A researcher inspired by the recent privilege elevation finding on the ‘Razer Synapse’ product has decided to take a look at similar software where the same vulnerability could be present. As he has confirmed on Twitter, the SteelSeries app is also affected by a similar issue, and in this case, the attacker wouldn’t even need to use a device from the brand. The researcher has also released a proof of concept video to demonstrate how trivial the exploitation would be, as long as the attacker has physical access to an unlocked Windows 10 system.
The exploitation uses a trick similar to the Razer one, where the attacker right-clicks on the installation location selector during the installation of the app and opens a PowerShell prompt. Because the installer and anything opened through it run as NT AUTHORITY\SYSTEM, the attacker gains admin rights to run any code in that shell. The difference in the SteelSeries case is that the right click has to be done on the License Agreement step, as the app is installed to a fixed location and the installer doesn’t let the user choose an alternative folder.
If the attacker doesn’t have a SteelSeries mouse, keyboard, or even a headset to use, emulating one using a smartphone does the trick just fine. A script that emulates a SteelSeries Apex keyboard device on Android phones is freely available on GitHub, so that aspect is covered for the attacker.
The researcher stated that he attempted to inform SteelSeries of the bug, but he couldn’t find a channel to report vulnerabilities, so he just published his finding on Twitter. After all, following the Razer finding, it is not only white-hat hackers who are on the lookout for bugs of this kind, and there’s no time for back-and-forth communication with automated responses and redirections.
SteelSeries was quick to respond on the social media platform with the following statement:
As such, if you’re using the SteelSeries app, make sure to apply the update as soon as it becomes available. Also, secure your computer from untrustworthy physical access and lock Windows when you’re about to leave your computer unattended in risky places.
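For defenders, the behaviour described above (a shell opened from an installer that runs as NT AUTHORITY\SYSTEM on the user's desktop) can be hunted for in process-creation logs. The following is an added example, not code from the researcher or SteelSeries: it assumes Sysmon Event ID 1 field names, uses constructed sample events with a placeholder installer name, and treats "SYSTEM shell in a non-zero session" as a heuristic.

```python
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"

def ev(pid, ppid, user, session, image):
    # Field names follow Sysmon Event ID 1 (process creation).
    return {"ProcessId": pid, "ParentProcessId": ppid, "User": user,
            "TerminalSessionId": session, "Image": image}

# Constructed sample events; vendor_setup.exe is a placeholder installer name.
SAMPLE_EVENTS = [
    ev(4100, 900, SYSTEM, 1, r"C:\Windows\Temp\vendor_setup.exe"),
    ev(4200, 4100, SYSTEM, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev(4300, 4200, SYSTEM, 1, r"C:\Windows\System32\cmd.exe"),
    ev(5000, 3000, r"DESKTOP\alice", 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev(5100, 700, SYSTEM, 0, r"C:\Windows\System32\cmd.exe"),
]

def ancestry(event, by_pid):
    """Image names from the oldest logged ancestor down to this process."""
    chain, seen = [], set()
    while event and event["ProcessId"] not in seen:  # guard against PID loops
        seen.add(event["ProcessId"])
        chain.append(basename(event["Image"]).lower())
        event = by_pid.get(event["ParentProcessId"])
    return chain[::-1]

def find_system_shells(events):
    """Flag shells created as SYSTEM inside an interactive (non-zero) session."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        is_shell = basename(e["Image"]).lower() in SHELLS
        is_system = e["User"].upper() == SYSTEM
        # Session 0 hosts services; a SYSTEM shell there has no user desktop.
        if is_shell and is_system and int(e["TerminalSessionId"]) != 0:
            alerts.append({"pid": e["ProcessId"], "chain": ancestry(e, by_pid)})
    return alerts

if __name__ == "__main__":
    for alert in find_system_shells(SAMPLE_EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]))
```

The parent chain in each alert shows which installer the shell was opened from, which helps separate this pattern from management tooling that legitimately runs scripts as SYSTEM.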