Privilege Escalation vulnerability in Steam's Remote Play feature leads to arbitrary kernel-mode driver installation
Severity: Medium
Program: Valve
Reported by: hydraskyteam
## Vulnerability Details
_Tested on Windows 10 x64_
* When Steam starts, it checks the integrity of every installed file and re-downloads any file that has been modified. After this step, every file in the Steam installation folder is exactly its original version.
* Before Steam streams to Steam Link (the Remote Play feature) for the first time, it has SteamServices install two kernel-mode drivers, `SteamStreamingMicrophone` and `SteamStreamingSpeakers`, from `C:\Program Files (x86)\Steam\drivers\Windows10\x64`.
{F792262}
* From the two points above it follows that if `SteamStreamingMicrophone` or `SteamStreamingSpeakers` is modified after Steam has started (that is, after the integrity check has run) but before the first streaming session installs it, the modified driver is installed instead of the original. Because the integrity check and the driver installation happen at different times, an arbitrary kernel-mode driver can be installed through Steam.
* `SteamStreamingMicrophone.sys` and `SteamStreamingSpeakers.sys` ██████
My fake driver: {F792263}
PoC Video: {F792325}
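The race described in the points above, as an added example that is not part of the report or of Steam's own code: a Python model of a startup check-and-repair step followed by a later driver installation, performed both the way the report describes (trusting the check that ran at startup) and with the image re-verified from the very bytes about to be installed. The file names are the ones from the report; the file contents, the hash manifest, the "install" functions and the install directory are constructed stand-ins, and the SHA-256 manifest check stands in for whatever signature or catalog validation a real driver installer should perform at install time.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample data: stand-ins for the two driver images (NOT the real
# Steam .sys binaries) and the manifest of expected SHA-256 digests that a
# startup integrity check would hold.
PRISTINE = {
    "SteamStreamingMicrophone.sys": b"GOOD MICROPHONE DRIVER IMAGE",
    "SteamStreamingSpeakers.sys": b"GOOD SPEAKERS DRIVER IMAGE",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in PRISTINE.items()}


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def startup_integrity_check(install_dir):
    """Model of the check-and-repair done once when Steam starts: any file
    whose digest differs from the manifest is rewritten from the pristine copy
    (standing in for a re-download). Returns the names that were repaired."""
    repaired = []
    for name, expected in MANIFEST.items():
        path = os.path.join(install_dir, name)
        if not os.path.exists(path) or sha256_file(path) != expected:
            with open(path, "wb") as f:
                f.write(PRISTINE[name])
            repaired.append(name)
    return repaired


def install_driver_trusting_startup_check(install_dir, name):
    """Vulnerable pattern (hypothetical model): installs whatever is on disk at
    install time, relying only on the check that ran at startup. Returns the
    digest of the image that would actually be installed."""
    return sha256_file(os.path.join(install_dir, name))


def install_driver_verified(install_dir, name):
    """Hardened pattern (hypothetical model): read the image once, verify those
    exact bytes against the manifest, and only then hand them to the installer.
    Raises PermissionError instead of installing a modified image."""
    with open(os.path.join(install_dir, name), "rb") as f:
        image = f.read()
    digest = hashlib.sha256(image).hexdigest()
    if digest != MANIFEST[name]:
        raise PermissionError(f"{name}: digest {digest[:12]}... does not match manifest")
    return digest


def demo():
    """Plays out the race in a temporary directory:
    1. Steam starts and the integrity check leaves pristine files,
    2. the attacker overwrites one driver image,
    3. the first Remote Play session triggers installation.
    Returns (vulnerable_path_installed_tampered_image, hardened_path_refused)."""
    install_dir = tempfile.mkdtemp(prefix="steam-drivers-")
    try:
        startup_integrity_check(install_dir)
        target = os.path.join(install_dir, "SteamStreamingMicrophone.sys")
        with open(target, "wb") as f:
            f.write(b"ATTACKER KERNEL DRIVER IMAGE")  # constructed tampered image

        installed = install_driver_trusting_startup_check(
            install_dir, "SteamStreamingMicrophone.sys")
        tampered_installed = installed != MANIFEST["SteamStreamingMicrophone.sys"]

        try:
            install_driver_verified(install_dir, "SteamStreamingMicrophone.sys")
            refused = False
        except PermissionError:
            refused = True
        return tampered_installed, refused
    finally:
        shutil.rmtree(install_dir)


if __name__ == "__main__":
    print(demo())
```

The hardened variant hashes the same in-memory bytes it would pass to the installer; hashing the path and then reopening the file for installation would reopen the window, since the file can change between the two reads.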
## Impact
Installation of an attacker-supplied kernel-mode driver, which can lead to running arbitrary code in kernel mode.
## Report Details
State: Closed (Resolved)
Weakness: Privilege Escalation