Skip to main content

Now plugging in a keyboard can let you hijack Windows 10 admin rights

Avast cybersecurity
(Image credit: Avast)

A bug in the official app that helps install SteelSeries devices on Windows 10 can be exploited to obtain administrator privileges, cybersecurity experts have found.

The exploit was discovered by offensive security researcher Lawrence Amer, who was encouraged by the zero-day vulnerability discovered by another security researcher in the plug-and-play installation mechanism of Razer mice that also helped elevated privileges.

Having wondered if the same can be achieved with other devices, Amer found that the plug-and-play installation mechanism of SteelSeries devices was also exploitable.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“Since the process wrapper of this software is running with SYSTEM privileges, the attacker could abuse the installation path to launch a prompt command with the same permission,” explains Amer as he details the exploit.

Wide repercussions

Detailing the process, Amer notes that he tried a couple of things before he discovered that he could get elevated privileges during the SteelSeries keyboard setup process, using a link in the License Agreement screen that is opened with SYSTEM privileges. 

More worryingly, BleepingComputer reports that threat actors can replicate this behaviour even without using a real SteelSeries device, thanks to a script written by penetration testing researcher István Tóth, which can be used to mimic human interface devices (HID) on Android phones.

Designed specifically for testing local privilege escalation attacks, the script can successfully emulate both Razer and SteelSeries devices.

After Amer published his research, Tóth posted a video on Twitter showing that the exploit could be replicated on devices virtualized by his script.

For their part, SteelSeries told BleepingComputer that it was aware of the research, because of which it has now disabled automatically launching the installer when a device is plugged.

"This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon,” said the SteelSeries spokesperson.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.