The official app for SteelSeries keyboards for Windows 10 can be exploited to gain administrator rights.
The bug can be exploited during the device’s configuration process by opening a link in the License Agreement screen. The link is opened with SYSTEM privileges.
The bug was discovered by Lawrence Amer of the 0xsp team after he read a report, published on the weekend, about an exploit that allowed an attacker to gain elevated privileges when connecting a Razer mouse or keyboard. He found a privilege escalation vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges while installing the SteelSeries keyboard (Apex 7/Pro) software.
The SteelSeries software is also used to install and control other peripherals, such as mice (Rival 650/600/710) and headsets (Arctis 9, Pro). It also controls the RGB lighting on the QCK Prism gaming mousepad.
Amer started by plugging in his keyboard, which began the Windows installation process for the SteelSeries software.
A real SteelSeries device is not necessary to exploit the bug. Penetration testing researcher István Tóth has written an Android script that can emulate a SteelSeries device.
The company said that it was aware of the issue and took the necessary measures to prevent exploitation.
“We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon,” a SteelSeries spokesperson said.
However, the researcher says that the vulnerability could still be exploited even after it is patched.
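Because the link and the Command Prompt described above both ran with SYSTEM privileges on the user's desktop, process-creation logs can surface this class of bug. The following detection sketch is an added example, not code from the researchers or SteelSeries: the field names follow Sysmon Event ID 1, while the installer name `ExampleDeviceSetup.exe`, the program list and every sample event are constructed assumptions.

```python
# Added example: flag interactive programs started as SYSTEM in a desktop session.
# Field names follow Sysmon Event ID 1 (process creation); all events are constructed.
import ntpath

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Programs a person drives by hand (assumption: tune this list per environment).
INTERACTIVE = {"cmd.exe", "powershell.exe", "iexplore.exe",
               "msedge.exe", "chrome.exe", "firefox.exe"}

def is_suspicious(event):
    """True when an interactive program runs as SYSTEM outside session 0."""
    image = ntpath.basename(event["Image"]).lower()
    return (event["User"].upper() == SYSTEM_USER
            and int(event["TerminalSessionId"]) != 0  # session 0 = services
            and image in INTERACTIVE)

def find_escalations(events):
    """Return (parent, child) image names for each suspicious process creation."""
    return [(ntpath.basename(ev["ParentImage"]), ntpath.basename(ev["Image"]))
            for ev in events if is_suspicious(ev)]

def _ev(parent, image, user, session):
    return {"ParentImage": parent, "Image": image,
            "User": user, "TerminalSessionId": session}

# Constructed sample: a hypothetical device installer started as SYSTEM on the
# desktop, a browser opened from it, a shell as SYSTEM, plus two benign events.
SAMPLE_EVENTS = [
    _ev("C:\\Windows\\System32\\svchost.exe",
        "C:\\Windows\\Temp\\ExampleDeviceSetup.exe", SYSTEM_USER, 1),
    _ev("C:\\Windows\\Temp\\ExampleDeviceSetup.exe",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        SYSTEM_USER, 1),
    _ev("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "C:\\Windows\\System32\\cmd.exe", SYSTEM_USER, 1),
    _ev("C:\\Windows\\System32\\services.exe",
        "C:\\Windows\\System32\\cmd.exe", SYSTEM_USER, 0),
    _ev("C:\\Windows\\explorer.exe",
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "DESKTOP-1\\alice", 1),
]

if __name__ == "__main__":
    for parent, child in find_escalations(SAMPLE_EVENTS):
        print(f"SYSTEM interactive process: {child} (parent {parent})")
```

The session check keeps ordinary service activity in session 0 out of the results, so what remains is SYSTEM-owned programs a logged-in user can interact with.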