SteelSeries Software Flaw Gives Windows 10 Admin Rights

 

A security researcher discovered that the official application for installing SteelSeries devices on Windows 10 can be abused to acquire administrator privileges. 

The vulnerability can be exploited during the device setup process by clicking a link in the License Agreement page, which is loaded with SYSTEM privileges. A genuine SteelSeries device is not required to exploit the problem. 

Possible to Emulate a Gadget?

The finding followed last week's news that the Razer Synapse software can be exploited to gain elevated permissions when a Razer mouse or keyboard is plugged in. 

Prompted by Jonhat's research, security researcher Lawrence Amer (research team leader at 0xsp) discovered that the same can be accomplished with the SteelSeries device installation software. 

Amer discovered a link in the License Agreement page that is opened with SYSTEM rights during the device setup process, allowing complete admin privileges on a Windows 10 computer. He opened the URL in Internet Explorer; it was then just a matter of using Internet Explorer to save the web page and launching an elevated Command Prompt from the right-click menu of the “Save As” box. 

One can then move around the PC with elevated privileges and do whatever an admin can do. This applies to all SteelSeries peripherals, including mice, keyboards, and headsets. 

István Tóth, a penetration testing researcher, published an open-source script that can emulate human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios. 

Despite being an experimental version, the script can effectively emulate both Razer and SteelSeries devices. After Amer published his research, Tóth released a video demonstrating that the LPE Amer discovered can be achieved. 

Amer told BleepingComputer that he attempted to notify SteelSeries about the vulnerability but was unable to locate a public bug bounty program or a contact for product security. 

In response to BleepingComputer's request for comment, a SteelSeries representative stated that the firm was aware of the problem and had eliminated the danger of exploitation by preventing the installation software from starting whenever a SteelSeries device is plugged in.

The SteelSeries spokesperson stated, "We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon." 

According to the researcher, the vulnerability may still be abused even after it has been patched. An attacker could save the vulnerable signed executable that is dropped in the temporary folder when a SteelSeries device is plugged in and use it in a DNS poisoning attack.

Razer Device Plug-In grants Admin Rights on Windows 10 OS

 

A zero-day vulnerability in the installation software for Razer external devices, be it a Razer mouse, a keyboard, or any other equipment using the Synapse program, gives a user complete admin privileges on Windows 10 simply by plugging in and installing a relevant peripheral. 

Razer is a prominent developer of gaming mice and keyboards and is known for providing the best computer accessories. Razer Inc. is a multinational corporation in Singapore that creates, manufactures, and sells consumer electronics, financial services, and games consoles. 

As for Windows 11, there is no proof yet whether plugging in Razer peripherals grants the same privileges to the user. Nothing about the vulnerability suggests that it would not work there, but since testing on Windows 11 has not been done yet, no conclusion can be drawn. 

In this case, the OS immediately downloads and starts installing the Razer Synapse software whenever a user plugs a Razer device into a Windows 10 computer. Razer Synapse is software that enables users to configure their hardware devices, set up macros, or map buttons. 

Security researcher Jonhat (@j0nh4t) disclosed the flaw on Twitter on Saturday 21st August, after initially not receiving any response from Razer. The tweet had drawn Razer's attention by Sunday 22nd August, and the maker has told Jonhat that its cybersecurity team is working on a patch to fix the issue at the earliest. Perhaps they gave Jonhat a bug bounty reward as well.  

According to the researcher, and as BleepingComputer confirmed in its own testing, Windows automatically fetches an installer containing the driver software and the Synapse utility when a user plugs in a Razer device (or the dongle, if it is a wireless device). This plug-and-play launch of the Razer Synapse installer lets users quickly obtain SYSTEM permissions on the Windows device because it displays an Explorer window as part of the setup process, in which users specify where to set up the driver. 

SYSTEM is the highest privilege level in Windows: the SYSTEM account gives someone full control over the system, allowing them to view, alter, or delete data, to create new accounts with full user privileges, and to install anything, malware included. 

In other words, the Synapse installer runs on Windows 10 with the maximum privileges. Because the RazerInstaller.exe executable was launched by a Windows process running with SYSTEM privileges, the Razer installation program was given the very same rights. 

Jonhat has established that a "Choose a Folder" dialog is displayed if a user decides to change the default installation folder location. One may hold the Shift key and right-click in that window, which launches a PowerShell terminal with the same privileges. 

Similar problems are likely to be found in other products installed through the Windows plug-and-play process, as indicated by Will Dormann, a CERT/CC vulnerability analyst.
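
Both posts end in the same observable state: a command shell running as SYSTEM inside a user's desktop session, descended from a device installer. The detection sketch below is an added example, not code from the researchers or the vendors; it walks parent chains over process-creation events and flags that state. The event fields are modelled on Sysmon Event ID 1, every PID and path is constructed, and `DeviceSetup.exe` is a placeholder for the SteelSeries installer, whose file name the page does not give.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = r"NT AUTHORITY\SYSTEM"

def ev(pid, ppid, image, user, session):
    return {"pid": pid, "ppid": ppid, "image": image, "user": user, "session": session}

# Constructed sample events; session 0 is the non-interactive services session.
EVENTS = [
    ev(700, 4, r"C:\Windows\System32\svchost.exe", SYSTEM, 0),
    ev(1200, 700, r"C:\Windows\Temp\RazerInstaller.exe", SYSTEM, 1),
    ev(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM, 1),
    ev(2000, 700, r"C:\Windows\Temp\DeviceSetup.exe", SYSTEM, 1),   # placeholder name
    ev(2100, 2000, r"C:\Program Files\Internet Explorer\iexplore.exe", SYSTEM, 1),
    ev(2200, 2100, r"C:\Windows\System32\cmd.exe", SYSTEM, 1),
    ev(2900, 600, r"C:\Windows\explorer.exe", r"DESKTOP\alice", 1),
    ev(3000, 2900, r"C:\Windows\System32\cmd.exe", r"DESKTOP\alice", 1),  # normal user shell
    ev(4000, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM, 0),
]

def base(image):
    # ntpath handles backslash paths regardless of the OS running this script.
    return ntpath.basename(image).lower()

def ancestry(pid, by_pid):
    """Return the known ancestors starting at pid, guarding against loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_system_shells(events):
    """Flag shells running as SYSTEM in an interactive session (session != 0)."""
    # Assumes PIDs are unique within the window; real data needs ProcessGuid.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        is_system = e["user"].upper() == SYSTEM.upper()
        if base(e["image"]) in SHELLS and is_system and e["session"] != 0:
            parents = [base(a["image"]) for a in ancestry(e["ppid"], by_pid)]
            alerts.append({"pid": e["pid"], "shell": base(e["image"]), "ancestors": parents})
    return alerts

if __name__ == "__main__":
    for alert in find_system_shells(EVENTS):
        print(alert["pid"], alert["shell"], "<-", " <- ".join(alert["ancestors"]))
```

The ancestor list is what makes the alert actionable: it names the installer or browser that handed its SYSTEM token to the shell.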