedly told that the Steam threat model excludes "Attacks that require physical access to the user’s device" and "Attacks that require the ability to drop files in arbitrary locations on the user’s filesystem" (which might apply to the attacker’s ability to create links under HKLMSOFTWAREWow6432NodeValveSteamApps).

Source: CVE-2019-14743

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다

Time limit is exhausted. Please reload the CAPTCHA.