SteelSeries software enables admin rights (LPE) on Windows

Windows[German]After the Razer case, the next clunker has now come to light. After it became known that standard users can become administrators with Razer mice via the driver installation, a security researcher took a closer look at the SteelSeries device software. SteelSeries' software also allows any standard user to gain administrative privileges under Windows with just a few mouse clicks. Here some information about this new security case.


What or who is SteelSeries?

SteelSeries  is a Danish manufacturer of gaming peripherals and accessories, including headsets, keyboards, mice, controllers and mouse pads. The company was founded in 2001 by Jacob Wolff-Petersen, as you can read on Wikipedia.

Local privilege escalation with driver software

It was a matter of time before the next case became public after a local privilege escalation (LPE) was documented by connecting a Razer mouse via driver installation (I had reported about LPE vulnerability in the blog post Windows 10: Administrator privileges obtained via Razer mouse via LPE vulnerability).

After the Razer issue became public, security researcher Lawrence Amer tried to run a test with another "SteelSeries" gaming keyboard he had recently purchased. After a few attempts, he came across another vulnerability that allows local privilege escalation under Windows. Attempts to contact the manufacturer via its support site were unsuccessful. Lawrence Amer documented the whole thing in this blog post on 0xsp. In a subsequent tweet, Lawrence Amer from 0xsp then publicly pointed out that he had also succeeded in local privilege escalation (LPE) on Windows for the SteelSeries devices.

SteelSeries LPE vulnerability

The attack vector is SteelSeries software, which, according to Bleeping Computer, can be used not only to configure keyboards (Apex 7/Pro), but also mice (Rival 650/600/710) and headsets (Arctis 9, Pro). After connecting a keyboard to a Windows system, the security researcher observed the rest of the installation process. 


The LPE vulnerability

During the installation, which was triggered by connecting the keyboard, the software first downloads another setup file named SteelSeriesGG6.2.0Setup.exe to the C:\windows\temp folder on Windows. However, unlike the Razer case, no folder is offered to save the driver download. So this path to local privilege escalation fails.

It was also unsuccessful in the Procmon scan for a DLL hijacking vulnerability. The application does not appear to load a missing DLL/EXE from user folders that normal users have access to. But the security researcher found another vulnerability while monitoring the setup process for the software. because after the download, another setup process starts from C:\windows\Temp\ running with SYSTEM privileges.

The security researcher then tried to launch an administrative prompt through this process. Since no user dialog was shown at all, at first it looked like the approach was impossible. But during setup, a dialog box was displayed to accept a user agreement (see the following screenshot), which requires the user to agree to continue.

SteelSeries License Agreement
Source: Lawrence Amer, 0xsp

When Amer clicked on the Learn More link in the License Agreement dialog box, Windows presented him with the dialog box to select an application to open that link (in his frest VM install links did not have an application assigned to it yet). This dialog box (see the following screenshot) is probably something most Windows users have encountered. But overall it doesn't matter, because links are associated in Windows commonly to a browser.

App association for a link
Source: Lawrence Amer, 0xsp

The security researcher then selected Internet Explorer to open the web page for this link. But then what shook me up badly: I've always imagined that Internet Explorer or a browser runs under a lower level of commitment (IL). But I guess that only applies to downloads. The screenshot of the process list published by Amer shows that Internet Explorer is running as a process with SYSTEM permissions.

Process list
Source: Lawrence Amer, 0xsp

From this point the security researcher selected the command to save the displayed web page via the context menu, so that the dialog box for selecting the save destination was displayed. There, as the default user, he could then use the Shift key in the context menu to open an administrative prompt – and he already had administrator privileges.

I have tested briefly under Windows 10 21H1. In Internet Explorer 11, I can select the command Open PowerShell window here in the context menu while holding down the Shift key. This also works in Microsoft Edge, or with browsers like Google Chrome. And if the browser in question is running with system privileges, the PowerShell window will also be given appropriate administrative permissions. However, Lawrence Amer shows a screenshot with the Command Prompt window in his article, so he seems to have used an older Windows 10.

The colleagues from Bleeping Computer point out in this article that not even a SteelSeries device is required for testing. Penetration tester István Tóth has published an open-source script that can mimic HID (Human Interface Devices) devices on an Android smartphone. It's similar to this GitHub project I linked to in the comments in the German article Windows 10: Administrator-Privilegien per Razer-Maus über LPE-Schwachstelle erhalten.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *