The official app for setting up SteelSeries devices on Windows 10 can be exploited to obtain administrator rights, a security researcher has discovered.
Leveraging the bug is possible during the device setup process, using a link in the License Agreement screen that is opened with SYSTEM privileges. A real SteelSeries device is not necessary to exploit the bug.
Emulating a device also works
The discovery comes after news broke over the weekend that the Razer Synapse software can be used to gain elevated privileges when connecting a Razer mouse or keyboard.
Encouraged by the research from jonhat, offensive security researcher Lawrence Amer (research team lead at 0xsp) found that the same can be achieved with the SteelSeries device installation software.
Playing with a recently acquired SteelSeries keyboard on Monday, the researcher discovered a privilege escalation vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges.
The SteelSeries software is not just for keyboards (Apex 7/Pro), though. It also installs and allows configuring mice (Rival 650/600/710) and headsets (Arctis 9, Pro) from the maker; it even lets users control the RGB lighting on the QcK Prism gaming mousepad.
Amer started by plugging in his keyboard and monitoring the installation process, which began with downloading the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) to the Windows temporary folder.
A real SteelSeries device is not necessary for this attack to work. Penetration testing researcher István Tóth published an open-source script that can mimic human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.
Although an experimental version, the script can successfully emulate both Razer and SteelSeries devices.
After Amer published his research, Tóth published a video demonstrating that the LPE discovered by Amer can be achieved using his USB Gadget Generator Tool.
Finding the right context
In looking for a weak spot, Amer poked around looking for a way to load a missing DLL or EXE from folders accessible to unprivileged users but didn't find any.
However, he noticed that the device setup app was launched with SYSTEM rights immediately after downloading it. Another process running with the highest privileges offered a new opportunity for attack.
Amer tried the same method that worked for the Razer zero-day vulnerability, but it didn't work because the installation carries on without user interaction.
The researcher caught a lucky break when the License Agreement appeared with a link to SteelSeries' privacy policy. When clicking on the link, the dialog for choosing a launching app appeared.
Amer tested the scenario in a virtual machine that didn't have file associations defined. The only process available for opening the link was Internet Explorer, which spawned as SYSTEM.
From there, it was a simple matter of using IE to save the web page and launch an elevated-privileges Command Prompt from the right-click menu of the "Save As" dialog.
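For defenders, the chain described above (SYSTEM installer in the temp folder spawning a browser, which in turn spawns a shell) is what endpoint telemetry should flag. The following is an added detection sketch, not code from the article or from SteelSeries; the process-creation events are constructed, and the event field names and temp-folder path shape are assumptions modelled on Sysmon-style records.

```python
import re

# Installer name as reported in the article; the \Temp\ path shape is an assumption.
INSTALLER_RE = re.compile(r"\\Temp\\SteelSeriesGG[\d.]*Setup\.exe$", re.IGNORECASE)
# Children a SYSTEM-context installer has no business spawning: a browser or a shell.
SUSPICIOUS_CHILDREN = {"iexplore.exe", "cmd.exe", "powershell.exe"}
SYSTEM_USER = "nt authority\\system"

# Constructed sample events (not real telemetry), in the order they would be logged.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\Temp\SteelSeriesGG6.2.0Setup.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\Temp\SteelSeriesGG6.2.0Setup.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",   # normal installer child, not flagged
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",       # an ordinary user shell, not flagged
     "User": r"DESKTOP\alice"},
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_events(events):
    """Return one finding per event that extends the installer -> browser -> shell chain.

    Only SYSTEM-context children count; a child is flagged when its parent is the
    installer itself or a process already flagged earlier in the chain.
    """
    tainted = set()      # image names already flagged as SYSTEM children of the chain
    findings = []
    for ev in events:
        if ev["User"].lower() != SYSTEM_USER:
            continue
        parent, child = ev["ParentImage"], basename(ev["Image"])
        from_installer = bool(INSTALLER_RE.search(parent))
        from_tainted = basename(parent) in tainted
        if (from_installer or from_tainted) and child in SUSPICIOUS_CHILDREN:
            tainted.add(child)
            findings.append(f"{basename(parent)} -> {child} as SYSTEM")
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(finding)
```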
Amer told BleepingComputer that he tried informing SteelSeries about the vulnerability but couldn't find a public bug bounty program or a contact for product security.
Replying to our request for comment on the matter, a SteelSeries representative said that the company was aware of the issue and eliminated the risk of exploitation by stopping the installation software from launching on plugging in a SteelSeries device:
“We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon” – SteelSeries spokesperson
The researcher says that the vulnerability could still be exploited even after patching it. An attacker could save the vulnerable signed executable dropped in the temporary folder when plugging in a SteelSeries device and serve it in a DNS poisoning attack.
Update [August 25, 04:14 EST]: Article updated with comment from SteelSeries provided after publication