CVE-2016-5237

medium

Published 2017-01-23 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

4.8

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.8

Description

Valve Steam 3.42.16.13 uses weak permissions for the files in the Steam program directory, which allows local users to modify the files and possibly gain privileges as demonstrated by a Trojan horse Steam.exe file.

Predictions

Exploit likelihood

48%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-39888 local windows text · 2 KB

Gregory Smiley · 2016-06-06

Valve Steam 3.42.16.13 - Local Privilege Escalation

text exploit Source: Exploit-DB

# Exploit Title: Valve Steam 3.42.16.13 Local Privilege Escalation
# CVE-ID: CVE-2016-5237
# Date: 5/11/52016
# Exploit Author: gsX
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.valvesoftware.com/
# Software Link: http://store.steampowered.com/about/
#Version: File Version 3.42.16.13, Built: Apr 29 2016, Steam API: v017, Steam package versions: 1461972496
# Tested on: Windows 7 Professional x64 fully updated.


1. Description:

The Steam directory located at C:\Program Files (x86)\Steam implement weak
file permissions
and allow anyone in the BUILTIN\Users windows group to modify any file in
the Steam directory and any of its child files and folders.

Since Steam is a startup application by default this makes it particularly
easy to achieve lateral/vertical privilege escalation and achieve code
execution against any user running the application.


2. Proof

C:\Program Files (x86)>icacls Steam
Steam BUILTIN\Users:(F)
      BUILTIN\Users:(OI)(CI)(IO)(F)
      NT AUTHORITY\SYSTEM:(F)
      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
      NT SERVICE\TrustedInstaller:(I)(F)
      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
      NT AUTHORITY\SYSTEM:(I)(F)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
      BUILTIN\Administrators:(I)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
      BUILTIN\Users:(I)(RX)
      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files


3. Exploit:

Simply backdoor/replace Steam.exe or any other related exe's/dll's  with
the code you want to
run.

I would like to note that I contacted Valve on several occasions
and gave them plenty of time to reply/fix the issue before releasing this
entry.

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.