A security researcher discovered that the official application for installing SteelSeries devices on Windows 10 can be abused to acquire administrator privileges.
The vulnerability can be exploited during the device setup process by clicking a link on the License Agreement page, which is opened with SYSTEM privileges. An authentic SteelSeries device is not required to exploit the problem.
Possible to Emulate a Gadget?
The finding came after last week's disclosure that the Razer Synapse software can be exploited to gain elevated privileges when a Razer mouse or keyboard is plugged in.
Prompted by Jonhat's research, security researcher Lawrence Amer (research team leader at 0xsp) discovered that the same can be accomplished with the SteelSeries device installation software.
Amer found that a link on the License Agreement page is opened with SYSTEM rights during the device setup process, which leads to full admin privileges on a Windows 10 computer. The link opened in Internet Explorer; from there it was simply a matter of using Internet Explorer to save the web page and launching an elevated Command Prompt from the right-click menu of the "Save As" dialog.
From that point one can move around the PC with elevated privileges and do anything an administrator can. This applies to all SteelSeries peripherals, including mice, keyboards, and headsets.
István Tóth, a penetration testing researcher, published an open-source script that can emulate human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.
Although it is an experimental version, the script can effectively emulate both Razer and SteelSeries devices. After Amer published his research, Tóth released a video demonstrating that the LPE Amer discovered can be reproduced with an emulated device.
Amer told BleepingComputer that he attempted to notify SteelSeries about the vulnerability but was unable to find a public bug bounty program or a product security contact.
In response to BleepingComputer's request for comment, a SteelSeries representative stated that the company is aware of the problem and has removed the opportunity for exploitation by disabling the launch of the installer that is triggered when a SteelSeries device is plugged in.
A SteelSeries spokesperson stated, "We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon."
According to the researcher, the vulnerability could still be abused even after it has been patched: an attacker could keep a copy of the vulnerable signed executable that is dropped in the temporary folder when a SteelSeries device is plugged in, and use it in combination with a DNS poisoning attack.