Win10 Admin Rights Tossed

28th August 2021, Kathmandu

Then again, you don’t even need the genuine device, in this case a SteelSeries peripheral, since emulation works just fine to launch with full SYSTEM rights.

It’s not just Razer’s mice and keyboards that gobble up Windows 10’s top-level, admin-grade SYSTEM privileges: a SteelSeries bug also hands out Windows 10 admin rights if you just plug in a device.

Then again, you can save yourself some cash by simply tricking an Android phone into playing the part of a genuine device with a local privilege escalation (LPE) testing script.

At least, it did work, until SteelSeries, a Danish manufacturer of gaming peripherals and accessories such as headsets, keyboards, mice, controllers and mousepads, patched the bug. The bug could be leveraged during the device setup process by using a link in the License Agreement screen that opened with SYSTEM privileges.

0xsp research team lead Lawrence Amer published the bug on Monday, and BleepingComputer reported on it on Tuesday. SteelSeries later responded, telling the outlet that the company was aware of the issue and that it had removed the risk of exploitation by preventing the installation software from launching when a SteelSeries device is plugged in.

The statement sent to BleepingComputer: “We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon.”

Amer, the researcher who discovered the bug, questions the company’s assertion that its patch will fix the problem, which is that you can get full admin privileges on Windows 10 just by plugging in (or by mimicking the plugging in of) a SteelSeries device.

Amer told BleepingComputer that SteelSeries’ patch wouldn’t work and that the vulnerability could still be exploited even after patching, given that an attacker could “save the vulnerable signed executable dropped in the temporary folder when plugging in a SteelSeries device and serve it in a DNS poisoning attack,” as the publication reported.

DNS poisoning, aka DNS spoofing or DNS cache poisoning, involves introducing corrupt Domain Name System data into the DNS resolver’s cache, causing the name server to return an incorrect result record, such as a wrong IP address.

Security is a dynamic, ever-changing thing, as ongoing research on this bug makes clear. Early on Wednesday, Amer told BleepingComputer that yes, SteelSeries’ patch would work. Then, when Threatpost reached out to Amer late Thursday morning East Coast time to confirm his findings, the researcher told us he’s still trying to work out whether it will or won’t work.

“I am still trying to reproduce the DNS poisoning in order to serve the same executable. I am not sure of the main reason that prevented me from doing that, but I think it is because SteelSeries has revoked the whole installation; as I mentioned, their fix is temporary until they push an update to fix the installer package,” Amer told Threatpost in a Twitter conversation. “From there I think we can do signed Exe poisoning. Doing hijacking for software updates is something possible, but for now I can’t fully confirm, as they have removed the complete installer.”

Revolt of the USB Devices

This pair of Windows 10 takeovers via USB plug-in devices, Razer’s and SteelSeries’, was kicked off over the weekend. News emerged that a zero-day bug in the device installer software for Razer peripherals, be they a Razer mouse, keyboard or any device that uses the company’s Synapse utility, gives the plugger-inner full admin rights on Windows 10, just by inserting a compatible peripheral and downloading Synapse. Razer’s Synapse software lets users configure hardware devices, set up macros or map buttons.

Researchers’ interest was understandably piqued by the question of whether the bug would work with other devices to pull off LPE. Initial research by jonhat, the researcher who found the Razer bug, led to suggestions that the vulnerability wasn’t necessarily confined to just Razer peripherals. One commenter, @Lechatquirit, claimed that the attack also works “with any Asus ROG mouse. It will prompt to install armory [sic] crate and execute it as Sys,” the user tweeted in reply to jonhat. Armoury Crate is a software portal that displays real-time performance and settings information for connected devices and works with ROG, TUF Gaming and ASUS products.

As Amer’s research went on to show, the LPE works with yet more plug-in USB devices, though the exploit takes on a different flavor. As mentioned, Amer found that you can get full admin privileges on Windows 10 just by plugging in (or by mimicking the plugging in of) a SteelSeries device, which triggers its device installation software.

On Monday, Amer plugged in a SteelSeries keyboard and discovered an LPE vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges, similar to how jonhat found that when you plug in a Razer device (or dongle, if it’s a wireless peripheral), Windows automatically fetches an installer containing driver software and the Razer Synapse utility. The plug-and-play Razer Synapse installation then lets users gain SYSTEM privileges on the Windows device in short order, since, as part of the setup routine, it opens an Explorer window that prompts the user to specify where the driver should be installed.

Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program inherited those same admin privileges. Jonhat found that if a user opts to change the default location of the installation folder, it triggers a “Choose a folder” dialog. At that point, you can right-click in the installation window while pressing the Shift key, which opens a PowerShell terminal with those same elevated privileges.

When Amer plugged in his SteelSeries keyboard, he saw that the installation process began by downloading the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) to the Windows temporary folder.

But as BleepingComputer pointed out, you don’t need a genuine SteelSeries device to pull this off, given that penetration testing researcher Istvan Toth “published an open-source script that can mimic human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.”

That tool, a USB gadget-creator app for Android, can emulate either Razer or SteelSeries devices.

Amer published his research on Monday. As you can see in the video below, the method that worked with the Razer zero-day flaw didn’t work with SteelSeries, given that its installation doesn’t require user interaction. What did work to hijack privileges with SteelSeries: a link to the company’s privacy policy that appeared along with the license agreement. Amer clicked the link and found that the dialog for choosing a launching app appeared.

The researcher used Internet Explorer to open the link, the only available way to open it on his virtual machine. IE spawned the app with SYSTEM privileges, after which Amer used IE to save the web page. He then launched an elevated Command Prompt by right-clicking and choosing the “Save As” dialog.
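Both chains described above (Razer: installer, then a folder-chooser dialog, then PowerShell; SteelSeries: installer, then Internet Explorer, then Command Prompt) share one shape a defender can alert on: an interactive shell running as NT AUTHORITY\SYSTEM whose parent is a setup program or a browser rather than a Windows service. The Python below is an added example, not code from the article or from Razer, SteelSeries or the researchers it quotes; it runs a rule of that shape over constructed Sysmon-style process-creation records and prints the parent chain for each hit. The pipe-delimited event layout, field names and sample paths are assumptions made for the demo.

```python
"""Flag interactive shells that run as SYSTEM but descend from a device
installer or a browser instead of from a Windows service (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon-style process-creation (EventID 1) records for the demo.
# The field layout is an assumption; real Sysmon output is XML inside EVTX.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM|SessionId=0",
    r"EventID=1|Image=C:\Windows\Temp\RazerInstaller.exe|ParentImage=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM|SessionId=1",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\Temp\RazerInstaller.exe|User=NT AUTHORITY\SYSTEM|SessionId=1",
    r"EventID=1|Image=C:\Windows\Temp\SteelSeriesGG6.2.0Setup.exe|ParentImage=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM|SessionId=1",
    r"EventID=1|Image=C:\Program Files\Internet Explorer\iexplore.exe|ParentImage=C:\Windows\Temp\SteelSeriesGG6.2.0Setup.exe|User=NT AUTHORITY\SYSTEM|SessionId=1",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|User=NT AUTHORITY\SYSTEM|SessionId=1",
    # Benign controls: a user's own shell, and a service-spawned SYSTEM shell in session 0.
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|User=DESKTOP\alice|SessionId=1",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM|SessionId=0",
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = r"nt authority\system"
# Parents that legitimately start SYSTEM processes; any other parent of a
# SYSTEM shell on an interactive desktop is worth a look.
SERVICE_PARENTS = {"services.exe", "svchost.exe", "wininit.exe"}


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    user: str
    session_id: int


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare file names only."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Split one 'Key=Value|Key=Value' record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"],
                     fields["User"], int(fields["SessionId"]))


def is_suspicious_system_shell(ev: ProcEvent) -> bool:
    """A shell, running as SYSTEM, on an interactive desktop (session != 0),
    whose parent is not a service host: the shape of both installer chains."""
    return (basename(ev.image) in SHELLS
            and ev.user.lower() == SYSTEM_USER
            and ev.session_id != 0
            and basename(ev.parent_image) not in SERVICE_PARENTS)


def lineage(ev: ProcEvent, events: List[ProcEvent]) -> List[str]:
    """Walk ParentImage links back through the event list (matched by image
    name) to show the chain an analyst would pivot on. Stops at the first
    parent with no record of its own, and guards against cycles."""
    by_image: Dict[str, ProcEvent] = {basename(e.image): e for e in events}
    chain = [basename(ev.image)]
    seen = set(chain)
    cur = ev
    while True:
        parent = basename(cur.parent_image)
        chain.append(parent)
        if parent in seen or parent not in by_image:
            return chain
        seen.add(parent)
        cur = by_image[parent]


def find_system_shells(lines: List[str]) -> List[List[str]]:
    """Return the parent chain of every event that matches the rule."""
    events = [parse_event(line) for line in lines]
    return [lineage(ev, events) for ev in events if is_suspicious_system_shell(ev)]


if __name__ == "__main__":
    for chain in find_system_shells(SAMPLE_EVENTS):
        print("SYSTEM shell from non-service parent: " + " <- ".join(chain))
```

Run as-is, it reports two chains, the PowerShell one under RazerInstaller.exe and the cmd.exe one under iexplore.exe, and stays quiet on the two benign controls. The session check matters: SYSTEM shells in session 0 are routine for services and scheduled tasks, so the rule keys on SYSTEM plus an interactive session plus a non-service parent rather than on SYSTEM alone.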

Amer told BleepingComputer that he tried to disclose the bug to SteelSeries but said that he couldn’t find a public bug bounty program or a contact for product security, again similar to what happened when jonhat initially didn’t hear back from Razer and went ahead and published his proof-of-concept video.
