Update at 1:50 PM EST on August 25, 2021: A spokesperson for SteelSeries told techy’s points that SteelSeries was “aware of the problem” and “actively disabled the launch of the SteelSeries installer that was triggered when a new SteelSeries device was plugged in.”
The spokesperson said: “This immediately eliminates the opportunity to exploit the vulnerability. We are developing a software update that will permanently resolve the issue and release it soon.”
Original article 8/25/2021 10:45 PM Eastern Time:
We recently reported on newly discovered vulnerabilities in Razer equipment: its Synapse software allows malicious actors to gain administrator rights on Windows 10 without any authentication. Now a new report shows that SteelSeries and its accompanying peripheral software are vulnerable to the same type of attack.
When security researchers discovered a vulnerability in the Razer software, it seemed to open Pandora’s box. It turns out that many peripheral manufacturers, Razer and SteelSeries among them, have been shipping software that is vulnerable to exploits granting administrator privileges to unauthorized users.
Lawrence Amer of 0xsp discovered that when you plug a SteelSeries device into your computer, Windows automatically downloads the accompanying software and installs it with administrator privileges. You must agree to the permissions prompt during the installation process, and this is where the exploit begins: a small “Learn More” button opens a link in Internet Explorer. In the upper right corner of that window is a small gear icon that opens the browser’s tools menu. From there, you can click File > Save, and from the file dialog that appears, open a CMD window that runs with administrator rights. It really is that simple.
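From a detection standpoint, the chain described above leaves a distinctive process tree: an installer running as SYSTEM spawns a browser, the browser spawns a file dialog, and the dialog spawns a shell, all inheriting SYSTEM integrity. The following is an added example, not code from the article, SteelSeries, Razer or the researchers named, that flags that shape in process-creation telemetry. The event records are constructed, Sysmon-style process-creation events; vendor_installer_placeholder.exe is a stand-in for the vendor installer, and drvinst.exe is assumed here to be the Windows driver-install host process.

```python
"""
Added detection example: flag elevated user-facing apps and shells whose parent
chain runs through a plug-and-play device installer. Not the article's or any
vendor's code. Sample events are constructed; vendor_installer_placeholder.exe is a
placeholder and drvinst.exe is assumed to be the Windows driver-install host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable name
    user: str
    integrity: str   # "Medium", "High" or "System"


# Images that run the device-install flow (drvinst.exe assumed; vendor name is a placeholder).
INSTALLER_IMAGES = {"drvinst.exe", "vendor_installer_placeholder.exe"}
# User-facing apps an installer has no business spawning elevated.
GUI_IMAGES = {"iexplore.exe", "explorer.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
ELEVATED = {"High", "System"}


def ancestry(event, by_pid):
    """Return the parent chain of `event` as lower-cased image names, nearest parent first."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:   # `seen` guards against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain


def find_device_installer_abuse(events):
    """Return (pid, reason, chain) for elevated GUI apps or shells that descend from an installer."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        if e.integrity not in ELEVATED or img not in GUI_IMAGES | SHELL_IMAGES:
            continue
        chain = ancestry(e, by_pid)
        if not any(a in INSTALLER_IMAGES for a in chain):
            continue  # elevated shells with a legitimate origin (e.g. UAC consent) end here
        if img in GUI_IMAGES:
            findings.append((e.pid, "device installer spawned an elevated user-facing app", chain))
        elif any(a in GUI_IMAGES for a in chain):
            findings.append((e.pid, "elevated shell opened from the installer's UI", chain))
    return findings


# Constructed sample: one installer-abuse chain plus benign processes.
SAMPLE_EVENTS = [
    ProcEvent(100, 4,   "svchost.exe",  "SYSTEM", "System"),
    ProcEvent(200, 100, "drvinst.exe",  "SYSTEM", "System"),
    ProcEvent(300, 200, "vendor_installer_placeholder.exe", "SYSTEM", "System"),
    ProcEvent(400, 300, "iexplore.exe", "SYSTEM", "System"),   # "Learn More" link
    ProcEvent(500, 400, "explorer.exe", "SYSTEM", "System"),   # File > Save dialog
    ProcEvent(600, 500, "cmd.exe",      "SYSTEM", "System"),   # shell inheriting SYSTEM
    ProcEvent(700, 1,   "explorer.exe", "alice",  "Medium"),   # normal desktop
    ProcEvent(800, 700, "cmd.exe",      "alice",  "Medium"),   # normal shell
    ProcEvent(900, 1,   "cmd.exe",      "alice",  "High"),     # admin shell via UAC, no installer ancestor
]

if __name__ == "__main__":
    for pid, reason, chain in find_device_installer_abuse(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}; parents: {' <- '.join(chain)}")
```

The earliest signal in the chain is the elevated browser (pid 400), which fires before any shell exists; a rule keyed only on `cmd.exe` running as SYSTEM would alert later and would also miss variants that substitute another program for the final step. The integrity check keeps ordinary admin shells opened through UAC consent out of the results because they have no installer ancestor.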
This is not only about @Razer… it is possible for everyone… just another priv_escalation of @SteelSeries https://t.co/S2sIa1Lvjv pic.twitter.com/E3NPQnxqo2 (August 23, 2021)
More worryingly, another security researcher, an0n (@an0n_r0), has shown that the download and installation of the SteelSeries software can be triggered even without owning a SteelSeries device: he used an Android phone that mimics a SteelSeries keyboard, set up with his USB gadget generator tool.
PoC video of @SteelSeries LPE (similar to @Razer) using my Android phone (pretending to be @SteelSeries USB keyboard. :)) Use my improved USBgadget generator tool: https://t.co/Ss74xdySBg @SteelSeries LPE Found by https://t.co/QdSzZMhNER. More should follow… 🙂 pic.twitter.com/pKLKRWD8vI (August 24, 2021)
This is worrying, but it could be worse: the exploit requires physical access, so most users need not be concerned. A potential attacker also needs an unlocked screen, which is hard to come by if the user protects the computer with a password or any other form of authentication.