Windows 10 users can’t catch a break with security vulnerabilities. Earlier this week, it was discovered that plugging a Razer peripheral into a Windows 10 PC could easily allow a user to get admin rights on that PC. Now, a very similar story has happened with SteelSeries peripherals (via BleepingComputer).
Inspired by the discovery earlier this week, security researcher Lawrence Amer tried to look for a similar vulnerability with SteelSeries peripherals on Windows 10. Upon plugging in a SteelSeries keyboard, Windows tries to install the SteelSeries GG app, which is used for managing certain features in SteelSeries peripherals, like RGB lighting. Similar to Razer, this installer is run by the trusted SYSTEM user, which has administrator permissions.
Unlike Razer’s Synapse software, though, installation of the SteelSeries GG software initially takes place without giving users the chance to choose a folder to save the files, which was the step exploited in the first vulnerability. The first installer extracts more installation files into a set location, and then the extracted installer is run, too.
At one point, the second installer presents the user with a license agreement, as you’d expect. This page includes a link to the full agreement on SteelSeries’ website. If the user hasn’t set a default browser yet, Windows 10 will prompt them to choose an app to open the link in, and if they choose Internet Explorer, the browser launches under the SYSTEM user just like the installer. At this point, all the attacker needs to do is try to save the current webpage, which opens a File Explorer window to choose a location to save the file.
[Embedded tweet: Lawrence 勞倫斯 (@zux0x3a), August 23, 2021]
From there, the process is the same as with the Razer vulnerability. This File Explorer window allows anyone to easily launch a command prompt window with administrator permissions, and users can perform any action they want from there.
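For defenders, the chain described above (installer, then Internet Explorer, then a command prompt, all under SYSTEM) leaves a recognizable process lineage. The following is an added example, not code from the researcher or from SteelSeries: it scans constructed process-creation records for a browser running as SYSTEM and for a shell started beneath one. The field names, the installer name `vendor_setup.exe`, and the assumption that the shell is recorded as a child of the browser process are all illustrative.

```python
import ntpath

SYSTEM = "NT AUTHORITY\\SYSTEM"
BROWSERS = {"iexplore.exe"}              # browser named in the article
SHELLS = {"cmd.exe", "powershell.exe"}   # interactive shells worth flagging

def _name(path):
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()

def find_system_ui_escapes(events):
    """Return (severity, pid, lineage) for SYSTEM browsers and shells under them."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        if e["user"].upper() != SYSTEM or name not in BROWSERS | SHELLS:
            continue
        # Walk up the parent chain; 'seen' guards against PID loops in bad data.
        lineage, seen = [name], {e["pid"]}
        parent = by_pid.get(e["ppid"])
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            lineage.append(_name(parent["image"]))
            parent = by_pid.get(parent["ppid"])
        lineage.reverse()
        if name in BROWSERS:
            # A browser should never run as SYSTEM on a workstation.
            findings.append(("warn", e["pid"], lineage))
        elif any(p in BROWSERS for p in lineage[:-1]):
            # Shell spawned beneath a SYSTEM browser: the escalation itself.
            findings.append(("alert", e["pid"], lineage))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "user": SYSTEM,
     "image": r"C:\Windows\Temp\vendor_setup.exe"},
    {"pid": 200, "ppid": 100, "user": SYSTEM,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 300, "ppid": 200, "user": SYSTEM,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 50, "user": "DESKTOP\\alice",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 500, "ppid": 60, "user": SYSTEM,
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for severity, pid, lineage in find_system_ui_escapes(SAMPLE_EVENTS):
        print(severity, pid, " -> ".join(lineage))
```

The SYSTEM `cmd.exe` with no browser ancestor (pid 500) is deliberately not flagged, since services and scheduled tasks start shells as SYSTEM routinely.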
Not only that, but this vulnerability can’t exactly be patched. The second installer, extracted by the first one, will always run under the SYSTEM user. Even if SteelSeries fixes the issue here, the current dangerous file can be saved and distributed to carry out the attack in the future. Additionally, just like the Razer vulnerability, this doesn’t require a real SteelSeries device, as that information can be spoofed with an Android phone to trick Windows into downloading the SteelSeries software. This was demonstrated by Twitter user an0n, who had also done the same for the Razer vulnerability.
With these vulnerabilities discovered in Windows 10, it seems like this could open the floodgates. Aside from Razer and SteelSeries peripherals, other brands likely have similar software with vulnerabilities like this on Windows 10. Other software can probably be exploited in similar ways to grant local privilege escalation, and we’ll likely hear similar stories come out in the near future.