SteelSeries bug gives Windows 10 admin rights by plugging in a device


The official app for installing SteelSeries devices on Windows 10 can be exploited to obtain administrator rights, a security researcher has found.

Leveraging the bug is possible during the device setup process, using a link in the License Agreement screen that is opened with SYSTEM privileges. A real SteelSeries device is not necessary to exploit the bug.

Emulating a device also works

The discovery comes after news broke over the weekend that the Razer Synapse software can be used to gain elevated privileges when connecting a Razer mouse or keyboard.

Inspired by the research from jonhat, offensive security researcher Lawrence Amer (research team leader at 0xsp) found that the same can be achieved with the SteelSeries device installation software.

Playing with a recently acquired SteelSeries keyboard on Monday, the researcher discovered a privilege escalation vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges.

The SteelSeries software is not just for keyboards (Apex 7/Pro), though. It also installs and allows configuring mice (Rival 650/600/710) and headsets (Arctis 9, Pro) from the maker; it even lets users control the RGB lighting on the QCK Prism gaming mousepad.

Amer started by plugging in his keyboard and monitoring the installation process, which started with downloading the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) to the Windows temporary folder.

A real SteelSeries device is not necessary for this attack to work. Penetration testing researcher István Tóth published an open-source script that can mimic human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.

USB Gadget Generator Tool

Although an experimental version, the script can successfully emulate both Razer and SteelSeries devices.

After Amer published his research, Tóth published a video demonstrating that the LPE found by Amer can be achieved using his USB Gadget Generator Tool.


Finding the right context

In searching for a weak spot, Amer poked around looking for a way to load a missing DLL or EXE from folders accessible to unprivileged users but did not find any.

However, he noticed that the device setup app was launched with SYSTEM rights immediately after downloading it. Another process running with the highest privileges provided a new opportunity for attack.

Amer tried the same method that worked for the Razer zero-day vulnerability, but it did not work because the installation carries on without user interaction.

The researcher caught a lucky break when the License Agreement appeared with a link to SteelSeries’ privacy policy. When clicking on the link, the dialog for choosing a launching app appeared.

Amer tested the scenario in a virtual machine that did not have file associations defined. The only process available for opening the link was Internet Explorer, which spawned as SYSTEM.

From there, it was a simple matter of using IE to save the web page and launch an elevated privileges Command Prompt from the right-click menu of the “Save As” dialog.
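The chain described above leaves a recognizable process lineage: an interactive program running as SYSTEM whose ancestry leads back to an executable in a temporary folder. The following detection sketch is an added example, not code from the researcher or from SteelSeries. It assumes process-creation events carrying Sysmon Event ID 1 field names, and the sample events, the `C:\Windows\Temp` location and the function names are constructed for illustration.

```python
import ntpath

# Interactive programs named in the article; extend for your environment.
INTERACTIVE = {"iexplore.exe", "cmd.exe"}
# Assumption: path fragments that mark a temporary directory (lower case).
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
SYSTEM = r"NT AUTHORITY\SYSTEM"


def temp_ancestor(event, by_guid):
    """Walk ParentProcessGuid links; return the first ancestor image run from a temp dir."""
    seen = set()
    guid = event.get("ParentProcessGuid")
    while guid in by_guid and guid not in seen:  # 'seen' guards against GUID loops
        seen.add(guid)
        parent = by_guid[guid]
        if any(m in parent["Image"].lower() for m in TEMP_MARKERS):
            return parent["Image"]
        guid = parent.get("ParentProcessGuid")
    return None


def find_suspicious(events):
    """Flag SYSTEM-owned interactive programs descended from a temp-folder executable."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["Image"]).lower()
        if name in INTERACTIVE and e["User"].upper() == SYSTEM:
            origin = temp_ancestor(e, by_guid)
            if origin:
                hits.append((e["ProcessGuid"], name, origin))
    return hits


# Constructed Sysmon-style events (not real telemetry); the Temp path is an assumption.
SETUP = r"C:\Windows\Temp\SteelSeriesGG6.2.0Setup.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [
    {"ProcessGuid": "A", "ParentProcessGuid": "0", "Image": SETUP, "User": SYSTEM},
    {"ProcessGuid": "B", "ParentProcessGuid": "A", "Image": IE, "User": SYSTEM},
    {"ProcessGuid": "C", "ParentProcessGuid": "B", "Image": CMD, "User": SYSTEM},
    {"ProcessGuid": "D", "ParentProcessGuid": "0", "Image": CMD, "User": r"DESKTOP\alice"},
    {"ProcessGuid": "E", "ParentProcessGuid": "0", "Image": CMD, "User": SYSTEM},
]

if __name__ == "__main__":
    for guid, name, origin in find_suspicious(SAMPLE):
        print(f"ALERT {guid}: {name} as SYSTEM, descended from {origin}")
```

Walking the full ancestry rather than only the direct parent matters here because the Command Prompt is started from the browser, not from the installer itself.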

Amer told BleepingComputer that he tried informing SteelSeries about the vulnerability but could not find a public bug bounty program or a contact for product security.

BleepingComputer reached out to SteelSeries about this but did not hear back by publishing time.

The researcher says that the vulnerability could still be exploited even after patching it. An attacker could save the vulnerable signed executable dropped in the temporary folder when plugging in a SteelSeries device and serve it in a DNS poisoning attack.
