The official app for installing SteelSeries devices on Windows 10 can be exploited to gain administrator rights, a security researcher has found.
Exploiting the bug is possible through the device setup process, using a link in the License Agreement screen that is opened with SYSTEM privileges. A real SteelSeries device is not necessary to exploit the bug.
Emulating a device also works
The discovery comes after news broke over the weekend that the Razer Synapse software can be used to gain elevated privileges when connecting a Razer mouse or keyboard.
Inspired by the research from jonhat, offensive security researcher Lawrence Amer (research team leader at 0xsp) found that the same can be achieved with the SteelSeries device installation software.
Playing with a recently acquired SteelSeries keyboard on Monday, the researcher discovered a privilege escalation vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges.
The SteelSeries software is not just for keyboards (Apex 7/Pro), though. It also installs and allows configuring mice (Rival 650/600/710) and headsets (Arctis 9, Pro) from the maker; it even lets users control the RGB lighting on the QCK Prism gaming mousepad.
Amer started by plugging in his keyboard and monitoring the installation process, which began with downloading the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) to the Windows temporary folder.
A real SteelSeries device is not necessary for this attack to work. Penetration testing researcher István Tóth published an open-source script that can mimic human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.
Although an experimental version, the script can successfully emulate both Razer and SteelSeries devices.
After Amer published his research, Tóth published a video demonstrating that the LPE found by Amer can be achieved using his USB Gadget Generator Tool.
Finding the right context
In searching for a weak spot, Amer poked around looking for a way to load a missing DLL or EXE from folders accessible to unprivileged users but did not find any.
However, he noticed that the device setup app was launched with SYSTEM rights immediately after downloading it. Another process running with the highest privileges offered a new opportunity for attack.
Amer tried the same method that worked for the Razer zero-day vulnerability, but it did not work because the installation carries on without user interaction.
The researcher caught a lucky break when the License Agreement appeared with a link to SteelSeries’ privacy policy. When clicking on the link, the dialog for choosing a launching app appeared.
Amer tested the scenario in a virtual machine that did not have file associations defined. The only process available for opening the link was Internet Explorer, which spawned as SYSTEM.
From there, it was a simple matter of using IE to save the web page and launch an elevated-privileges Command Prompt from the right-click menu of the “Save As” dialog.
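The process chain described above (installer running as SYSTEM from the temporary folder, which spawns Internet Explorer, which in turn spawns a Command Prompt) is what a defender would look for in process-creation telemetry. The following detection logic is an added example, not code from the article or from SteelSeries; it runs over constructed sample records in a simplified key=value format, and the field names, the `NT AUTHORITY\SYSTEM` account string and the installer file name are assumptions taken from the write-up rather than from a real log export.

```python
import ntpath

# Constructed sample process-creation records (Sysmon Event ID 1 style, simplified
# to 'Key=Value|Key=Value'). These are illustrative, not captured from a real host.
SAMPLE_EVENTS = """\
User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\Temp\\SteelSeriesGG6.2.0Setup.exe|ParentImage=C:\\Windows\\System32\\svchost.exe
User=NT AUTHORITY\\SYSTEM|Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|ParentImage=C:\\Windows\\Temp\\SteelSeriesGG6.2.0Setup.exe
User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe
User=DESKTOP\\alice|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe
User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\services.exe
"""

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"   # assumed account string for the SYSTEM context
BROWSER = "iexplore.exe"               # the handler that opened the licence link in the write-up
SHELL = "cmd.exe"                      # the elevated Command Prompt launched from the Save As dialog


def parse_event(line):
    """Turn one 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_temp_path(path):
    """True when the executable lives under a Windows temporary folder."""
    return "\\temp\\" in path.lower()


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_suspicious_chains(lines):
    """Return (record_no, reason) for each record that matches a link of the chain
    SYSTEM installer in Temp -> browser -> shell. Records for other users are ignored."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        if ev.get("User") != SYSTEM_USER:
            continue
        image, parent = image_name(ev["Image"]), ev["ParentImage"]
        if image == BROWSER and is_temp_path(parent):
            findings.append((n, f"SYSTEM browser spawned by Temp installer {ntpath.basename(parent)}"))
        elif image == SHELL and image_name(parent) == BROWSER:
            findings.append((n, "SYSTEM shell spawned by browser"))
    return findings


if __name__ == "__main__":
    for record_no, reason in find_suspicious_chains(SAMPLE_EVENTS.splitlines()):
        print(f"record {record_no}: {reason}")
```

The fifth sample record (a SYSTEM cmd.exe started by services.exe) is deliberately left unflagged, because on its own a SYSTEM shell is routine; the signal is the parent chain leading back to an installer in Temp.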
Amer told BleepingComputer that he tried informing SteelSeries about the vulnerability but could not find a public bug bounty program or a contact for product security.
BleepingComputer reached out to SteelSeries about this but did not hear back by publishing time.
The researcher says that the vulnerability could still be exploited even after patching it. An attacker could save the vulnerable signed executable dropped in the temporary folder when plugging in a SteelSeries device and serve it in a DNS poisoning attack.