A security researcher discovered that the official software for installing SteelSeries devices on Windows 10 may be used to get administrator access.
Using a link in the License Agreement screen that is viewed with SYSTEM capabilities, the flaw may be exploited during the device setup process. It is not essential to use a genuine SteelSeries gadget to take advantage of the flaw.
Emulating A Gadget Is Also A Possibility
The finding follows reports that the Razer Synapse program may be exploited to acquire higher access when attaching a Razer mouse or keyboard. These reports came to light over the weekend.
Encouraged by jonhat’s findings, offensive security researcher Lawrence Amer (research team leader at 0xsp) discovered that the SteelSeries device installation software may accomplish the same results.
On Monday, the researcher uncovered a privilege escalation flaw while playing with a new SteelSeries keyboard, allowing him to execute the Command Prompt in Windows 10 with administrative privileges.
However, the SteelSeries program is not limited to keyboards (Apex 7/Pro). It also installs and configures Rival 650/600/710 mice and Arctis 9, Pro headphones from the manufacturer, as well as allowing users to customize the RGB lighting on the QCK Prism gaming mousepad.
Amer began by connecting his keyboard and watching the download progress, which began with the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) being downloaded to the Windows temporary folder.
This assault does not necessitate the use of a genuine SteelSeries gadget. István Tóth, a penetration testing researcher, has released an open-source script that may be used to test local privilege escalation (LPE) situations by simulating human interface devices (HID) on an Android phone.
The script can effectively imitate both Razer and SteelSeries devices, despite being an experimental version.
Tóth released a video after Amer’s study was published, illustrating that the LPE found by Amer can be accomplished with his USB Gadget Generator Tool.
Picking The Proper Setting
Amer looked for a means to load a missing DLL or EXE from directories available to unprivileged users to discover a weak point, but he couldn’t locate one.
He did note, however, that the device setup software was opened with SYSTEM permissions as soon as he downloaded it. Another process with the greatest privileges opened the door to a new attack vector.
Amer attempted to utilize the same approach that had previously worked for the Razer zero-day bug, but it failed since the installation proceeds without user involvement.
When the License Agreement emerged, it included a link to SteelSeries’ privacy policy, which was a big break for the researcher. The box for selecting a launching app displayed when you clicked on the link.
Amer put the situation to the test in a virtual computer with no file associations set up. Internet Explorer, which started as SYSTEM, was the only process that could open the URL.
It was then only a question of saving the web page in Internet Explorer and launching an elevated privileges Command Prompt from the right-click option of the “Save As” box.
Amer stated that he attempted to notify SteelSeries about the issue but was unable to locate a public bug reward program or a product security contact.
“We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon” – SteelSeries spokesperson said.
Even after the vulnerability has been patched, the researcher claims that it can still be exploited. When connecting in a SteelSeries device, an attacker may save the vulnerable signed executable that was dropped in the temporary folder and use it in a DNS poisoning attack.
