SteelSeries App Exploit Needs Physical Access, Doesn't Need A Device (Update)
It seems that the rather simplistic Razer zero-day vulnerability has opened a can of worms that may force accessory makers to rethink and reprogram their accompanying software. As one security researcher predicted, the vulnerability can be found in other peripherals that also install their own helper apps, including those from popular brand SteelSeries. While the same physical access to the Windows computer is still required, SteelSeries' vulnerability is potentially worse since it doesn't even require a SteelSeries device to trigger it.

At the heart of the vulnerability is the way accessory makers like Razer and SteelSeries install utility software after a mouse, keyboard, or some other peripheral is plugged in. The software installer itself runs with system privileges, but it also offers detours that would eventually allow an attacker to open a Command Prompt or PowerShell instance with the same system access. That, in turn, would allow the attacker to do almost anything with the computer, including installing malware.
Lawrence Amer of 0xsp discovered that the SteelSeries software installer was subject to the same vulnerability. The process is slightly different and longer because an attacker would have to first view the license agreement in a browser, try to save the web page, and then launch PowerShell from the file dialog that appears. Another security researcher, however, discovered that it is possible to fake a SteelSeries product, so you don't even need to plug in anything.
it is not only about @Razer.. it is possible for all.. just another priv_escalation with @SteelSeries https://t.co/S2sIa1Lvjv pic.twitter.com/E3NPQnxqo2
- (@zux0x3a) August 23, 2021
An Android script can actually be used to mimic a new SteelSeries device that will trigger the entire process. While the script can also be used to disguise the phone as a Razer peripheral, Bleeping Computer said that the process didn't trigger Razer's vulnerability since it didn't require user interaction at all.
PoC video for the @SteelSeries LPE (similar to @Razer) using my Android phone (pretending to be a @SteelSeries USB keyboard. :))
Using my improved USBgadget generator tool: https://t.co/Ss74xdySBg
@SteelSeries LPE was found by https://t.co/QdSzZMhNER. More should follow... :) pic.twitter.com/pKLKRWD8vI
- an0n (@an0n_r0) August 24, 2021
Again, physical access to a Windows computer without a desktop lock is necessary for this vulnerability to be exploited, so it isn't exactly a horrifying scenario similar to the recent PrintNightmare bug. That said, it does reveal the presumptions that developers have made in writing app installers, and, hopefully, they're already preparing a fix for these before someone comes up with a way to remotely exploit it.
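For defenders, the installer-to-browser-to-shell chain described above leaves a distinctive process ancestry. The following is an added detection sketch, not code from the researchers or SteelSeries: it flags a Command Prompt or PowerShell running as SYSTEM that descends from a browser also running as SYSTEM. The records are constructed and use Sysmon Event ID 1 field names; `vendor_setup.exe`, the browser image and the GUID values are placeholders.

```python
import ntpath

# Constructed process-creation records (Sysmon Event ID 1 field names).
# "vendor_setup.exe" and the browser are placeholders; the page names neither.
SYSTEM = "NT AUTHORITY\\SYSTEM"
EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "A0", "User": SYSTEM,
     "Image": r"C:\Windows\Temp\vendor_setup.exe"},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1", "User": SYSTEM,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ProcessGuid": "A3", "ParentProcessGuid": "A2", "User": SYSTEM,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: an ordinary user opens PowerShell.
    {"ProcessGuid": "B2", "ParentProcessGuid": "B1", "User": "DESKTOP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: a SYSTEM shell with no browser in its recorded ancestry.
    {"ProcessGuid": "C2", "ParentProcessGuid": "C0", "User": SYSTEM,
     "Image": r"C:\Windows\System32\cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def name(event):
    return ntpath.basename(event["Image"]).lower()

def ancestors(event, by_guid):
    """Yield recorded ancestors of an event, nearest first, guarding against loops."""
    seen = {event["ProcessGuid"]}
    parent = by_guid.get(event["ParentProcessGuid"])
    while parent and parent["ProcessGuid"] not in seen:
        seen.add(parent["ProcessGuid"])
        yield parent
        parent = by_guid.get(parent["ParentProcessGuid"])

def find_system_shells_from_browser(events):
    """Return (shell GUID, process chain) for SYSTEM shells under a SYSTEM browser."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if name(e) not in SHELLS or e["User"] != SYSTEM:
            continue
        chain = list(ancestors(e, by_guid))
        if any(name(a) in BROWSERS and a["User"] == SYSTEM for a in chain):
            hits.append((e["ProcessGuid"], [name(a) for a in reversed(chain)] + [name(e)]))
    return hits

if __name__ == "__main__":
    print(find_system_shells_from_browser(EVENTS))
```

A browser running as SYSTEM in an interactive session is itself unusual, so the same ancestry walk can be reused to alert on the browser before any shell is opened.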
Update: A SteelSeries spokesperson reached out to us to provide updated information on this issue.
"We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon."