It’s not just Razer’s mice & keyboards that eat up Windows 10’s tip-top, admin-level SYSTEM privileges: A Steel Series bug also tosses off Windows 10 admin rights if you just plug in a device.
Then again, you don’t even need the actual device – in this case, a Steel Series peripheral – since emulating one also launches the installer with full SYSTEM rights.
Android Phone
… Or, then again, you can save money by simply using an Android phone that runs a local privilege-escalation (LPE) testing script to mimic a real human interface device.
… Or, at least, it did work, until Steel Series – a Danish manufacturer of gaming peripherals & accessories such as headsets, keyboards, mice, controllers & mousepads – patched the bug. The bug could be exploited during the device setup process, via a link on the License Agreement screen that opened with SYSTEM privileges.
Aware of the Issue
0xsp research team leader Lawrence Amer published the bug on Mon, & Bleeping Computer reported about it on Tues. Steel Series later responded, telling the outlet that the company was aware of the issue & that it had removed the risk of exploitation by preventing the installation software from launching on plugging in a Steel Series device.
The statement it sent to Bleeping Computer:
“We are aware of the issue identified and have proactively disabled the launch of the Steel Series installer that is triggered when a new Steel Series device is plugged in. This immediately removes the opportunity for an exploit & we are working on a software update that will address the issue permanently & be released soon.”
Fix the Problem
Amer, the researcher who discovered the bug, questions the company’s assertion that its patch will fix the problem, which is that you can get full admin privileges on Windows 10 just by plugging in (or by mimicking plugin of) a Steel Series device.
Amer told Bleeping Computer that Steel Series’ patch wouldn’t work & that the vulnerability could still be exploited even after patching, given that an attacker could “save the vulnerable signed executable dropped in the temporary folder when plugging in a Steel Series device & serve it in a DNS poisoning attack,” as the publication reported.
DNS Poisoning
DNS poisoning, aka DNS spoofing or DNS cache poisoning, entails introducing corrupt Domain Name System data into the DNS resolver’s cache, causing the name server to return an incorrect result record, such as an IP address.
Security is a dynamic, ever-changing process, as ongoing research on this bug makes clear. On Wed., Amer told Bleeping Computer that, yes, SteelSeries’ patch would work. Then, late Thurs., Amer said he’s still trying to work out whether it will or won’t.
Hijacking for Software Updates
“I am still trying to reproduce the dns poisoning in order to serve the same executable, I am not sure the main reason stopped me from doing that, but I think it is due to steel series has revoked the whole installation, as I mentioned their fix is temporary until they pushed an update to fix installer package,”
Amer explained by Twitter conversation. “From there I think we can do signed exe poisoning. … Doing hijacking for software updates is something possible but for now I can’t fully confirm as they have removed … the complete installer.”
Steel Series hadn’t responded to requests for comment at this time.
USB Gadgets
This pair of Windows 10 takeovers via USB plug-in gadgets – Razer’s & SteelSeries’ – was kicked off over the weekend.
News emerged that a zero-day bug in the device installer software for Razer peripherals – be they a Razer mouse, keyboard or any device that uses the company’s Synapse utility – gives the plugger-inner full admin rights on Windows 10, just by inserting a compatible peripheral & downloading Synapse. Razer’s Synapse software enables users to configure hardware devices, set up macros or map buttons.
Researchers’ interest was raised by the question of whether the bug would work with other devices to pull off LPE. Initial research by jonhat, the researcher who found the Razer bug, led to suggestions that the vulnerability wasn’t necessarily confined to just Razer peripherals.
Software Portal
One commenter, @Lechatquirit, claimed that the attack also works “with any asus ROG mouse. It will prompt to install armory crate & execute it as Sys,” the user tweeted in response to jonhat. Armoury Crate is a software portal that displays real-time performance & settings information for connected devices & which works with ROG, TUF Gaming & ASUS products.
As Amer’s research went on to show, the LPE will work with yet more plug-in USB devices, though the exploit takes on a different ‘flavour’. As mentioned, Amer found that you can get full admin privileges on Windows 10 just by plugging in (or by mimicking plugin) a Steel Series device, which triggers its device installation software.
LPE Vulnerability
On Mon., Amer plugged in a Steel Series keyboard & discovered an LPE vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges, similar to how jonhat found that when you plug in a Razer device (or its dongle, if it’s a wireless peripheral), Windows automatically fetches an installer containing driver software & the Razer Synapse utility.
The plug-&-play Razer Synapse installation then allows users to gain SYSTEM privileges on the Windows device lickety-split, since, as part of the setup routine, it opens an Explorer window that prompts the user to specify where the driver should be installed.
SYSTEM Privileges
Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program inherited those same Admin privileges. jonhat found that if a user opts to change the default location of the installation folder, it triggers a “Choose a folder” dialog.
At that point, you can hold the Shift key & right-click in the installation window, which opens a PowerShell terminal with those same elevated privileges.
When Amer plugged in his SteelSeries keyboard, he saw that the installation process started with downloading the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) to the Windows temporary folder.
Mimic Human Interface
As Bleeping Computer pointed out, you don’t need an actual Steel Series device to do this, given that penetration testing researcher István Tóth “published an open-source script that can mimic human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.”
That gadget, dubbed the USB Gadget Generator tool, can emulate either Razer or Steel Series devices.
Amer published his research on Mon. The method that worked with the Razer zero-day flaw didn’t work with Steel Series, given that its installation doesn’t require user interaction. What did work to hijack privileges with Steel Series: a link to the company’s privacy policy that appeared along with the license agreement. Amer clicked the link & found that the dialog for choosing a launching app appeared.
Internet Explorer
The researcher used Internet Explorer to open the link – the only available way to open it on his virtual machine. IE opened with SYSTEM privileges, after which Amer used IE to save the web page. He then launched an elevated-privileges Command Prompt by right-clicking from within the “Save As” dialog.
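From the defender’s side, the two chains described above share one telemetry signature: a shell running as SYSTEM whose process lineage leads back to a peripheral installer, whether directly (RazerInstaller.exe → PowerShell) or through an intermediary (SteelSeries setup → IE → Command Prompt). The following detection logic is an added example, not code from the article or from either vendor; the Sysmon-style event lines, the pids and the installer-name patterns are constructed assumptions for the example.

```python
import re

# Sysmon-style process-creation events, constructed for this example (not real telemetry).
# Field names follow Sysmon Event ID 1; values are quoted so paths with spaces parse.
SAMPLE_EVENTS = [
    r'ProcessId="101" ParentProcessId="100" User="NT AUTHORITY\SYSTEM" ParentImage="C:\Windows\Temp\RazerInstaller.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'ProcessId="201" ParentProcessId="200" User="NT AUTHORITY\SYSTEM" ParentImage="C:\Windows\Temp\SteelSeriesGG6.2.0Setup.exe" Image="C:\Program Files\Internet Explorer\iexplore.exe"',
    r'ProcessId="202" ParentProcessId="201" User="NT AUTHORITY\SYSTEM" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" Image="C:\Windows\System32\cmd.exe"',
    r'ProcessId="301" ParentProcessId="300" User="LAB\alice" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe"',
    r'ProcessId="401" ParentProcessId="400" User="NT AUTHORITY\SYSTEM" ParentImage="C:\Windows\System32\services.exe" Image="C:\Windows\System32\svchost.exe"',
]

# Installer names taken from the article; a real deployment would maintain this list (assumption).
INSTALLER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"^RazerInstaller\.exe$", r"^SteelSeriesGG.*Setup\.exe$")]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one key="value" event line into a dict with integer pids."""
    ev = dict(FIELD_RE.findall(line))
    ev["ProcessId"] = int(ev["ProcessId"])
    ev["ParentProcessId"] = int(ev["ParentProcessId"])
    return ev

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_installer_shell_escape(lines):
    """Return (installer, shell, pid) for every SYSTEM shell descended from a peripheral installer.
    Lineage is followed through intermediaries, so the SteelSeries chain (installer -> iexplore -> cmd)
    still fires on the shell even though the installer is not its direct parent."""
    tainted = {}   # pid -> installer basename that started the SYSTEM lineage
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if ev["ParentProcessId"] in tainted:
            root = tainted[ev["ParentProcessId"]]
        elif any(p.search(parent) for p in INSTALLER_PATTERNS):
            root = parent
        else:
            continue                      # not part of an installer lineage
        if ev["User"] != SYSTEM_USER:
            continue                      # child is not SYSTEM: not the privilege inheritance described
        tainted[ev["ProcessId"]] = root
        if child in SHELLS:
            alerts.append((root, child, ev["ProcessId"]))
    return alerts
```

Run against the constructed events, the benign explorer.exe → cmd.exe and services.exe → svchost.exe lines stay silent while both installer chains produce an alert.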
Amer told Bleeping Computer that he tried to disclose the bug to Steel Series but stated that he couldn’t find a public bug bounty program or a contact for product security. … again, similar to what happened when jonhat initially didn’t hear back from Razer & went ahead & published his proof-of-concept video.